| T1136.003 | Cloud Account | Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such acc… | persistence |
| T1586.003 | Cloud Accounts | Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accou… | resource-development |
| T1585.003 | Cloud Accounts | Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accoun… | resource-development |
| T1078.004 | Cloud Accounts | Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Pr… | stealth |
| T1651 | Cloud Administration Command | Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Syste… | execution |
| T1671 | Cloud Application Integration | Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment.… | persistence |
| T1686.001 | Cloud Firewall | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud re… | defense-impairment |
| T1069.003 | Cloud Groups | Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help … | discovery |
| T1580 | Cloud Infrastructure Discovery | An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-servi… | discovery |
| T1552.005 | Cloud Instance Metadata API | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most… | credential-access |
| T1522 | Cloud Instance Metadata API | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most… | credential-access |
| T1555.006 | Cloud Secrets Management Stores | Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secre… | credential-access |
| T1538 | Cloud Service Dashboard | An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operationa… | discovery |
| T1526 | Cloud Service Discovery | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can dif… | discovery |
| T1496.004 | Cloud Service Hijacking | Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, whi… | impact |
| T1021.007 | Cloud Services | Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attac… | lateral-movement |
| T1619 | Cloud Storage Object Discovery | Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated… | discovery |
| T1593.003 | Code Repositories | Adversaries may search public code repositories for information about victims that can be used during targeting. Victims… | reconnaissance |
| T1213.003 | Code Repositories | Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that st… | collection |
| T1116 | Code Signing | Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not bee… | stealth |
| T1553.002 | Code Signing | Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a… | defense-impairment |
| T1587.002 | Code Signing Certificates | Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the proc… | resource-development |
| T1588.003 | Code Signing Certificates | Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the proces… | resource-development |
| T1553.006 | Code Signing Policy Modification | Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides … | defense-impairment |
| T1027.010 | Command Obfuscation | Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of … | stealth |
| T1059 | Command and Scripting Interpreter | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and la… | execution |
| T1043 | Commonly Used Port | **This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where ap… | command-and-control |
| T1092 | Communication Through Removable Media | Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removab… | command-and-control |
| T1027.004 | Compile After Delivery | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled … | stealth |
| T1500 | Compile After Delivery | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled … | stealth |
| T1218.001 | Compiled HTML File | Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part o… | stealth |
| T1223 | Compiled HTML File | Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed … | stealth |
| T1109 | Component Firmware | Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that wi… | stealth |
| T1542.002 | Component Firmware | Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to comp… | stealth |
| T1559.001 | Component Object Model | Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communica… | execution |
| T1122 | Component Object Model Hijacking | The Component Object Model (COM) is a system within Windows to enable interaction between software components through th… | stealth |
| T1546.015 | Component Object Model Hijacking | Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Objec… | privilege-escalation |
| T1175 | Component Object Model and Distributed COM | **This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/technique… | lateral-movement |
| T1027.015 | Compression | Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and… | stealth |
| T1586 | Compromise Accounts | Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social… | resource-development |
| T1195.003 | Compromise Hardware Supply Chain | Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data … | initial-access |
| T1554 | Compromise Host Software Binary | Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables p… | persistence |
| T1584 | Compromise Infrastructure | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions includ… | resource-development |
| T1195.001 | Compromise Software Dependencies and Development Tools | Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purp… | initial-access |
| T1195.002 | Compromise Software Supply Chain | Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system c… | initial-access |
| T1496.001 | Compute Hijacking | Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impac… | impact |
| T1556.009 | Conditional Access Policies | Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Condi… | defense-impairment |
| T1213.001 | Confluence | Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments … | collection |
| T1552.007 | Container API | Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Doc… | credential-access |
| T1609 | Container Administration Command | Adversaries may abuse a container administration service to execute commands within a container. A container administrat… | execution |