| ID | Name | Description | Category |
| --- | --- | --- | --- |
| T1069.002 | Domain Groups | Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission gr… | discovery |
| T1590.001 | Domain Properties | Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information a… | reconnaissance |
| T1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movemen… | discovery |
| T1484 | Domain or Tenant Policy Modification | Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privi… | defense-impairment |
| T1583.001 | Domains | Adversaries may acquire domains that can be used during targeting. Domain names are the human-readable names used to rep… | resource-development |
| T1584.001 | Domains | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the… | resource-development |
| T1036.007 | Double File Extension | Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may … | stealth |
| T1689 | Downgrade Attack | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support … | defense-impairment |
| T1562.010 | Downgrade Attack | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support … | stealth |
| T1601.002 | Downgrade System Image | Adversaries may install an older version of the operating system of a network device to weaken security. Older operatin… | defense-impairment |
| T1189 | Drive-by Compromise | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple w… | initial-access |
| T1608.004 | Drive-by Target | Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of brow… | resource-development |
| T1157 | Dylib Hijacking | macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search… | persistence |
| T1574.004 | Dylib Hijacking | Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a pat… | stealth |
| T1027.007 | Dynamic API Resolution | Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious f… | stealth |
| T1559.002 | Dynamic Data Exchange | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol f… | execution |
| T1173 | Dynamic Data Exchange | Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communicati… | execution |
| T1574.006 | Dynamic Linker Hijacking | Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load … | stealth |
| T1568 | Dynamic Resolution | Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and r… | command-and-control |
| T1055.001 | Dynamic-link Library Injection | Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as … | stealth |
| T1675 | ESXi Administration Command | Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual e… | execution |
| T1218.015 | Electron Applications | Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many … | stealth |
| T1514 | Elevated Execution with Prompt | Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for cre… | privilege-escalation |
| T1548.004 | Elevated Execution with Prompt | Adversaries may leverage the `AuthorizationExecuteWithPrivileges` API to escalate privileges by prompting the… | privilege-escalation |
| T1087.003 | Email Account | Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address l… | discovery |
| T1586.002 | Email Accounts | Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accou… | resource-development |
| T1585.002 | Email Accounts | Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email… | resource-development |
| T1589.002 | Email Addresses | Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organization… | reconnaissance |
| T1667 | Email Bombing | Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails … | impact |
| T1114 | Email Collection | Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade s… | collection |
| T1114.003 | Email Forwarding Rule | Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding ru… | collection |
| T1564.008 | Email Hiding Rules | Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users t… | stealth |
| T1672 | Email Spoofing | Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establi… | stealth |
| T1684.002 | Email Spoofing | Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establi… | stealth |
| T1027.009 | Embedded Payloads | Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign… | stealth |
| T1546.014 | Emond | Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Da… | privilege-escalation |
| T1519 | Emond | Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on pre… | persistence |
| T1589.003 | Employee Names | Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresse… | reconnaissance |
| T1573 | Encrypted Channel | Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inheren… | command-and-control |
| T1027.013 | Encrypted/Encoded File | Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. En… | stealth |
| T1499 | Endpoint Denial of Service | Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to use… | impact |
| T1480.001 | Environmental Keying | Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to … | stealth |
| T1611 | Escape to Host | Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allo… | privilege-escalation |
| T1585 | Establish Accounts | Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create ac… | resource-development |
| T1546 | Event Triggered Execution | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on … | privilege-escalation |
| T1557.004 | Evil Twin | Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a w… | credential-access |
| T1668 | Exclusive Control | Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the door” behind them … | persistence |
| T1574.005 | Executable Installer File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may… | stealth |
| T1480 | Execution Guardrails | Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment s… | stealth |
| T1048 | Exfiltration Over Alternative Protocol | Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control ch… | exfiltration |