| ID | Name | Description | Tag |
|---|---|---|---|
| T1199 | Trusted Relationship | Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted t… | initial-access |
| T1546.017 | Udev Rules | Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux k… | persistence |
| T1065 | Uncommonly Used Port | Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improp… | command-and-control |
| T1059.004 | Unix Shell | Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux… | execution |
| T1546.004 | Unix Shell Configuration Modification | Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell… | privilege-escalation |
| T1552 | Unsecured Credentials | Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be st… | credential-access |
| T1535 | Unused/Unsupported Cloud Regions | Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usual… | stealth |
| T1608.001 | Upload Malware | Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during target… | resource-development |
| T1608.002 | Upload Tool | Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targetin… | resource-development |
| T1550 | Use Alternate Authentication Material | Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access… | lateral-movement |
| T1497.002 | User Activity Based Checks | Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This m… | stealth |
| T1204 | User Execution | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engin… | execution |
| T1564.007 | VBA Stomping | Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by repla… | stealth |
| T1055.014 | VDSO Hijacking | Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well… | stealth |
| T1021.005 | VNC | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtu… | lateral-movement |
| T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Pri… | stealth |
| T1218.012 | Verclsid | Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Ve… | stealth |
| T1125 | Video Capture | An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., v… | collection |
| T1673 | Virtual Machine Discovery | An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For e… | discovery |
| T1584.003 | Virtual Private Server | Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a v… | resource-development |
| T1583.003 | Virtual Private Server | Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud se… | resource-development |
| T1497 | Virtualization/Sandbox Evasion | Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include chan… | stealth |
| T1059.005 | Visual Basic | Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interopera… | execution |
| T1588.006 | Vulnerabilities | Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakne… | resource-development |
| T1595.002 | Vulnerability Scanning | Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check … | reconnaissance |
| T1596.002 | WHOIS | Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is … | reconnaissance |
| T1600 | Weaken Encryption | Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise p… | defense-impairment |
| T1606.001 | Web Cookies | Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applicat… | credential-access |
| T1056.003 | Web Portal Capture | Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials… | collection |
| T1071.001 | Web Protocols | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network fil… | command-and-control |
| T1102 | Web Service | Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised syst… | command-and-control |
| T1583.006 | Web Services | Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adv… | resource-development |
| T1584.006 | Web Services | Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular we… | resource-development |
| T1550.004 | Web Session Cookie | Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses som… | lateral-movement |
| T1506 | Web Session Cookie | Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses som… | stealth |
| T1505.003 | Web Shell | Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web scr… | persistence |
| T1100 | Web Shell | A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web serve… | persistence |
| T1016.002 | Wi-Fi Discovery | Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems… | discovery |
| T1669 | Wi-Fi Networks | Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by ex… | initial-access |
| T1077 | Windows Admin Shares | Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote… | lateral-movement |
| T1059.003 | Windows Command Shell | Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org… | execution |
| T1555.004 | Windows Credential Manager | Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for s… | credential-access |
| T1686.003 | Windows Host Firewall | Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include … | defense-impairment |
| T1047 | Windows Management Instrumentation | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is design… | execution |
| T1546.003 | Windows Management Instrumentation Event Subscription | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Manag… | privilege-escalation |
| T1084 | Windows Management Instrumentation Event Subscription | Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that e… | persistence |
| T1222.001 | Windows Permissions | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte… | defense-impairment |
| T1021.006 | Windows Remote Management | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Wi… | lateral-movement |
| T1028 | Windows Remote Management | Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact wi… | execution |
| T1543.003 | Windows Service | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When … | persistence |