| ID | Name | Description | Category |
|---|---|---|---|
| T1005 | Data from Local System | Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine… | collection |
| T1039 | Data from Network Shared Drive | Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can b… | collection |
| T1025 | Data from Removable Media | Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive… | collection |
| T1213.006 | Databases | Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the clo… | collection |
| T1102.001 | Dead Drop Resolver | Adversaries may use an existing, legitimate external Web service to host information that points to additional command a… | command-and-control |
| T1622 | Debugger Evasion | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace a… | stealth |
| T1491 | Defacement | Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the in… | impact |
| T1078.001 | Default Accounts | Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Pri… | stealth |
| T1678 | Delay Execution | Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system… | stealth |
| T1578.003 | Delete Cloud Instance | An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection… | defense-impairment |
| T1140 | Deobfuscate/Decode Files or Information | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an… | stealth |
| T1610 | Deploy Container | Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversa… | execution |
| T1591.001 | Determine Physical Locations | Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical l… | reconnaissance |
| T1587 | Develop Capabilities | Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or ste… | resource-development |
| T1652 | Device Driver Discovery | Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlig… | discovery |
| T1098.005 | Device Registration | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authent… | persistence |
| T1596.003 | Digital Certificates | Adversaries may search public digital certificate data for information about victims that can be used during targeting. … | reconnaissance |
| T1588.004 | Digital Certificates | Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are design… | resource-development |
| T1587.003 | Digital Certificates | Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are desi… | resource-development |
| T1021.008 | Direct Cloud VM Connections | Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible clo… | lateral-movement |
| T1498.001 | Direct Network Flood | Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a tar… | impact |
| T1006 | Direct Volume Access | Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows progr… | stealth |
| T1600.002 | Disable Crypto Hardware | Adversaries disable a network device's dedicated hardware encryption, which may enable them to leverage weaknesses in so… | defense-impairment |
| T1562.002 | Disable Windows Event Logging | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows eve… | stealth |
| T1562.007 | Disable or Modify Cloud Firewall | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud re… | stealth |
| T1685.002 | Disable or Modify Cloud Log | An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their … | defense-impairment |
| T1562.008 | Disable or Modify Cloud Logs | An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their … | stealth |
| T1562.012 | Disable or Modify Linux Audit System | Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins us… | stealth |
| T1685.004 | Disable or Modify Linux Audit System Log | Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection. Linux admins us… | defense-impairment |
| T1562.013 | Disable or Modify Network Device Firewall | Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in … | stealth |
| T1562.004 | Disable or Modify System Firewall | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be … | stealth |
| T1686 | Disable or Modify System Firewall | Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further acti… | defense-impairment |
| T1562.001 | Disable or Modify Tools | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. … | stealth |
| T1685 | Disable or Modify Tools | Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (… | defense-impairment |
| T1685.001 | Disable or Modify Windows Event Log | Adversaries may disable or modify the Windows Event Log to limit data that can be leveraged for detections and audits. W… | defense-impairment |
| T1089 | Disabling Security Tools | Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form… | stealth |
| T1488 | Disk Content Wipe | Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a netwo… | impact |
| T1561.001 | Disk Content Wipe | Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt … | impact |
| T1561.002 | Disk Structure Wipe | Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific … | impact |
| T1487 | Disk Structure Wipe | Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot systems; targeting specific cri… | impact |
| T1561 | Disk Wipe | Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availabi… | impact |
| T1021.003 | Distributed Component Object Model | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taki… | lateral-movement |
| T1087.002 | Domain Account | Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domai… | discovery |
| T1136.002 | Domain Account | Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Activ… | persistence |
| T1078.002 | Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Priv… | stealth |
| T1556.001 | Domain Controller Authentication | Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms … | defense-impairment |
| T1172 | Domain Fronting | Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host mul… | command-and-control |
| T1090.004 | Domain Fronting | Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host mult… | command-and-control |
| T1568.002 | Domain Generation Algorithms | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command… | command-and-control |
| T1483 | Domain Generation Algorithms | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and co… | command-and-control |