| ID | Name | Description | Category |
|---|---|---|---|
| T1174 | Password Filter DLL | Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are impl… | credential-access |
| T1110.001 | Password Guessing | Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to at… | credential-access |
| T1555.005 | Password Managers | Adversaries may acquire user credentials from third-party password managers. (Citation: ise Password Manager February 201… | credential-access |
| T1201 | Password Policy Discovery | Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cl… | discovery |
| T1110.003 | Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acqu… | credential-access |
| T1601.001 | Patch System Image | Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defense… | defense-impairment |
| T1034 | Path Interception | **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.o… | persistence |
| T1574.007 | Path Interception by PATH Environment Variable | Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH… | stealth |
| T1574.008 | Path Interception by Search Order Hijacking | Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because … | stealth |
| T1574.009 | Path Interception by Unquoted Path | Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take … | stealth |
| T1120 | Peripheral Device Discovery | Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer s… | discovery |
| T1069 | Permission Groups Discovery | Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which… | discovery |
| T1566 | Phishing | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delive… | initial-access |
| T1598 | Phishing for Information | Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for i… | reconnaissance |
| T1647 | Plist File Modification | Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evad… | defense-impairment |
| T1150 | Plist Modification | Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and servic… | stealth |
| T1547.011 | Plist Modification | Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plis… | persistence |
| T1556.003 | Pluggable Authentication Modules | Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted… | defense-impairment |
| T1677 | Poisoned Pipeline Execution | Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code… | execution |
| T1027.014 | Polymorphic Code | Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic co… | stealth |
| T1205.001 | Port Knocking | Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an a… | stealth |
| T1013 | Port Monitors | A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: … | persistence |
| T1547.010 | Port Monitors | Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escal… | persistence |
| T1055.002 | Portable Executable Injection | Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as poss… | stealth |
| T1653 | Power Settings | Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machi… | persistence |
| T1059.001 | PowerShell | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line i… | execution |
| T1086 | PowerShell | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating … | execution |
| T1546.013 | PowerShell Profile | Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.… | privilege-escalation |
| T1504 | PowerShell Profile | Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mit… | persistence |
| T1542 | Pre-OS Boot | Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process o… | stealth |
| T1690 | Prevent Command History Logging | Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interp… | defense-impairment |
| T1547.012 | Print Processors | Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalat… | persistence |
| T1145 | Private Keys | Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. … | credential-access |
| T1552.004 | Private Keys | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Priva… | credential-access |
| T1003.007 | Proc Filesystem | Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used … | credential-access |
| T1055.009 | Proc Memory | Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses a… | stealth |
| T1564.010 | Process Argument Spoofing | Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line argum… | stealth |
| T1057 | Process Discovery | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to ga… | discovery |
| T1055.013 | Process Doppelgänging | Adversaries may inject malicious code into a process via process doppelgänging in order to evade process-based defenses as… | stealth |
| T1186 | Process Doppelgänging | Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microso… | stealth |
| T1093 | Process Hollowing | Process hollowing occurs when a process is created in a suspended state, then its memory is unmapped and replaced with ma… | stealth |
| T1055.012 | Process Hollowing | Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Pr… | stealth |
| T1055 | Process Injection | Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileg… | stealth |
| T1572 | Protocol Tunneling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/… | command-and-control |
| T1001.003 | Protocol or Service Impersonation | Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thw… | command-and-control |
| T1090 | Proxy | Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network c… | command-and-control |
| T1055.008 | Ptrace System Calls | Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-b… | stealth |
| T1216.001 | PubPrn | Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.m… | stealth |
| T1071.005 | Publish/Subscribe Protocols | Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network fil… | command-and-control |
| T1597.002 | Purchase Technical Data | Adversaries may purchase technical information about victims that can be used during targeting. Information about victim… | reconnaissance |