- Add ATT&CK Techniquesnot completed
- Add Additional Countermeasuresnot completed
- Review Playbooknot completed
Step 1 of 3 Add ATT&CK Techniques
Add ATT&CK Techniques
What has the adversary done? Add observed ATT&CK Techniques to your Playbook
Add Techniques from Text
Locate Techniques by pasting text that contains IDs
Located IDs
Already in Cart:
Add to Playbook:
Search for Techniques
Activate Firmware Update Mode (T0800)
Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction.
Monitor Process State (T0801)
Adversaries may gather information about the physical process state.
Automated Collection (T0802)
Adversaries may automate collection of industrial environment information using tools or scripts.
Block Command Message (T0803)
Adversaries may block a command message from reaching its intended target to prevent command execution.
Block Reporting Message (T0804)
Adversaries may block or prevent a reporting message from reaching its intended target.
Block Serial COM (T0805)
Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices.
Brute Force I/O (T0806)
Adversaries may repetitively or successively change I/O point values to perform an action.
Command-Line Interface (T0807)
Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands.
Control Device Identification (T0808)
Adversaries may perform control device identification to determine the make and model of a target device.
Data Destruction (T0809)
Adversaries may perform data destruction over the course of an operation.
Data Historian Compromise (T0810)
Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment.
Data from Information Repositories (T0811)
Adversaries may target and collect data from information repositories.
Default Credentials (T0812)
Adversaries may leverage manufacturer or supplier set default credentials on control system devices.
Denial of Control (T0813)
Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls.
Denial of Service (T0814)
Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality.
Denial of View (T0815)
Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment.
Device Restart/Shutdown (T0816)
Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes.
Drive-by Compromise (T0817)
Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.
Engineering Workstation Compromise (T0818)
Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment.
Exploit Public-Facing Application (T0819)
Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network.
Exploitation for Evasion (T0820)
Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection.
Modify Controller Tasking (T0821)
Adversaries may modify the tasking of a controller to allow for the execution of their own programs.
External Remote Services (T0822)
Adversaries may leverage external remote services as a point of initial access into your network.
Graphical User Interface (T0823)
Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities.
I/O Module Discovery (T0824)
Adversaries may use input/output (I/O) module discovery to gather key information about a control system device.
Location Identification (T0825)
Adversaries may perform location identification using device data to inform operations and targeted impact for attacks.
Loss of Availability (T0826)
Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services.
Loss of Control (T0827)
Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.
Loss of Productivity and Revenue (T0828)
Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes.
Loss of View (T0829)
Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation.
Adversary-in-the-Middle (T0830)
Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks.
Manipulation of Control (T0831)
Adversaries may manipulate physical process control within the industrial environment.
Manipulation of View (T0832)
Adversaries may attempt to manipulate the information reported back to operators or controllers.
Modify Control Logic (T0833)
Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic.
Native API (T0834)
Adversaries may directly interact with the native OS application programming interface (API) to access system functions.
Manipulate I/O Image (T0835)
Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected.
Modify Parameter (T0836)
Adversaries may modify parameters used to instruct industrial control system devices.
Loss of Protection (T0837)
Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions.
Modify Alarm Settings (T0838)
Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios.
Module Firmware (T0839)
Adversaries may install malicious or vulnerable firmware onto modular hardware devices.
Network Connection Enumeration (T0840)
Adversaries may perform network connection enumeration to discover information about device communication patterns.
Network Service Scanning (T0841)
Network Service Scanning is the process of discovering services on networked systems.
Network Sniffing (T0842)
Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information.
Program Download (T0843)
Adversaries may perform a program download to transfer a user program to a controller.
Program Organization Units (T0844)
Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects.
Program Upload (T0845)
Adversaries may attempt to upload a program from a PLC to gather information about an industrial process.
Remote System Discovery (T0846)
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques.
Replication Through Removable Media (T0847)
Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment.
Rogue Master (T0848)
Adversaries may setup a rogue master to leverage control server functions to communicate with outstations.
Masquerading (T0849)
Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion.
Role Identification (T0850)
Adversaries may perform role identification of devices involved with physical processes of interest in a target control system.
Rootkit (T0851)
Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
Screen Capture (T0852)
Adversaries may attempt to perform screen capture of devices in the control system environment.
Scripting (T0853)
Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter.
Serial Connection Enumeration (T0854)
Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network.
Unauthorized Command Message (T0855)
Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function.
Spoof Reporting Message (T0856)
Adversaries may spoof reporting messages in control system environments for evasion and to impair process control.
System Firmware (T0857)
System firmware on modern assets is often designed with an update feature.
Change Operating Mode (T0858)
Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download.
Valid Accounts (T0859)
Adversaries may steal the credentials of a specific user or service account using credential access techniques.
Wireless Compromise (T0860)
Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network.
Point & Tag Identification (T0861)
Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment.
Supply Chain Compromise (T0862)
Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows.
User Execution (T0863)
Adversaries may rely on a targeted organizations user interaction for the execution of malicious code.
Transient Cyber Asset (T0864)
Adversaries may target devices that are transient across ICS networks and external networks.
Spearphishing Attachment (T0865)
Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets.
Exploitation of Remote Services (T0866)
Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse.
Lateral Tool Transfer (T0867)
Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation.
Detect Operating Mode (T0868)
Adversaries may gather information about a PLCs or controllers current operating mode.
Standard Application Layer Protocol (T0869)
Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus.
Detect Program State (T0870)
Adversaries may seek to gather information about the current state of a program on a PLC.
Execution through API (T0871)
Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware.
Indicator Removal on Host (T0872)
Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks.
Project File Infection (T0873)
Adversaries may attempt to infect project files with malicious code.
Hooking (T0874)
Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means.
Change Program State (T0875)
Adversaries may attempt to change the state of the current program on a control device.
I/O Image (T0877)
Adversaries may seek to capture process values related to the inputs and outputs of a PLC.
Alarm Suppression (T0878)
Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions.
Damage to Property (T0879)
Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems.
Loss of Safety (T0880)
Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur.
Service Stop (T0881)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
Theft of Operational Information (T0882)
Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations.
Internet Accessible Device (T0883)
Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.
Connection Proxy (T0884)
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.
Commonly Used Port (T0885)
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection.
Remote Services (T0886)
Adversaries may leverage remote services to move between assets and network segments.
Wireless Sniffing (T0887)
Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments.
Remote System Information Discovery (T0888)
An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration.
Modify Program (T0889)
Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network.
Exploitation for Privilege Escalation (T0890)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Hardcoded Credentials (T0891)
Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset.
Change Credential (T0892)
Adversaries may modify software and device credentials to prevent operator and responder access.
Data from Local System (T0893)
Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases.
System Binary Proxy Execution (T0894)
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.
Autorun Image (T0895)
Adversaries may leverage AutoRun functionality or scripts to execute malicious code.
Data Obfuscation (T1001)
Adversaries may obfuscate command and control traffic to make it more difficult to detect.
Junk Data (T1001.001)
Adversaries may add junk data to protocols used for command and control to make detection more difficult.
Steganography (T1001.002)
Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult.
Protocol or Service Impersonation (T1001.003)
Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts.
OS Credential Dumping (T1003)
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.
LSASS Memory (T1003.001)
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
Security Account Manager (T1003.002)
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.
NTDS (T1003.003)
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.
LSA Secrets (T1003.004)
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.
Cached Domain Credentials (T1003.005)
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.
DCSync (T1003.006)
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.
Proc Filesystem (T1003.007)
Adversaries may gather credentials from the proc filesystem or `/proc`.
/etc/passwd and /etc/shadow (T1003.008)
Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking.
Data from Local System (T1005)
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Direct Volume Access (T1006)
Adversaries may directly access a volume to bypass file access controls and file system monitoring.
System Service Discovery (T1007)
Adversaries may try to gather information about registered local system services.
Fallback Channels (T1008)
Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
Binary Padding (T1009)
Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary.
Application Window Discovery (T1010)
Adversaries may attempt to get a listing of open application windows.
Exfiltration Over Other Network Medium (T1011)
Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel.
Exfiltration Over Bluetooth (T1011.001)
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel.
Query Registry (T1012)
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Port Monitors (T1013)
A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup.
Rootkit (T1014)
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
Accessibility Features (T1015)
Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen).
System Network Configuration Discovery (T1016)
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
Internet Connection Discovery (T1016.001)
Adversaries may check for Internet connectivity on compromised systems.
Wi-Fi Discovery (T1016.002)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
Application Deployment Software (T1017)
Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators.
Remote System Discovery (T1018)
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
System Firmware (T1019)
The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.
Automated Exfiltration (T1020)
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
Traffic Duplication (T1020.001)
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure.
Remote Services (T1021)
Adversaries may use [Valid Accounts](https://attack.
Remote Desktop Protocol (T1021.001)
Adversaries may use [Valid Accounts](https://attack.
SMB/Windows Admin Shares (T1021.002)
Adversaries may use [Valid Accounts](https://attack.
Distributed Component Object Model (T1021.003)
Adversaries may use [Valid Accounts](https://attack.
SSH (T1021.004)
Adversaries may use [Valid Accounts](https://attack.
VNC (T1021.005)
Adversaries may use [Valid Accounts](https://attack.
Windows Remote Management (T1021.006)
Adversaries may use [Valid Accounts](https://attack.
Cloud Services (T1021.007)
Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.
Direct Cloud VM Connections (T1021.008)
Adversaries may leverage [Valid Accounts](https://attack.
Data Encrypted (T1022)
Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender.
Shortcut Modification (T1023)
Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Custom Cryptographic Protocol (T1024)
Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic.
Data from Removable Media (T1025)
Adversaries may search connected removable media on computers they have compromised to find files of interest.
Multiband Communication (T1026)
**This technique has been deprecated and should no longer be used.
Obfuscated Files or Information (T1027)
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Binary Padding (T1027.001)
Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
Software Packing (T1027.002)
Adversaries may perform software packing or virtual machine software protection to conceal their code.
Steganography (T1027.003)
Adversaries may use steganography techniques in order to prevent the detection of hidden information.
Compile After Delivery (T1027.004)
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code.
Indicator Removal from Tools (T1027.005)
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed.
HTML Smuggling (T1027.006)
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
Dynamic API Resolution (T1027.007)
Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis.
Stripped Payloads (T1027.008)
Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information.
Embedded Payloads (T1027.009)
Adversaries may embed payloads within other files to conceal malicious content from defenses.
Command Obfuscation (T1027.010)
Adversaries may obfuscate content during command execution to impede detection.
Fileless Storage (T1027.011)
Adversaries may store data in "fileless" formats to conceal malicious activity from defenses.
LNK Icon Smuggling (T1027.012)
Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files.
Encrypted/Encoded File (T1027.013)
Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection.
Polymorphic Code (T1027.014)
Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection.
Windows Remote Management (T1028)
Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.
Scheduled Transfer (T1029)
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals.
Data Transfer Size Limits (T1030)
An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds.
Modify Existing Service (T1031)
Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry.
Standard Cryptographic Protocol (T1032)
Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
System Owner/User Discovery (T1033)
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
Service Execution (T1035)
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager.
Masquerading (T1036)
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.
Invalid Code Signature (T1036.001)
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool.
Right-to-Left Override (T1036.002)
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign.
Rename System Utilities (T1036.003)
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.
Masquerade Task or Service (T1036.004)
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign.
Match Legitimate Name or Location (T1036.005)
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them.
Space after Filename (T1036.006)
Adversaries can hide a program's true filetype by changing the extension of a file.
Double File Extension (T1036.007)
Adversaries may abuse a double extension in the filename as a means of masquerading the true file type.
Masquerade File Type (T1036.008)
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents.
Break Process Trees (T1036.009)
An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID).
Masquerade Account Name (T1036.010)
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign.
Boot or Logon Initialization Scripts (T1037)
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.
Logon Script (Windows) (T1037.001)
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence.
Login Hook (T1037.002)
Adversaries may use a Login Hook to establish persistence executed upon user logon.
Network Logon Script (T1037.003)
Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence.
RC Scripts (T1037.004)
Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup.
Startup Items (T1037.005)
Adversaries may use startup items automatically executed at boot initialization to establish persistence.
DLL Search Order Hijacking (T1038)
Windows systems use a common method to look for required DLLs to load into a program.
Data from Network Shared Drive (T1039)
Adversaries may search network shares on computers they have compromised to find files of interest.
Network Sniffing (T1040)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
Exfiltration Over C2 Channel (T1041)
Adversaries may steal data by exfiltrating it over an existing command and control channel.
Change Default File Association (T1042)
When a file is opened, the default program used to open the file (also called the file association or handler) is checked.
File System Permissions Weakness (T1044)
Processes may automatically execute specific binaries as part of their functionality or to perform other actions.
Software Packing (T1045)
Software packing is a method of compressing or encrypting an executable.
Network Service Discovery (T1046)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Windows Management Instrumentation (T1047)
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
Exfiltration Over Alternative Protocol (T1048)
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.
Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001)
Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002)
Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel.
Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
System Network Connections Discovery (T1049)
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
New Service (T1050)
When operating systems boot up, they can start programs or applications called services that perform background system functions.
Shared Webroot (T1051)
**This technique has been deprecated and should no longer be used.
Exfiltration Over Physical Medium (T1052)
Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive.
Exfiltration over USB (T1052.001)
Adversaries may attempt to exfiltrate data over a USB connected physical device.
Scheduled Task/Job (T1053)
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
At (Linux) (T1053.001)
Adversaries may abuse the [at](https://attack.
At (T1053.002)
Adversaries may abuse the [at](https://attack.
Cron (T1053.003)
Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.
Launchd (T1053.004)
This technique is deprecated due to the inaccurate usage.
Scheduled Task (T1053.005)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.
Systemd Timers (T1053.006)
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code.
Container Orchestration Job (T1053.007)
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code.
Indicator Blocking (T1054)
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.
Process Injection (T1055)
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
Dynamic-link Library Injection (T1055.001)
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.
Portable Executable Injection (T1055.002)
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges.
Thread Execution Hijacking (T1055.003)
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.
Asynchronous Procedure Call (T1055.004)
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges.
Thread Local Storage (T1055.005)
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges.
Ptrace System Calls (T1055.008)
Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.
Proc Memory (T1055.009)
Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges.
Extra Window Memory Injection (T1055.011)
Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges.
Process Hollowing (T1055.012)
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.
Process Doppelgänging (T1055.013)
Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges.
VDSO Hijacking (T1055.014)
Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges.
ListPlanting (T1055.015)
Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.
Input Capture (T1056)
Adversaries may use methods of capturing user input to obtain credentials or collect information.
Keylogging (T1056.001)
Adversaries may log user keystrokes to intercept credentials as the user types them.
GUI Input Capture (T1056.002)
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt.
Web Portal Capture (T1056.003)
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.
Credential API Hooking (T1056.004)
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials.
Process Discovery (T1057)
Adversaries may attempt to get information about running processes on a system.
Service Registry Permissions Weakness (T1058)
Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>.
Command and Scripting Interpreter (T1059)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
PowerShell (T1059.001)
Adversaries may abuse PowerShell commands and scripts for execution.
AppleScript (T1059.002)
Adversaries may abuse AppleScript for execution.
Windows Command Shell (T1059.003)
Adversaries may abuse the Windows command shell for execution.
Unix Shell (T1059.004)
Adversaries may abuse Unix shell commands and scripts for execution.
Visual Basic (T1059.005)
Adversaries may abuse Visual Basic (VB) for execution.
Python (T1059.006)
Adversaries may abuse Python commands and scripts for execution.
JavaScript (T1059.007)
Adversaries may abuse various implementations of JavaScript for execution.
Network Device CLI (T1059.008)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Cloud API (T1059.009)
Adversaries may abuse cloud APIs to execute malicious commands.
AutoHotKey & AutoIT (T1059.010)
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts.
Lua (T1059.011)
Adversaries may abuse Lua commands and scripts for execution.
Registry Run Keys / Startup Folder (T1060)
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
Hypervisor (T1062)
**This technique has been deprecated and should no longer be used.
Security Software Discovery (T1063)
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system.
Uncommonly Used Port (T1065)
Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.
Indicator Removal from Tools (T1066)
If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
Bootkit (T1067)
A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).
Exploitation for Privilege Escalation (T1068)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Permission Groups Discovery (T1069)
Adversaries may attempt to discover group and permission settings.
Local Groups (T1069.001)
Adversaries may attempt to find local system groups and permission settings.
Domain Groups (T1069.002)
Adversaries may attempt to find domain-level groups and permission settings.
Cloud Groups (T1069.003)
Adversaries may attempt to find cloud groups and permission settings.
Indicator Removal (T1070)
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses.
Clear Windows Event Logs (T1070.001)
Adversaries may clear Windows Event Logs to hide the activity of an intrusion.
Clear Linux or Mac System Logs (T1070.002)
Adversaries may clear system logs to hide evidence of an intrusion.
Clear Command History (T1070.003)
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
File Deletion (T1070.004)
Adversaries may delete files left behind by the actions of their intrusion activity.
Network Share Connection Removal (T1070.005)
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Timestomp (T1070.006)
Adversaries may modify file time attributes to hide new files or changes to existing files.
Clear Network Connection History and Configurations (T1070.007)
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations.
Clear Mailbox Data (T1070.008)
Adversaries may modify mail and mail application data to remove evidence of their activity.
Clear Persistence (T1070.009)
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity.
Relocate Malware (T1070.010)
Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses.
Application Layer Protocol (T1071)
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic.
Web Protocols (T1071.001)
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
File Transfer Protocols (T1071.002)
Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic.
Mail Protocols (T1071.003)
Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic.
DNS (T1071.004)
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.
Publish/Subscribe Protocols (T1071.005)
Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic.
Software Deployment Tools (T1072)
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network.
DLL Side-Loading (T1073)
Programs may specify DLLs that are loaded at runtime.
Data Staged (T1074)
Adversaries may stage collected data in a central location or directory prior to Exfiltration.
Local Data Staging (T1074.001)
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration.
Remote Data Staging (T1074.002)
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration.
Pass the Hash (T1075)
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.
Remote Desktop Protocol (T1076)
Remote desktop is a common feature in operating systems.
Windows Admin Shares (T1077)
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions.
Valid Accounts (T1078)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Default Accounts (T1078.001)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Domain Accounts (T1078.002)
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Local Accounts (T1078.003)
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Cloud Accounts (T1078.004)
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Multilayer Encryption (T1079)
An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such as HTTPS or SMTPS.
Taint Shared Content (T1080)
Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories.
Credentials in Files (T1081)
Adversaries may search local file systems and remote file shares for files containing passwords.
System Information Discovery (T1082)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
File and Directory Discovery (T1083)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Windows Management Instrumentation Event Subscription (T1084)
Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs.
PowerShell (T1086)
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.
Account Discovery (T1087)
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
Local Account (T1087.001)
Adversaries may attempt to get a listing of local system accounts.
Domain Account (T1087.002)
Adversaries may attempt to get a listing of domain accounts.
Email Account (T1087.003)
Adversaries may attempt to get a listing of email addresses and accounts.
Cloud Account (T1087.004)
Adversaries may attempt to get a listing of cloud accounts.
Bypass User Account Control (T1088)
Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation.
Disabling Security Tools (T1089)
Adversaries may disable security tools to avoid possible detection of their tools and activities.
Proxy (T1090)
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
Internal Proxy (T1090.001)
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.
External Proxy (T1090.002)
Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
Multi-hop Proxy (T1090.003)
Adversaries may chain together multiple proxies to disguise the source of malicious traffic.
Domain Fronting (T1090.004)
Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS.
Replication Through Removable Media (T1091)
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.
Communication Through Removable Media (T1092)
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.
Process Hollowing (T1093)
Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code.
Custom Command and Control Protocol (T1094)
Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Application Layer Protocol](https://attack.
Non-Application Layer Protocol (T1095)
Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network.
NTFS File Attributes (T1096)
Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.
Pass the Ticket (T1097)
Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password.
Account Manipulation (T1098)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Additional Cloud Credentials (T1098.001)
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
Additional Email Delegate Permissions (T1098.002)
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.
Additional Cloud Roles (T1098.003)
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant.
SSH Authorized Keys (T1098.004)
Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host.
Device Registration (T1098.005)
Adversaries may register a device to an adversary-controlled account.
Additional Container Cluster Roles (T1098.006)
An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system.
Additional Local or Domain Groups (T1098.007)
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.
Timestomp (T1099)
Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities.
Web Shell (T1100)
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network.
Security Support Provider (T1101)
Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start.
Web Service (T1102)
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.
Dead Drop Resolver (T1102.001)
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure.
Bidirectional Communication (T1102.002)
Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel.
One-Way Communication (T1102.003)
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel.
AppInit DLLs (T1103)
Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.
Multi-Stage Channels (T1104)
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions.
Ingress Tool Transfer (T1105)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Native API (T1106)
Adversaries may interact with the native OS application programming interface (API) to execute behaviors.
File Deletion (T1107)
Adversaries may delete files left behind by the actions of their intrusion activity.
Component Firmware (T1109)
Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS.
Brute Force (T1110)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Password Guessing (T1110.001)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Password Cracking (T1110.002)
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.
Password Spraying (T1110.003)
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.
Credential Stuffing (T1110.004)
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap.
Multi-Factor Authentication Interception (T1111)
Adversaries may target multi-factor authentication (MFA) mechanisms, (i.
Modify Registry (T1112)
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Screen Capture (T1113)
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
Email Collection (T1114)
Adversaries may target user email to collect sensitive information.
Local Email Collection (T1114.001)
Adversaries may target user email on local systems to collect sensitive information.
Remote Email Collection (T1114.002)
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.
Email Forwarding Rule (T1114.003)
Adversaries may setup email forwarding rules to collect sensitive information.
Clipboard Data (T1115)
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Code Signing (T1116)
Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.
InstallUtil (T1118)
InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .
Automated Collection (T1119)
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Peripheral Device Discovery (T1120)
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
Regsvcs/Regasm (T1121)
Regsvcs and Regasm are Windows command-line utilities that are used to register .
Component Object Model Hijacking (T1122)
The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.
Audio Capture (T1123)
An adversary can leverage a computer's peripheral devices (e.
System Time Discovery (T1124)
An adversary may gather the system time and/or time zone settings from a local or remote system.
Video Capture (T1125)
An adversary can leverage a computer's peripheral devices (e.
Network Share Connection Removal (T1126)
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Trusted Developer Utilities Proxy Execution (T1127)
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads.
MSBuild (T1127.001)
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility.
ClickOnce (T1127.002)
Adversaries may use ClickOnce applications (.
Shared Modules (T1129)
Adversaries may execute malicious payloads via loading shared modules.
Install Root Certificate (T1130)
Root certificates are used in public key cryptography to identify a root certificate authority (CA).
Authentication Package (T1131)
Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start.
Data Encoding (T1132)
Adversaries may encode data to make the content of command and control traffic more difficult to detect.
Standard Encoding (T1132.001)
Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect.
Non-Standard Encoding (T1132.002)
Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect.
External Remote Services (T1133)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
Access Token Manipulation (T1134)
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.
Token Impersonation/Theft (T1134.001)
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls.
Create Process with Token (T1134.002)
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls.
Make and Impersonate Token (T1134.003)
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls.
Parent PID Spoofing (T1134.004)
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
SID-History Injection (T1134.005)
Adversaries may use SID-History Injection to escalate privileges and bypass access controls.
Network Share Discovery (T1135)
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
Create Account (T1136)
Adversaries may create an account to maintain access to victim systems.
Local Account (T1136.001)
Adversaries may create a local account to maintain access to victim systems.
Domain Account (T1136.002)
Adversaries may create a domain account to maintain access to victim systems.
Cloud Account (T1136.003)
Adversaries may create a cloud account to maintain access to victim systems.
Office Application Startup (T1137)
Adversaries may leverage Microsoft Office-based applications for persistence between startups.
Office Template Macros (T1137.001)
Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system.
Office Test (T1137.002)
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.
Outlook Forms (T1137.003)
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system.
Outlook Home Page (T1137.004)
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system.
Outlook Rules (T1137.005)
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system.
Add-ins (T1137.006)
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Application Shimming (T1138)
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Bash History (T1139)
Bash keeps track of the commands users type on the command-line with the "history" utility.
Deobfuscate/Decode Files or Information (T1140)
Adversaries may use [Obfuscated Files or Information](https://attack.
Input Prompt (T1141)
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.
Keychain (T1142)
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos.
Hidden Window (T1143)
Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users.
Gatekeeper Bypass (T1144)
In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called <code>com.
Private Keys (T1145)
Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.
Clear Command History (T1146)
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Hidden Users (T1147)
Every user account in macOS has a userID associated with it.
HISTCONTROL (T1148)
The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.
LC_MAIN Hijacking (T1149)
**This technique has been deprecated and should no longer be used.
Plist Modification (T1150)
Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services.
Space after Filename (T1151)
Adversaries can hide a program's true filetype by changing the extension of a file.
Launchctl (T1152)
Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself.
Source (T1153)
**This technique has been deprecated and should no longer be used.
Trap (T1154)
The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals.
AppleScript (T1155)
macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC).
Malicious Shell Modification (T1156)
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.
Dylib Hijacking (T1157)
macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths.
Hidden Files and Directories (T1158)
To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file.
Launch Agent (T1159)
Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code> (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware).
Launch Daemon (T1160)
Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization.
LC_LOAD_DYLIB Addition (T1161)
Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded.
Login Item (T1162)
MacOS provides the option to list specific applications to run when a user logs in.
Rc.common (T1163)
During the boot process, macOS executes <code>source /etc/rc.
Startup Items (T1165)
Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items (Citation: Startup Items).
Setuid and Setgid (T1166)
When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively (Citation: setuid man page).
Securityd Memory (T1167)
In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.
Local Job Scheduling (T1168)
On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.
Sudo (T1169)
The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals.
LLMNR/NBT-NS Poisoning and Relay (T1171)
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification.
Domain Fronting (T1172)
Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS.
Dynamic Data Exchange (T1173)
Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications.
Password Filter DLL (T1174)
Windows password filters are password policy enforcement mechanisms for both domain and local accounts.
Component Object Model and Distributed COM (T1175)
**This technique has been deprecated.
Browser Extensions (T1176)
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems.
LSASS Driver (T1177)
The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain.
SID-History Injection (T1178)
The Windows security identifier (SID) is a unique value that identifies a user or group account.
Hooking (T1179)
Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources.
Screensaver (T1180)
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .
Extra Window Memory Injection (T1181)
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).
AppCert DLLs (T1182)
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.
Image File Execution Options Injection (T1183)
Image File Execution Options (IFEO) enable a developer to attach a debugger to an application.
SSH Hijacking (T1184)
Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems.
Browser Session Hijacking (T1185)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Process Doppelgänging (T1186)
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations.
Forced Authentication (T1187)
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
Multi-hop Proxy (T1188)
To disguise the source of malicious traffic, adversaries may chain together multiple proxies.
Drive-by Compromise (T1189)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Exploit Public-Facing Application (T1190)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Spearphishing Link (T1192)
Spearphishing with a link is a specific variant of spearphishing.
Spearphishing Attachment (T1193)
Spearphishing attachment is a specific variant of spearphishing.
Spearphishing via Service (T1194)
Spearphishing via service is a specific variant of spearphishing.
Supply Chain Compromise (T1195)
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
Compromise Software Dependencies and Development Tools (T1195.001)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Compromise Software Supply Chain (T1195.002)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Compromise Hardware Supply Chain (T1195.003)
Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise.
Control Panel Items (T1196)
Windows Control Panel items are utilities that allow users to view and adjust computer settings.
BITS Jobs (T1197)
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks.
SIP and Trust Provider Hijacking (T1198)
In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe).
Trusted Relationship (T1199)
Adversaries may breach or otherwise leverage organizations who have access to intended victims.
Hardware Additions (T1200)
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access.
Password Policy Discovery (T1201)
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.
Indirect Command Execution (T1202)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Exploitation for Client Execution (T1203)
Adversaries may exploit software vulnerabilities in client applications to execute code.
User Execution (T1204)
An adversary may rely upon specific actions by a user in order to gain execution.
Malicious Link (T1204.001)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Malicious File (T1204.002)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Malicious Image (T1204.003)
Adversaries may rely on a user running a malicious image to facilitate execution.
Traffic Signaling (T1205)
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control.
Port Knocking (T1205.001)
Adversaries may use port knocking to hide open ports used for persistence or command and control.
Socket Filters (T1205.002)
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control.
Sudo Caching (T1206)
The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
Rogue Domain Controller (T1207)
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data.
Kerberoasting (T1208)
Service principal names (SPNs) are used to uniquely identify each instance of a Windows service.
Time Providers (T1209)
The Windows Time service (W32Time) enables time synchronization across and within domains.
Exploitation of Remote Services (T1210)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Exploitation for Defense Evasion (T1211)
Adversaries may exploit a system or application vulnerability to bypass security features.
Exploitation for Credential Access (T1212)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Data from Information Repositories (T1213)
Adversaries may leverage information repositories to mine valuable information.
Confluence (T1213.001)
Adversaries may leverage Confluence repositories to mine valuable information.
Sharepoint (T1213.002)
Adversaries may leverage the SharePoint repository as a source to mine valuable information.
Code Repositories (T1213.003)
Adversaries may leverage code repositories to collect valuable information.
Customer Relationship Management Software (T1213.004)
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.
Messaging Applications (T1213.005)
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
Credentials in Registry (T1214)
The Windows Registry stores configuration information that can be used by the system or other programs.
Kernel Modules and Extensions (T1215)
Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
System Script Proxy Execution (T1216)
Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files.
PubPrn (T1216.001)
Adversaries may use PubPrn to proxy execution of malicious remote files.
SyncAppvPublishingServer (T1216.002)
Adversaries may abuse SyncAppvPublishingServer.
Browser Information Discovery (T1217)
Adversaries may enumerate information about browsers to learn more about compromised environments.
System Binary Proxy Execution (T1218)
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.
Compiled HTML File (T1218.001)
Adversaries may abuse Compiled HTML files (.
Control Panel (T1218.002)
Adversaries may abuse control.
CMSTP (T1218.003)
Adversaries may abuse CMSTP to proxy execution of malicious code.
InstallUtil (T1218.004)
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.
Mshta (T1218.005)
Adversaries may abuse mshta.
Msiexec (T1218.007)
Adversaries may abuse msiexec.
Odbcconf (T1218.008)
Adversaries may abuse odbcconf.
Regsvcs/Regasm (T1218.009)
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility.
Regsvr32 (T1218.010)
Adversaries may abuse Regsvr32.
Rundll32 (T1218.011)
Adversaries may abuse rundll32.
Verclsid (T1218.012)
Adversaries may abuse verclsid.
Mavinject (T1218.013)
Adversaries may abuse mavinject.
Electron Applications (T1218.015)
Adversaries may abuse components of the Electron framework to execute malicious code.
Remote Access Software (T1219)
An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
XSL Script Processing (T1220)
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files.
Template Injection (T1221)
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
File and Directory Permissions Modification (T1222)
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.
Windows File and Directory Permissions Modification (T1222.001)
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.
Linux and Mac File and Directory Permissions Modification (T1222.002)
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.
Boot or Logon Initialization Scripts (T1398)
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.
Modify Trusted Execution Environment (T1399)
If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user.
Modify System Partition (T1400)
If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.
Device Administrator Permissions (T1401)
Adversaries may request device administrator permissions to perform malicious actions.
Broadcast Receivers (T1402)
An intent is a message passed between Android application or system components.
Modify Cached Executable Code (T1403)
ART (the Android Runtime) compiles optimized code on the device itself to improve performance.
Exploitation for Privilege Escalation (T1404)
Adversaries may exploit software vulnerabilities in order to elevate privileges.
Exploit TEE Vulnerability (T1405)
A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone).
Obfuscated Files or Information (T1406)
Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit.
Steganography (T1406.001)
Adversaries may use steganography techniques in order to prevent the detection of hidden information.
Software Packing (T1406.002)
Adversaries may perform software packing to conceal their code.
Download New Code at Runtime (T1407)
Adversaries may download and execute dynamic code not included in the original application package after installation.
Disguise Root/Jailbreak Indicators (T1408)
An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan).
Stored Application Data (T1409)
Adversaries may try to access and collect application data resident on the device.
Network Traffic Capture or Redirection (T1410)
An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.
Input Prompt (T1411)
The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII).
Capture SMS Messages (T1412)
A malicious application could capture sensitive data sent via SMS, including authentication credentials.
Access Sensitive Data in Device Logs (T1413)
On versions of Android prior to 4.
Clipboard Data (T1414)
Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard.
URL Scheme Hijacking (T1415)
An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme).
URI Hijacking (T1416)
Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.
Input Capture (T1417)
Adversaries may use methods of capturing user input to obtain credentials or collect information.
Keylogging (T1417.001)
Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.
GUI Input Capture (T1417.002)
Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt.
Software Discovery (T1418)
Adversaries may attempt to get a listing of applications that are installed on a device.
Security Software Discovery (T1418.001)
Adversaries may attempt to get a listing of security applications and configurations that are installed on a device.
Device Type Discovery (T1419)
On Android, device type information is accessible to apps through the android.
File and Directory Discovery (T1420)
Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem.
System Network Connections Discovery (T1421)
Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network.
System Network Configuration Discovery (T1422)
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems.
Internet Connection Discovery (T1422.001)
Adversaries may check for Internet connectivity on compromised systems.
Wi-Fi Discovery (T1422.002)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
Network Service Scanning (T1423)
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
Process Discovery (T1424)
Adversaries may attempt to get information about running processes on a device.
System Information Discovery (T1426)
Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture.
Attack PC via USB Connection (T1427)
With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android.
Exploitation of Remote Services (T1428)
Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network.
Audio Capture (T1429)
Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device.
Location Tracking (T1430)
Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device.
Remote Device Management Services (T1430.001)
An adversary may use access to cloud services (e.
Impersonate SS7 Nodes (T1430.002)
Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.
Access Contact List (T1432)
An adversary could call standard operating system APIs from a malicious application to gather contact list (i.
Access Call Log (T1433)
On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.
Access Calendar Entries (T1435)
An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.
Commonly Used Port (T1436)
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.
Application Layer Protocol (T1437)
Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic.
Web Protocols (T1437.001)
Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic.
Exfiltration Over Other Network Medium (T1438)
Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel.
Eavesdrop on Insecure Network Communication (T1439)
If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.
Masquerade as Legitimate Application (T1444)
An adversary could distribute developed malware by masquerading the malware as a legitimate application.
Device Lockout (T1446)
An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.
Delete Device Data (T1447)
Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity.
Carrier Billing Fraud (T1448)
A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.
Exploit SS7 to Redirect Phone Calls/SMS (T1449)
An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control.
Exploit SS7 to Track Device Location (T1450)
An adversary could exploit signaling system vulnerabilities to track the location of mobile devices.
SIM Card Swap (T1451)
An adversary could convince the mobile network operator (e.
Manipulate App Store Rankings or Ratings (T1452)
An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications.
Drive-By Compromise (T1456)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Replication Through Removable Media (T1458)
Adversaries may move onto devices by exploiting or copying malware to devices connected via USB.
Lockscreen Bypass (T1461)
An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen.
Manipulate Device Communication (T1463)
If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected.
Network Denial of Service (T1464)
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.
Rogue Wi-Fi Access Points (T1465)
An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).
Downgrade to Insecure Protocols (T1466)
An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187).
Rogue Cellular Base Station (T1467)
An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication.
Remotely Track Device Without Authorization (T1468)
An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.
Remotely Wipe Data Without Authorization (T1469)
An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.
Obtain Device Cloud Backups (T1470)
An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.
Data Encrypted for Impact (T1471)
An adversary may encrypt files stored on a mobile device to prevent the user from accessing them.
Generate Fraudulent Advertising Revenue (T1472)
An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.
Supply Chain Compromise (T1474)
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
Compromise Software Dependencies and Development Tools (T1474.001)
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
Compromise Hardware Supply Chain (T1474.002)
Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise.
Compromise Software Supply Chain (T1474.003)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Deliver Malicious App via Authorized App Store (T1475)
Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices.
Deliver Malicious App via Other Means (T1476)
Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices.
Exploit via Radio Interfaces (T1477)
The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.
Install Insecure or Malicious Configuration (T1478)
An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings.
Execution Guardrails (T1480)
Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target.
Environmental Keying (T1480.001)
Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment.
Mutual Exclusion (T1480.002)
Adversaries may constrain execution or actions based on the presence of a mutex associated with malware.
Web Service (T1481)
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.
Dead Drop Resolver (T1481.001)
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure.
Bidirectional Communication (T1481.002)
Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system.
One-Way Communication (T1481.003)
Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output.
Domain Trust Discovery (T1482)
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.
Domain Generation Algorithms (T1483)
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains.
Domain or Tenant Policy Modification (T1484)
Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments.
Group Policy Modification (T1484.001)
Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain.
Trust Modification (T1484.002)
Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.
Data Destruction (T1485)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Lifecycle-Triggered Deletion (T1485.001)
Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.
Data Encrypted for Impact (T1486)
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
Disk Structure Wipe (T1487)
Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources.
Disk Content Wipe (T1488)
Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.
Service Stop (T1489)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
Inhibit System Recovery (T1490)
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Defacement (T1491)
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content.
Internal Defacement (T1491.001)
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems.
External Defacement (T1491.002)
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.
Stored Data Manipulation (T1492)
Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.
Transmitted Data Manipulation (T1493)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.
Runtime Data Manipulation (T1494)
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.
Firmware Corruption (T1495)
Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.
Resource Hijacking (T1496)
Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
Compute Hijacking (T1496.001)
Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
Bandwidth Hijacking (T1496.002)
Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
SMS Pumping (T1496.003)
Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.
Cloud Service Hijacking (T1496.004)
Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability.
Virtualization/Sandbox Evasion (T1497)
Adversaries may employ various means to detect and avoid virtualization and analysis environments.
System Checks (T1497.001)
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
User Activity Based Checks (T1497.002)
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments.
Time Based Evasion (T1497.003)
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments.
Network Denial of Service (T1498)
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.
Direct Network Flood (T1498.001)
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target.
Reflection Amplification (T1498.002)
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target.
Endpoint Denial of Service (T1499)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
OS Exhaustion Flood (T1499.001)
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
Service Exhaustion Flood (T1499.002)
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Application Exhaustion Flood (T1499.003)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Application or System Exploitation (T1499.004)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Compile After Delivery (T1500)
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code.
Systemd Service (T1501)
Systemd services can be used to establish persistence on a Linux system.
Parent PID Spoofing (T1502)
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
Credentials from Web Browsers (T1503)
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
PowerShell Profile (T1504)
Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.
Server Software Component (T1505)
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
SQL Stored Procedures (T1505.001)
Adversaries may abuse SQL stored procedures to establish persistent access to systems.
Transport Agent (T1505.002)
Adversaries may abuse Microsoft transport agents to establish persistent access to systems.
Web Shell (T1505.003)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
IIS Components (T1505.004)
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.
Terminal Services DLL (T1505.005)
Adversaries may abuse components of Terminal Services to enable persistent access to systems.
Web Session Cookie (T1506)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Network Information Discovery (T1507)
Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.
Suppress Application Icon (T1508)
A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application.
Non-Standard Port (T1509)
Adversaries may generate network traffic using a protocol and port pairing that are typically not associated.
Clipboard Modification (T1510)
Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.
Video Capture (T1512)
An adversary can leverage a device’s cameras to gather information by capturing video recordings.
Screen Capture (T1513)
Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information.
Elevated Execution with Prompt (T1514)
Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.
Input Injection (T1516)
A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.
Access Notifications (T1517)
Adversaries may collect data within notifications sent by the operating system or other applications.
Software Discovery (T1518)
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.
Security Software Discovery (T1518.001)
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.
Emond (T1519)
Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers.
Domain Generation Algorithms (T1520)
Adversaries may use [Domain Generation Algorithms](https://attack.
Encrypted Channel (T1521)
Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
Symmetric Cryptography (T1521.001)
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol.
Asymmetric Cryptography (T1521.002)
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol.
SSL Pinning (T1521.003)
Adversaries may use [SSL Pinning](https://attack.
Cloud Instance Metadata API (T1522)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Evade Analysis Environment (T1523)
Malicious applications may attempt to detect their operating environment prior to fully executing their payloads.
Implant Internal Image (T1525)
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment.
Cloud Service Discovery (T1526)
An adversary may attempt to enumerate the cloud services running on a system after gaining access.
Application Access Token (T1527)
Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Steal Application Access Token (T1528)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
System Shutdown/Reboot (T1529)
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Data from Cloud Storage (T1530)
Adversaries may access data from cloud storage.
Account Access Removal (T1531)
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Archive Collected Data (T1532)
Adversaries may compress and/or encrypt data that is collected prior to exfiltration.
Data from Local System (T1533)
Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.
Internal Spearphishing (T1534)
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization.
Unused/Unsupported Cloud Regions (T1535)
Adversaries may create cloud instances in unused geographic service regions in order to evade detection.
Revert Cloud Instance (T1536)
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence.
Transfer Data to Cloud Account (T1537)
Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
Cloud Service Dashboard (T1538)
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features.
Steal Web Session Cookie (T1539)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Code Injection (T1540)
Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application.
Foreground Persistence (T1541)
Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access.
Pre-OS Boot (T1542)
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system.
System Firmware (T1542.001)
Adversaries may modify system firmware to persist on systems.
Component Firmware (T1542.002)
Adversaries may modify component firmware to persist on systems.
Bootkit (T1542.003)
Adversaries may use bootkits to persist on systems.
ROMMONkit (T1542.004)
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect.
TFTP Boot (T1542.005)
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server.
Create or Modify System Process (T1543)
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.
Launch Agent (T1543.001)
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
Systemd Service (T1543.002)
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence.
Windows Service (T1543.003)
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
Launch Daemon (T1543.004)
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence.
Container Service (T1543.005)
Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts.
Ingress Tool Transfer (T1544)
Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions.
Event Triggered Execution (T1546)
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.
Change Default File Association (T1546.001)
Adversaries may establish persistence by executing malicious content triggered by a file type association.
Screensaver (T1546.002)
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Windows Management Instrumentation Event Subscription (T1546.003)
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
Unix Shell Configuration Modification (T1546.004)
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.
Trap (T1546.005)
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal.
LC_LOAD_DYLIB Addition (T1546.006)
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries.
Netsh Helper DLL (T1546.007)
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.
Accessibility Features (T1546.008)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.
AppCert DLLs (T1546.009)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
AppInit DLLs (T1546.010)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
Application Shimming (T1546.011)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
Image File Execution Options Injection (T1546.012)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.
PowerShell Profile (T1546.013)
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
Emond (T1546.014)
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).
Component Object Model Hijacking (T1546.015)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Installer Packages (T1546.016)
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content.
Udev Rules (T1546.017)
Adversaries may maintain persistence through executing malicious content triggered using udev rules.
Boot or Logon Autostart Execution (T1547)
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
Registry Run Keys / Startup Folder (T1547.001)
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
Authentication Package (T1547.002)
Adversaries may abuse authentication packages to execute DLLs when the system boots.
Time Providers (T1547.003)
Adversaries may abuse time providers to execute DLLs when the system boots.
Winlogon Helper DLL (T1547.004)
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
Security Support Provider (T1547.005)
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots.
Kernel Modules and Extensions (T1547.006)
Adversaries may modify the kernel to automatically execute programs on system boot.
Re-opened Applications (T1547.007)
Adversaries may modify plist files to automatically run an application when a user logs in.
LSASS Driver (T1547.008)
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.
Shortcut Modification (T1547.009)
Adversaries may create or modify shortcuts that can execute a program during system boot or user login.
Port Monitors (T1547.010)
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
Plist Modification (T1547.011)
Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence.
Print Processors (T1547.012)
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
XDG Autostart Entries (T1547.013)
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login.
Active Setup (T1547.014)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Login Items (T1547.015)
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges.
Abuse Elevation Control Mechanism (T1548)
Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions.
Setuid and Setgid (T1548.001)
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context.
Bypass User Account Control (T1548.002)
Adversaries may bypass UAC mechanisms to elevate process privileges on system.
Sudo and Sudo Caching (T1548.003)
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
Elevated Execution with Prompt (T1548.004)
Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.
Temporary Elevated Cloud Access (T1548.005)
Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources.
TCC Manipulation (T1548.006)
Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions.
Use Alternate Authentication Material (T1550)
Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
Application Access Token (T1550.001)
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Pass the Hash (T1550.002)
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls.
Pass the Ticket (T1550.003)
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls.
Web Session Cookie (T1550.004)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Unsecured Credentials (T1552)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Credentials In Files (T1552.001)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Credentials in Registry (T1552.002)
Adversaries may search the Registry on compromised systems for insecurely stored credentials.
Bash History (T1552.003)
Adversaries may search the bash command history on compromised systems for insecurely stored credentials.
Private Keys (T1552.004)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Cloud Instance Metadata API (T1552.005)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Group Policy Preferences (T1552.006)
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP).
Container API (T1552.007)
Adversaries may gather credentials via APIs within a containers environment.
Chat Messages (T1552.008)
Adversaries may directly collect unsecured credentials stored or passed through user communication services.
Subvert Trust Controls (T1553)
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.
Gatekeeper Bypass (T1553.001)
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs.
Code Signing (T1553.002)
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
SIP and Trust Provider Hijacking (T1553.003)
Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks.
Install Root Certificate (T1553.004)
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Mark-of-the-Web Bypass (T1553.005)
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.
Code Signing Policy Modification (T1553.006)
Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.
Compromise Host Software Binary (T1554)
Adversaries may modify host software binaries to establish persistent access to systems.
Credentials from Password Stores (T1555)
Adversaries may search for common password storage locations to obtain user credentials.
Keychain (T1555.001)
Adversaries may acquire credentials from Keychain.
Securityd Memory (T1555.002)
An adversary with root access may gather credentials by reading `securityd`’s memory.
Credentials from Web Browsers (T1555.003)
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Windows Credential Manager (T1555.004)
Adversaries may acquire credentials from the Windows Credential Manager.
Password Managers (T1555.005)
Adversaries may acquire user credentials from third-party password managers.
Cloud Secrets Management Stores (T1555.006)
Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.
Modify Authentication Process (T1556)
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.
Domain Controller Authentication (T1556.001)
Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
Password Filter DLL (T1556.002)
Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
Pluggable Authentication Modules (T1556.003)
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts.
Network Device Authentication (T1556.004)
Adversaries may use [Patch System Image](https://attack.
Reversible Encryption (T1556.005)
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems.
Multi-Factor Authentication (T1556.006)
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Hybrid Identity (T1556.007)
Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Network Provider DLL (T1556.008)
Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process.
Conditional Access Policies (T1556.009)
Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts.
Adversary-in-the-Middle (T1557)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.
ARP Cache Poisoning (T1557.002)
Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices.
DHCP Spoofing (T1557.003)
Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network.
Evil Twin (T1557.004)
Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.
Steal or Forge Kerberos Tickets (T1558)
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.
Golden Ticket (T1558.001)
Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.
Silver Ticket (T1558.002)
Adversaries who have the password hash of a target service account (e.
Kerberoasting (T1558.003)
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.
AS-REP Roasting (T1558.004)
Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.
Ccache Files (T1558.005)
Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache).
Inter-Process Communication (T1559)
Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution.
Component Object Model (T1559.001)
Adversaries may use the Windows Component Object Model (COM) for local code execution.
Dynamic Data Exchange (T1559.002)
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands.
XPC Services (T1559.003)
Adversaries can provide malicious content to an XPC service daemon for local code execution.
Archive Collected Data (T1560)
An adversary may compress and/or encrypt data that is collected prior to exfiltration.
Archive via Utility (T1560.001)
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration.
Archive via Library (T1560.002)
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries.
Archive via Custom Method (T1560.003)
An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method.
Disk Wipe (T1561)
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.
Disk Content Wipe (T1561.001)
Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
Disk Structure Wipe (T1561.002)
Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.
Impair Defenses (T1562)
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
Disable or Modify Tools (T1562.001)
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
Disable Windows Event Logging (T1562.002)
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.
Impair Command History Logging (T1562.003)
Adversaries may impair command history logging to hide commands they run on a compromised system.
Disable or Modify System Firewall (T1562.004)
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.
Indicator Blocking (T1562.006)
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.
Disable or Modify Cloud Firewall (T1562.007)
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
Disable or Modify Cloud Logs (T1562.008)
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.
Safe Mode Boot (T1562.009)
Adversaries may abuse Windows safe mode to disable endpoint defenses.
Downgrade Attack (T1562.010)
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls.
Spoof Security Alerting (T1562.011)
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.
Disable or Modify Linux Audit System (T1562.012)
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection.
Remote Service Session Hijacking (T1563)
Adversaries may take control of preexisting sessions with remote services to move laterally in an environment.
SSH Hijacking (T1563.001)
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment.
RDP Hijacking (T1563.002)
Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment.
Hide Artifacts (T1564)
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection.
Hidden Files and Directories (T1564.001)
Adversaries may set files and directories to be hidden to evade detection mechanisms.
Hidden Users (T1564.002)
Adversaries may use hidden users to hide the presence of user accounts they create or modify.
Hidden Window (T1564.003)
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
NTFS File Attributes (T1564.004)
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.
Hidden File System (T1564.005)
Adversaries may use a hidden file system to conceal malicious activity from users and security tools.
Run Virtual Instance (T1564.006)
Adversaries may carry out malicious operations using a virtual instance to avoid detection.
VBA Stomping (T1564.007)
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.
Email Hiding Rules (T1564.008)
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox.
Resource Forking (T1564.009)
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.
Process Argument Spoofing (T1564.010)
Adversaries may attempt to hide process command-line arguments by overwriting process memory.
Ignore Process Interrupts (T1564.011)
Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals.
File/Path Exclusions (T1564.012)
Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities.
Data Manipulation (T1565)
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Stored Data Manipulation (T1565.001)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Transmitted Data Manipulation (T1565.002)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Runtime Data Manipulation (T1565.003)
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.
Phishing (T1566)
Adversaries may send phishing messages to gain access to victim systems.
Spearphishing Attachment (T1566.001)
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
Spearphishing Link (T1566.002)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Spearphishing via Service (T1566.003)
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems.
Spearphishing Voice (T1566.004)
Adversaries may use voice communications to ultimately gain access to victim systems.
Exfiltration Over Web Service (T1567)
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
Exfiltration to Code Repository (T1567.001)
Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel.
Exfiltration to Cloud Storage (T1567.002)
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel.
Exfiltration to Text Storage Sites (T1567.003)
Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel.
Exfiltration Over Webhook (T1567.004)
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel.
Dynamic Resolution (T1568)
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations.
Fast Flux DNS (T1568.001)
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution.
Domain Generation Algorithms (T1568.002)
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains.
DNS Calculation (T1568.003)
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address.
System Services (T1569)
Adversaries may abuse system services or daemons to execute commands or programs.
Launchctl (T1569.001)
Adversaries may abuse launchctl to execute commands or programs.
Service Execution (T1569.002)
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads.
Lateral Tool Transfer (T1570)
Adversaries may transfer tools or other files between systems in a compromised environment.
Non-Standard Port (T1571)
Adversaries may communicate using a protocol and port pairing that are typically not associated.
Protocol Tunneling (T1572)
Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.
Encrypted Channel (T1573)
Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
Symmetric Cryptography (T1573.001)
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
Asymmetric Cryptography (T1573.002)
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
Hijack Execution Flow (T1574)
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
DLL Search Order Hijacking (T1574.001)
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs.
DLL Side-Loading (T1574.002)
Adversaries may execute their own malicious payloads by side-loading DLLs.
Dylib Hijacking (T1574.004)
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime.
Executable Installer File Permissions Weakness (T1574.005)
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer.
Dynamic Linker Hijacking (T1574.006)
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries.
Path Interception by PATH Environment Variable (T1574.007)
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries.
Path Interception by Search Order Hijacking (T1574.008)
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Path Interception by Unquoted Path (T1574.009)
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Services File Permissions Weakness (T1574.010)
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
Services Registry Permissions Weakness (T1574.011)
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
COR_PROFILER (T1574.012)
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .
KernelCallbackTable (T1574.013)
Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.
AppDomainManager (T1574.014)
Adversaries may execute their own malicious payloads by hijacking how the .
Native API (T1575)
Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions.
Uninstall Malicious Application (T1576)
Adversaries may include functionality in malware that uninstalls the malicious application from the device.
Compromise Application Executable (T1577)
Adversaries may modify applications installed on a device to establish persistent access to a victim.
Modify Cloud Compute Infrastructure (T1578)
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses.
Create Snapshot (T1578.001)
An adversary may create a snapshot or data backup within a cloud account to evade defenses.
Create Cloud Instance (T1578.002)
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses.
Delete Cloud Instance (T1578.003)
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.
Revert Cloud Instance (T1578.004)
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence.
Modify Cloud Compute Configurations (T1578.005)
Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses.
Keychain (T1579)
Adversaries may collect the keychain storage data from an iOS device to acquire credentials.
Cloud Infrastructure Discovery (T1580)
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment.
Geofencing (T1581)
Adversaries may use a device’s geographical location to limit certain malicious behaviors.
SMS Control (T1582)
Adversaries may delete, alter, or send SMS messages without user authorization.
Acquire Infrastructure (T1583)
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting.
Domains (T1583.001)
Adversaries may acquire domains that can be used during targeting.
DNS Server (T1583.002)
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting.
Virtual Private Server (T1583.003)
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting.
Server (T1583.004)
Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting.
Botnet (T1583.005)
Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting.
Web Services (T1583.006)
Adversaries may register for web services that can be used during targeting.
Serverless (T1583.007)
Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting.
Malvertising (T1583.008)
Adversaries may purchase online advertisements that can be abused to distribute malware to victims.
Compromise Infrastructure (T1584)
Adversaries may compromise third-party infrastructure that can be used during targeting.
Domains (T1584.001)
Adversaries may hijack domains and/or subdomains that can be used during targeting.
DNS Server (T1584.002)
Adversaries may compromise third-party DNS servers that can be used during targeting.
Virtual Private Server (T1584.003)
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting.
Server (T1584.004)
Adversaries may compromise third-party servers that can be used during targeting.
Botnet (T1584.005)
Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting.
Web Services (T1584.006)
Adversaries may compromise access to third-party web services that can be used during targeting.
Serverless (T1584.007)
Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting.
Network Devices (T1584.008)
Adversaries may compromise third-party network devices that can be used during targeting.
Establish Accounts (T1585)
Adversaries may create and cultivate accounts with services that can be used during targeting.
Social Media Accounts (T1585.001)
Adversaries may create and cultivate social media accounts that can be used during targeting.
Email Accounts (T1585.002)
Adversaries may create email accounts that can be used during targeting.
Cloud Accounts (T1585.003)
Adversaries may create accounts with cloud providers that can be used during targeting.
Compromise Accounts (T1586)
Adversaries may compromise accounts with services that can be used during targeting.
Social Media Accounts (T1586.001)
Adversaries may compromise social media accounts that can be used during targeting.
Email Accounts (T1586.002)
Adversaries may compromise email accounts that can be used during targeting.
Cloud Accounts (T1586.003)
Adversaries may compromise cloud accounts that can be used during targeting.
Develop Capabilities (T1587)
Adversaries may build capabilities that can be used during targeting.
Malware (T1587.001)
Adversaries may develop malware and malware components that can be used during targeting.
Code Signing Certificates (T1587.002)
Adversaries may create self-signed code signing certificates that can be used during targeting.
Digital Certificates (T1587.003)
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting.
Exploits (T1587.004)
Adversaries may develop exploits that can be used during targeting.
Obtain Capabilities (T1588)
Adversaries may buy and/or steal capabilities that can be used during targeting.
Malware (T1588.001)
Adversaries may buy, steal, or download malware that can be used during targeting.
Tool (T1588.002)
Adversaries may buy, steal, or download software tools that can be used during targeting.
Code Signing Certificates (T1588.003)
Adversaries may buy and/or steal code signing certificates that can be used during targeting.
Digital Certificates (T1588.004)
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting.
Exploits (T1588.005)
Adversaries may buy, steal, or download exploits that can be used during targeting.
Vulnerabilities (T1588.006)
Adversaries may acquire information about vulnerabilities that can be used during targeting.
Artificial Intelligence (T1588.007)
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting.
Gather Victim Identity Information (T1589)
Adversaries may gather information about the victim's identity that can be used during targeting.
Credentials (T1589.001)
Adversaries may gather credentials that can be used during targeting.
Email Addresses (T1589.002)
Adversaries may gather email addresses that can be used during targeting.
Employee Names (T1589.003)
Adversaries may gather employee names that can be used during targeting.
Gather Victim Network Information (T1590)
Adversaries may gather information about the victim's networks that can be used during targeting.
Domain Properties (T1590.001)
Adversaries may gather information about the victim's network domain(s) that can be used during targeting.
DNS (T1590.002)
Adversaries may gather information about the victim's DNS that can be used during targeting.
Network Trust Dependencies (T1590.003)
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting.
Network Topology (T1590.004)
Adversaries may gather information about the victim's network topology that can be used during targeting.
IP Addresses (T1590.005)
Adversaries may gather the victim's IP addresses that can be used during targeting.
Network Security Appliances (T1590.006)
Adversaries may gather information about the victim's network security appliances that can be used during targeting.
Gather Victim Org Information (T1591)
Adversaries may gather information about the victim's organization that can be used during targeting.
Determine Physical Locations (T1591.001)
Adversaries may gather the victim's physical location(s) that can be used during targeting.
Business Relationships (T1591.002)
Adversaries may gather information about the victim's business relationships that can be used during targeting.
Identify Business Tempo (T1591.003)
Adversaries may gather information about the victim's business tempo that can be used during targeting.
Identify Roles (T1591.004)
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting.
Gather Victim Host Information (T1592)
Adversaries may gather information about the victim's hosts that can be used during targeting.
Hardware (T1592.001)
Adversaries may gather information about the victim's host hardware that can be used during targeting.
Software (T1592.002)
Adversaries may gather information about the victim's host software that can be used during targeting.
Firmware (T1592.003)
Adversaries may gather information about the victim's host firmware that can be used during targeting.
Client Configurations (T1592.004)
Adversaries may gather information about the victim's client configurations that can be used during targeting.
Search Open Websites/Domains (T1593)
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting.
Social Media (T1593.001)
Adversaries may search social media for information about victims that can be used during targeting.
Search Engines (T1593.002)
Adversaries may use search engines to collect information about victims that can be used during targeting.
Code Repositories (T1593.003)
Adversaries may search public code repositories for information about victims that can be used during targeting.
Search Victim-Owned Websites (T1594)
Adversaries may search websites owned by the victim for information that can be used during targeting.
Active Scanning (T1595)
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting.
Scanning IP Blocks (T1595.001)
Adversaries may scan victim IP blocks to gather information that can be used during targeting.
Vulnerability Scanning (T1595.002)
Adversaries may scan victims for vulnerabilities that can be used during targeting.
Wordlist Scanning (T1595.003)
Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques.
Search Open Technical Databases (T1596)
Adversaries may search freely available technical databases for information about victims that can be used during targeting.
DNS/Passive DNS (T1596.001)
Adversaries may search DNS data for information about victims that can be used during targeting.
WHOIS (T1596.002)
Adversaries may search public WHOIS data for information about victims that can be used during targeting.
Digital Certificates (T1596.003)
Adversaries may search public digital certificate data for information about victims that can be used during targeting.
CDNs (T1596.004)
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting.
Scan Databases (T1596.005)
Adversaries may search within public scan databases for information about victims that can be used during targeting.
Search Closed Sources (T1597)
Adversaries may search and gather information about victims from closed (e.
Threat Intel Vendors (T1597.001)
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting.
Purchase Technical Data (T1597.002)
Adversaries may purchase technical information about victims that can be used during targeting.
Phishing for Information (T1598)
Adversaries may send phishing messages to elicit sensitive information that can be used during targeting.
Spearphishing Service (T1598.001)
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting.
Spearphishing Attachment (T1598.002)
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting.
Spearphishing Link (T1598.003)
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting.
Spearphishing Voice (T1598.004)
Adversaries may use voice communications to elicit sensitive information that can be used during targeting.
Network Boundary Bridging (T1599)
Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation.
Network Address Translation Traversal (T1599.001)
Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration.
Weaken Encryption (T1600)
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.
Reduce Key Space (T1600.001)
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.
Disable Crypto Hardware (T1600.002)
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
Modify System Image (T1601)
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves.
Patch System Image (T1601.001)
Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.
Downgrade System Image (T1601.002)
Adversaries may install an older version of the operating system of a network device to weaken security.
Data from Configuration Repository (T1602)
Adversaries may collect data related to managed devices from configuration repositories.
SNMP (MIB Dump) (T1602.001)
Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).
Network Device Configuration Dump (T1602.002)
Adversaries may access network configuration files to collect sensitive data about the device and the network.
Scheduled Task/Job (T1603)
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
Proxy Through Victim (T1604)
Adversaries may use a compromised device as a proxy server to the Internet.
Command-Line Interface (T1605)
Adversaries may use built-in command-line interfaces to interact with the device and execute commands.
Forge Web Credentials (T1606)
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Web Cookies (T1606.001)
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
SAML Tokens (T1606.002)
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Stage Capabilities (T1608)
Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting.
Upload Malware (T1608.001)
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting.
Upload Tool (T1608.002)
Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting.
Install Digital Certificate (T1608.003)
Adversaries may install SSL/TLS certificates that can be used during targeting.
Drive-by Target (T1608.004)
Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing.
Link Target (T1608.005)
Adversaries may put in place resources that are referenced by a link that can be used during targeting.
SEO Poisoning (T1608.006)
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims.
Container Administration Command (T1609)
Adversaries may abuse a container administration service to execute commands within a container.
Deploy Container (T1610)
Adversaries may deploy a container into an environment to facilitate execution or evade defenses.
Escape to Host (T1611)
Adversaries may break out of a container to gain access to the underlying host.
Build Image on Host (T1612)
Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry.
Container and Resource Discovery (T1613)
Adversaries may attempt to discover containers and other resources that are available within a containers environment.
System Location Discovery (T1614)
Adversaries may gather information in an attempt to calculate the geographical location of a victim host.
System Language Discovery (T1614.001)
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Group Policy Discovery (T1615)
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment.
Call Control (T1616)
Adversaries may make, forward, or block phone calls without user authorization.
Hooking (T1617)
Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection.
User Evasion (T1618)
Adversaries may attempt to avoid detection by hiding malicious behavior from the user.
Cloud Storage Object Discovery (T1619)
Adversaries may enumerate objects in cloud storage infrastructure.
Reflective Code Loading (T1620)
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.
Multi-Factor Authentication Request Generation (T1621)
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
Debugger Evasion (T1622)
Adversaries may employ various means to detect and avoid debuggers.
Command and Scripting Interpreter (T1623)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Unix Shell (T1623.001)
Adversaries may abuse Unix shell commands and scripts for execution.
Event Triggered Execution (T1624)
Adversaries may establish persistence using system mechanisms that trigger execution based on specific events.
Broadcast Receivers (T1624.001)
Adversaries may establish persistence using system mechanisms that trigger execution based on specific events.
Hijack Execution Flow (T1625)
Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications.
System Runtime API Hijacking (T1625.001)
Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications.
Abuse Elevation Control Mechanism (T1626)
Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions.
Device Administrator Permissions (T1626.001)
Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device.
Execution Guardrails (T1627)
Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target.
Geofencing (T1627.001)
Adversaries may use a device’s geographical location to limit certain malicious behaviors.
Hide Artifacts (T1628)
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection.
Suppress Application Icon (T1628.001)
A malicious application could suppress its icon from being displayed to the user in the application launcher.
User Evasion (T1628.002)
Adversaries may attempt to avoid detection by hiding malicious behavior from the user.
Conceal Multimedia Files (T1628.003)
Adversaries may attempt to hide multimedia files from the user.
Impair Defenses (T1629)
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
Prevent Application Removal (T1629.001)
Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application.
Device Lockout (T1629.002)
An adversary may seek to inhibit user interaction by locking the legitimate user out of the device.
Disable or Modify Tools (T1629.003)
Adversaries may disable security tools to avoid potential detection of their tools and activities.
Indicator Removal on Host (T1630)
Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself.
Uninstall Malicious Application (T1630.001)
Adversaries may include functionality in malware that uninstalls the malicious application from the device.
File Deletion (T1630.002)
Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity.
Disguise Root/Jailbreak Indicators (T1630.003)
An adversary could use knowledge of the techniques used by security software to evade detection.
Process Injection (T1631)
Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges.
Ptrace System Calls (T1631.001)
Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.
Subvert Trust Controls (T1632)
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications.
Code Signing Policy Modification (T1632.001)
Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys.
Virtualization/Sandbox Evasion (T1633)
Adversaries may employ various means to detect and avoid virtualization and analysis environments.
System Checks (T1633.001)
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
Credentials from Password Store (T1634)
Adversaries may search common password storage locations to obtain user credentials.
Keychain (T1634.001)
Adversaries may collect keychain data from an iOS device to acquire credentials.
Steal Application Access Token (T1635)
Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources.
URI Hijacking (T1635.001)
Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.
Protected User Data (T1636)
Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list.
Calendar Entries (T1636.001)
Adversaries may utilize standard operating system APIs to gather calendar entry data.
Call Log (T1636.002)
Adversaries may utilize standard operating system APIs to gather call log data.
Contact List (T1636.003)
Adversaries may utilize standard operating system APIs to gather contact list data.
SMS Messages (T1636.004)
Adversaries may utilize standard operating system APIs to gather SMS messages.
Dynamic Resolution (T1637)
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations.
Domain Generation Algorithms (T1637.001)
Adversaries may use [Domain Generation Algorithms](https://attack.
Adversary-in-the-Middle (T1638)
Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.
Exfiltration Over Alternative Protocol (T1639)
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.
Exfiltration Over Unencrypted Non-C2 Protocol (T1639.001)
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
Account Access Removal (T1640)
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Data Manipulation (T1641)
Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity.
Transmitted Data Manipulation (T1641.001)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.
Endpoint Denial of Service (T1642)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Generate Traffic from Victim (T1643)
Adversaries may generate outbound traffic from devices.
Out of Band Data (T1644)
Adversaries may communicate with compromised devices using out of band data streams.
Compromise Client Software Binary (T1645)
Adversaries may modify system software binaries to establish persistent access to devices.
Exfiltration Over C2 Channel (T1646)
Adversaries may steal data by exfiltrating it over an existing command and control channel.
Plist File Modification (T1647)
Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses.
Serverless Execution (T1648)
Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments.
Steal or Forge Authentication Certificates (T1649)
Adversaries may steal or forge certificates used for authentication to access remote systems or resources.
Acquire Access (T1650)
Adversaries may purchase or otherwise acquire an existing access to a target system or network.
Cloud Administration Command (T1651)
Adversaries may abuse cloud management services to execute commands within virtual machines.
Device Driver Discovery (T1652)
Adversaries may attempt to enumerate local device drivers on a victim host.
Power Settings (T1653)
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines.
Log Enumeration (T1654)
Adversaries may enumerate system and service logs to find useful data.
Masquerading (T1655)
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.
Match Legitimate Name or Location (T1655.001)
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them.
Impersonation (T1656)
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Financial Theft (T1657)
Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims.
Exploitation for Client Execution (T1658)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Content Injection (T1659)
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic.
Phishing (T1660)
Adversaries may send malicious content to users in order to gain access to their mobile devices.
Application Versioning (T1661)
An adversary may push an update to a previously benign application to add malicious code.
Data Destruction (T1662)
Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources.
Remote Access Software (T1663)
Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc.
Exploitation for Initial Access (T1664)
Adversaries may exploit software vulnerabilities to gain initial access to a mobile device.
Hide Infrastructure (T1665)
Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure.
Modify Cloud Resource Hierarchy (T1666)
Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.