| ID | Name | Description | Tactic |
|---|---|---|---|
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the e… | exfiltration |
| T1011.001 | Exfiltration Over Bluetooth | Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command an… | exfiltration |
| T1041 | Exfiltration Over C2 Channel | Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into … | exfiltration |
| T1011 | Exfiltration Over Other Network Medium | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the … | exfiltration |
| T1052 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, s… | exfiltration |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the exi… | exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing comm… | exfiltration |
| T1567 | Exfiltration Over Web Service | Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command an… | exfiltration |
| T1567.004 | Exfiltration Over Webhook | Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhoo… | exfiltration |
| T1052.001 | Exfiltration over USB | Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an ai… | exfiltration |
| T1567.002 | Exfiltration to Cloud Storage | Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. C… | exfiltration |
| T1567.001 | Exfiltration to Code Repository | Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code re… | exfiltration |
| T1567.003 | Exfiltration to Text Storage Sites | Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage… | exfiltration |
| T1190 | Exploit Public-Facing Application | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The we… | initial-access |
| T1203 | Exploitation for Client Execution | Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in so… | execution |
| T1212 | Exploitation for Credential Access | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulner… | credential-access |
| T1687 | Exploitation for Defense Impairment | Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disabl… | defense-impairment |
| T1068 | Exploitation for Privilege Escalation | Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnera… | privilege-escalation |
| T1211 | Exploitation for Stealth | Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within … | stealth |
| T1210 | Exploitation of Remote Services | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploi… | lateral-movement |
| T1587.004 | Exploits | Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability… | resource-development |
| T1588.005 | Exploits | Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug … | resource-development |
| T1564.014 | Extended Attributes | Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade det… | stealth |
| T1491.002 | External Defacement | An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise… | impact |
| T1090.002 | External Proxy | Adversaries may use an external proxy to act as an intermediary for network communications to a command and control serv… | command-and-control |
| T1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote ser… | persistence |
| T1055.011 | Extra Window Memory Injection | Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defense… | stealth |
| T1181 | Extra Window Memory Injection | Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipula… | stealth |
| T1008 | Fallback Channels | Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible i… | command-and-control |
| T1568.001 | Fast Flux DNS | Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses… | command-and-control |
| T1107 | File Deletion | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native… | stealth |
| T1070.004 | File Deletion | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native… | stealth |
| T1044 | File System Permissions Weakness | Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the… | persistence |
| T1071.002 | File Transfer Protocols | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/netw… | command-and-control |
| T1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certa… | discovery |
| T1222 | File and Directory Permissions Modification | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte… | defense-impairment |
| T1564.012 | File/Path Exclusions | Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded fr… | stealth |
| T1027.011 | Fileless Storage | Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be br… | stealth |
| T1657 | Financial Theft | Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other m… | impact |
| T1592.003 | Firmware | Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about… | reconnaissance |
| T1495 | Firmware Corruption | Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a… | impact |
| T1187 | Forced Authentication | Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication informa… | credential-access |
| T1606 | Forge Web Credentials | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web… | credential-access |
| T1056.002 | GUI Input Capture | Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate… | collection |
| T1553.001 | Gatekeeper Bypass | Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted … | defense-impairment |
| T1144 | Gatekeeper Bypass | In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on t… | stealth |
| T1592 | Gather Victim Host Information | Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts m… | reconnaissance |
| T1589 | Gather Victim Identity Information | Adversaries may gather information about the victim's identity that can be used during targeting. Information about iden… | reconnaissance |
| T1590 | Gather Victim Network Information | Adversaries may gather information about the victim's networks that can be used during targeting. Information about netw… | reconnaissance |
| T1591 | Gather Victim Org Information | Adversaries may gather information about the victim's organization that can be used during targeting. Information about … | reconnaissance |