Trusted Design

Technique List

| Technique ID | Name | Summary | Tactic |
|---|---|---|---|
| T1206 | Sudo Caching | The `sudo` command "allows a system administrator to delegate authority to give certain users (or groups of u… | privilege-escalation |
| T1548.003 | Sudo and Sudo Caching | Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execu… | privilege-escalation |
| T1195 | Supply Chain Compromise | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose … | initial-access |
| T1573.001 | Symmetric Cryptography | Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying… | command-and-control |
| T1216.002 | SyncAppvPublishingServer | Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org… | stealth |
| T1218 | System Binary Proxy Execution | Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, o… | stealth |
| T1497.001 | System Checks | Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may incl… | stealth |
| T1542.001 | System Firmware | Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and The Unified Extens… | stealth |
| T1019 | System Firmware | The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interfa… | persistence |
| T1082 | System Information Discovery | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches… | discovery |
| T1614.001 | System Language Discovery | Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical l… | discovery |
| T1614 | System Location Discovery | Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries m… | discovery |
| T1016 | System Network Configuration Discovery | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of syste… | discovery |
| T1049 | System Network Connections Discovery | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently acc… | discovery |
| T1033 | System Owner/User Discovery | Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system… | discovery |
| T1216 | System Script Proxy Execution | Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several … | stealth |
| T1007 | System Service Discovery | Adversaries may try to gather information about registered local system services. Adversaries may obtain information abo… | discovery |
| T1569 | System Services | Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious cont… | execution |
| T1529 | System Shutdown/Reboot | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating s… | impact |
| T1124 | System Time Discovery | An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set … | discovery |
| T1569.003 | Systemctl | Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Lin… | execution |
| T1501 | Systemd Service | Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used fo… | persistence |
| T1543.002 | Systemd Service | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Syste… | persistence |
| T1053.006 | Systemd Timers | Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Sy… | execution |
| T1548.006 | TCC Manipulation | Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious ex… | privilege-escalation |
| T1542.005 | TFTP Boot | Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Pr… | stealth |
| T1080 | Taint Shared Content | Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drive… | lateral-movement |
| T1221 | Template Injection | Adversaries may create or modify references in user document templates to conceal malicious code or force authentication… | stealth |
| T1548.005 | Temporary Elevated Cloud Access | Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. … | privilege-escalation |
| T1505.005 | Terminal Services DLL | Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Service… | persistence |
| T1055.003 | Thread Execution Hijacking | Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possib… | stealth |
| T1055.005 | Thread Local Storage | Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-… | stealth |
| T1597.001 | Threat Intel Vendors | Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. … | reconnaissance |
| T1497.003 | Time Based Checks | Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those… | stealth |
| T1547.003 | Time Providers | Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables t… | persistence |
| T1209 | Time Providers | The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time … | persistence |
| T1099 | Timestomp | Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activit… | stealth |
| T1070.006 | Timestomp | Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique … | stealth |
| T1134.001 | Token Impersonation/Theft | Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access contro… | stealth |
| T1588.002 | Tool | Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed so… | resource-development |
| T1020.001 | Traffic Duplication | Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traff… | exfiltration |
| T1205 | Traffic Signaling | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or comman… | stealth |
| T1537 | Transfer Data to Cloud Account | Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of clou… | exfiltration |
| T1493 | Transmitted Data Manipulation | Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activit… | impact |
| T1565.002 | Transmitted Data Manipulation | Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activit… | impact |
| T1505.002 | Transport Agent | Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport… | persistence |
| T1546.005 | Trap | Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The `trap` c… | privilege-escalation |
| T1154 | Trap | The `trap` command allows programs and shells to specify commands that will be executed upon receiving interr… | execution |
| T1484.002 | Trust Modification | Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configur… | defense-impairment |
| T1127 | Trusted Developer Utilities Proxy Execution | Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many u… | stealth |