Valid Accounts, Technique T1078 - Enterprise | MITRE ATT&CK®
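<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <!--
    Document head for the archived ATT&CK v13 technique page T1078 (Valid Accounts).
    The character encoding is declared first so it is seen before any other head content.
  -->
  <meta name="viewport" content="width=device-width, initial-scale=1,shrink-to-fit=no">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ">
  <title>Valid Accounts, Technique T1078 - Enterprise | MITRE ATT&CK®</title>
  <link rel="shortcut icon" href="/versions/v13/theme/favicon.ico" type="image/x-icon">

  <!--
    Google Analytics (gtag.js).
    NOTE(review): the inline bootstrap script below needs a nonce or hash before a
    strict Content-Security-Policy script-src can be applied to this page.
  -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'UA-62667723-1');
  </script>

  <!-- Bootstrap CSS -->
  <link rel="stylesheet" href="/versions/v13/theme/style/bootstrap.min.css">
  <link rel="stylesheet" href="/versions/v13/theme/style/bootstrap-glyphicon.min.css">
  <link rel="stylesheet" href="/versions/v13/theme/style/bootstrap-tourist.css">
  <link rel="stylesheet" href="/versions/v13/theme/style/bootstrap-select.min.css">
  <link rel="stylesheet" href="/versions/v13/theme/style.min.css?e8044105">
  <!--
    NOTE(review): third-party stylesheet loaded without Subresource Integrity.
    Add an integrity attribute (digest computed from a trusted copy of the pinned
    4.7.0 file) together with crossorigin="anonymous", or serve the file from the
    site's own theme directory like the stylesheets above.
  -->
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
</head>
<body>
  <div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
    <div class="row sticky-top flex-grow-0 flex-shrink-1">
      <!-- header elements -->
      <header class="col px-0">
        <nav class="navbar navbar-expand-lg navbar-dark position-static">
          <!-- The logo is the only content of the home link, so its alt text names the destination. -->
          <a class="navbar-brand" href="/versions/v13/"><img src="/versions/v13/theme/images/mitre_attack_logo.png" class="attack-logo" alt="MITRE ATT&amp;CK home"></a>
          <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
            <span class="navbar-toggler-icon"></span>
          </button>
          <div class="collapse navbar-collapse" id="navbarCollapse">
            <!--
              NOTE(review): id="navbarDropdown" is repeated on every dropdown toggle below.
              Ids must be document-unique, so each aria-labelledby="navbarDropdown" resolves
              to the first toggle only. Left unchanged here in case theme CSS or JS keys on the id.
            -->
            <ul class="nav nav-tabs ml-auto">
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Matrices</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/matrices/enterprise/">Enterprise</a>
                  <a class="dropdown-item" href="/versions/v13/matrices/mobile/">Mobile</a>
                  <a class="dropdown-item" href="/versions/v13/matrices/ics/">ICS</a>
                </div>
              </li>
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Tactics</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/tactics/enterprise/">Enterprise</a>
                  <a class="dropdown-item" href="/versions/v13/tactics/mobile/">Mobile</a>
                  <a class="dropdown-item" href="/versions/v13/tactics/ics/">ICS</a>
                </div>
              </li>
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Techniques</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/techniques/enterprise/">Enterprise</a>
                  <a class="dropdown-item" href="/versions/v13/techniques/mobile/">Mobile</a>
                  <a class="dropdown-item" href="/versions/v13/techniques/ics/">ICS</a>
                </div>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/datasources" class="nav-link"><b>Data Sources</b></a>
              </li>
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Mitigations</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/mitigations/enterprise/">Enterprise</a>
                  <a class="dropdown-item" href="/versions/v13/mitigations/mobile/">Mobile</a>
                  <a class="dropdown-item" href="/versions/v13/mitigations/ics/">ICS</a>
                </div>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/groups" class="nav-link"><b>Groups</b></a>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/software/" class="nav-link"><b>Software</b></a>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/campaigns" class="nav-link"><b>Campaigns</b></a>
              </li>
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Resources</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/resources/">General Information</a>
                  <a class="dropdown-item" href="/versions/v13/resources/getting-started/">Getting Started</a>
                  <a class="dropdown-item" href="/versions/v13/resources/training/">Training</a>
                  <a class="dropdown-item" href="/versions/v13/resources/attackcon/">ATT&CKcon</a>
                  <a class="dropdown-item" href="/versions/v13/resources/working-with-attack/">Working with ATT&CK</a>
                  <a class="dropdown-item" href="/versions/v13/resources/faq/">FAQ</a>
                  <a class="dropdown-item" href="/resources/updates/">Updates</a>
                  <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a>
                  <a class="dropdown-item" href="/versions/v13/resources/related-projects/">Related Projects</a>
                  <a class="dropdown-item" href="/versions/v13/resources/brand/">Brand Guide</a>
                </div>
              </li>
              <li class="nav-item">
                <!-- External link opened in a new tab: rel="noopener" keeps the opened page from reaching window.opener. -->
                <a href="https://medium.com/mitre-attack/" target="_blank" rel="noopener" class="nav-link">
                  <b>Blog</b>
                  <img src="/versions/v13/theme/images/external-site.svg" alt="External site" class="external-icon">
                </a>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/resources/contribute/" class="nav-link"><b>Contribute</b></a>
              </li>
              <li class="nav-item">
                <!-- Explicit type so the button never acts as a submit control if it is ever placed inside a form. -->
                <button id="search-button" class="btn search-button" type="button">Search <div id="search-icon" class="icon-button search-icon"></div></button>
              </li>
            </ul>
          </div>
        </nav>
      </header>
    </div>
    <div class="row flex-grow-0 flex-shrink-1">
      <!-- banner elements -->
      <div class="col px-0">
        <!--
          NOTE(review): the banner line is kept byte-identical because of the instruction in
          the comment that follows. Its target="_blank" link carries no rel attribute, so opener
          isolation there relies on the browser default, and the warning icon has no alt text.
        -->
        <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature -->
        <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v13/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.1" target="_blank">ATT&CK v13.1</a> which was live between April 25, 2023 and October 30, 2023. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div>
      </div>
    </div>
    <div class="row flex-grow-1 flex-shrink-0">
      <!-- main content elements -->
      <!--start-indexing-for-search-->
      <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical">
        <div class="resizer"></div>
        <!--stop-indexing-for-search-->
        <!-- Sidebar technique tree: the generated markup from here on is left as it was. -->
        <div id="v-tab" role="tablist" aria-orientation="vertical" class="h-100">
          <div class="sidenav-wrapper">
            <div class="heading" data-toggle="collapse" data-target="#sidebar-collapse" id="v-home-tab" aria-selected="false">TECHNIQUES <i class="fa fa-fw fa-chevron-down"></i> <i class="fa fa-fw fa-chevron-up"></i> </div>
            <br class="br-mobile">
            <div class="collapse show" id="sidebar-collapse">
              <div class="sidenav-list">
                <div class="sidenav">
                  <div class="sidenav-head " id="enterprise">
                    <a href="/versions/v13/techniques/enterprise/"> Enterprise </a>
                    <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div>
                  </div>
                  <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header">
                    <div class="sidenav">
                      <div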
class="sidenav-head " id="enterprise-TA0043"> <a href="/versions/v13/tactics/TA0043"> Reconnaissance </a> <div class="expand-button collapsed" id="enterprise-TA0043-header" data-toggle="collapse" data-target="#enterprise-TA0043-body" aria-expanded="false" aria-controls="#enterprise-TA0043-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-body" aria-labelledby="enterprise-TA0043-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595"> <a href="/versions/v13/techniques/T1595/"> Active Scanning </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1595-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1595-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1595-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1595-body" aria-labelledby="enterprise-TA0043-T1595-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595-T1595.001"> <a href="/versions/v13/techniques/T1595/001/"> Scanning IP Blocks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595-T1595.002"> <a href="/versions/v13/techniques/T1595/002/"> Vulnerability Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595-T1595.003"> <a href="/versions/v13/techniques/T1595/003/"> Wordlist Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592"> <a href="/versions/v13/techniques/T1592/"> Gather Victim Host Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1592-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1592-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1592-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1592-body" aria-labelledby="enterprise-TA0043-T1592-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0043-T1592-T1592.001"> <a href="/versions/v13/techniques/T1592/001/"> Hardware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592-T1592.002"> <a href="/versions/v13/techniques/T1592/002/"> Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592-T1592.003"> <a href="/versions/v13/techniques/T1592/003/"> Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592-T1592.004"> <a href="/versions/v13/techniques/T1592/004/"> Client Configurations </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589"> <a href="/versions/v13/techniques/T1589/"> Gather Victim Identity Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1589-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1589-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1589-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1589-body" aria-labelledby="enterprise-TA0043-T1589-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589-T1589.001"> <a href="/versions/v13/techniques/T1589/001/"> Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589-T1589.002"> <a href="/versions/v13/techniques/T1589/002/"> Email Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589-T1589.003"> <a href="/versions/v13/techniques/T1589/003/"> Employee Names </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590"> <a href="/versions/v13/techniques/T1590/"> Gather Victim Network Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1590-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1590-body" aria-expanded="false" 
aria-controls="#enterprise-TA0043-T1590-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1590-body" aria-labelledby="enterprise-TA0043-T1590-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.001"> <a href="/versions/v13/techniques/T1590/001/"> Domain Properties </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.002"> <a href="/versions/v13/techniques/T1590/002/"> DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.003"> <a href="/versions/v13/techniques/T1590/003/"> Network Trust Dependencies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.004"> <a href="/versions/v13/techniques/T1590/004/"> Network Topology </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.005"> <a href="/versions/v13/techniques/T1590/005/"> IP Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.006"> <a href="/versions/v13/techniques/T1590/006/"> Network Security Appliances </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591"> <a href="/versions/v13/techniques/T1591/"> Gather Victim Org Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1591-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1591-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1591-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1591-body" aria-labelledby="enterprise-TA0043-T1591-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591-T1591.001"> <a href="/versions/v13/techniques/T1591/001/"> Determine Physical Locations </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0043-T1591-T1591.002"> <a href="/versions/v13/techniques/T1591/002/"> Business Relationships </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591-T1591.003"> <a href="/versions/v13/techniques/T1591/003/"> Identify Business Tempo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591-T1591.004"> <a href="/versions/v13/techniques/T1591/004/"> Identify Roles </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598"> <a href="/versions/v13/techniques/T1598/"> Phishing for Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1598-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1598-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1598-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1598-body" aria-labelledby="enterprise-TA0043-T1598-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598-T1598.001"> <a href="/versions/v13/techniques/T1598/001/"> Spearphishing Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598-T1598.002"> <a href="/versions/v13/techniques/T1598/002/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598-T1598.003"> <a href="/versions/v13/techniques/T1598/003/"> Spearphishing Link </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597"> <a href="/versions/v13/techniques/T1597/"> Search Closed Sources </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1597-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1597-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1597-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1597-body" 
aria-labelledby="enterprise-TA0043-T1597-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597-T1597.001"> <a href="/versions/v13/techniques/T1597/001/"> Threat Intel Vendors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597-T1597.002"> <a href="/versions/v13/techniques/T1597/002/"> Purchase Technical Data </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596"> <a href="/versions/v13/techniques/T1596/"> Search Open Technical Databases </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1596-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1596-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1596-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1596-body" aria-labelledby="enterprise-TA0043-T1596-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.001"> <a href="/versions/v13/techniques/T1596/001/"> DNS/Passive DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.002"> <a href="/versions/v13/techniques/T1596/002/"> WHOIS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.003"> <a href="/versions/v13/techniques/T1596/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.004"> <a href="/versions/v13/techniques/T1596/004/"> CDNs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.005"> <a href="/versions/v13/techniques/T1596/005/"> Scan Databases </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593"> <a href="/versions/v13/techniques/T1593/"> Search Open Websites/Domains </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1593-header" 
data-toggle="collapse" data-target="#enterprise-TA0043-T1593-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1593-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1593-body" aria-labelledby="enterprise-TA0043-T1593-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593-T1593.001"> <a href="/versions/v13/techniques/T1593/001/"> Social Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593-T1593.002"> <a href="/versions/v13/techniques/T1593/002/"> Search Engines </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593-T1593.003"> <a href="/versions/v13/techniques/T1593/003/"> Code Repositories </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1594"> <a href="/versions/v13/techniques/T1594/"> Search Victim-Owned Websites </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042"> <a href="/versions/v13/tactics/TA0042"> Resource Development </a> <div class="expand-button collapsed" id="enterprise-TA0042-header" data-toggle="collapse" data-target="#enterprise-TA0042-body" aria-expanded="false" aria-controls="#enterprise-TA0042-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-body" aria-labelledby="enterprise-TA0042-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1650"> <a href="/versions/v13/techniques/T1650/"> Acquire Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583"> <a href="/versions/v13/techniques/T1583/"> Acquire Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1583-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1583-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1583-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0042-T1583-body" aria-labelledby="enterprise-TA0042-T1583-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.001"> <a href="/versions/v13/techniques/T1583/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.002"> <a href="/versions/v13/techniques/T1583/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.003"> <a href="/versions/v13/techniques/T1583/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.004"> <a href="/versions/v13/techniques/T1583/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.005"> <a href="/versions/v13/techniques/T1583/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.006"> <a href="/versions/v13/techniques/T1583/006/"> Web Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.007"> <a href="/versions/v13/techniques/T1583/007/"> Serverless </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.008"> <a href="/versions/v13/techniques/T1583/008/"> Malvertising </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586"> <a href="/versions/v13/techniques/T1586/"> Compromise Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1586-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1586-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1586-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1586-body" aria-labelledby="enterprise-TA0042-T1586-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0042-T1586-T1586.001"> <a href="/versions/v13/techniques/T1586/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586-T1586.002"> <a href="/versions/v13/techniques/T1586/002/"> Email Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586-T1586.003"> <a href="/versions/v13/techniques/T1586/003/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584"> <a href="/versions/v13/techniques/T1584/"> Compromise Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1584-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1584-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1584-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1584-body" aria-labelledby="enterprise-TA0042-T1584-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.001"> <a href="/versions/v13/techniques/T1584/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.002"> <a href="/versions/v13/techniques/T1584/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.003"> <a href="/versions/v13/techniques/T1584/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.004"> <a href="/versions/v13/techniques/T1584/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.005"> <a href="/versions/v13/techniques/T1584/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.006"> <a href="/versions/v13/techniques/T1584/006/"> Web Services </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.007"> <a href="/versions/v13/techniques/T1584/007/"> Serverless </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587"> <a href="/versions/v13/techniques/T1587/"> Develop Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1587-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1587-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1587-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1587-body" aria-labelledby="enterprise-TA0042-T1587-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587-T1587.001"> <a href="/versions/v13/techniques/T1587/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587-T1587.002"> <a href="/versions/v13/techniques/T1587/002/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587-T1587.003"> <a href="/versions/v13/techniques/T1587/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587-T1587.004"> <a href="/versions/v13/techniques/T1587/004/"> Exploits </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585"> <a href="/versions/v13/techniques/T1585/"> Establish Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1585-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1585-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1585-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1585-body" aria-labelledby="enterprise-TA0042-T1585-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585-T1585.001"> <a href="/versions/v13/techniques/T1585/001/"> Social Media Accounts </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585-T1585.002"> <a href="/versions/v13/techniques/T1585/002/"> Email Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585-T1585.003"> <a href="/versions/v13/techniques/T1585/003/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588"> <a href="/versions/v13/techniques/T1588/"> Obtain Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1588-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1588-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1588-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1588-body" aria-labelledby="enterprise-TA0042-T1588-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.001"> <a href="/versions/v13/techniques/T1588/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.002"> <a href="/versions/v13/techniques/T1588/002/"> Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.003"> <a href="/versions/v13/techniques/T1588/003/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.004"> <a href="/versions/v13/techniques/T1588/004/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.005"> <a href="/versions/v13/techniques/T1588/005/"> Exploits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.006"> <a href="/versions/v13/techniques/T1588/006/"> Vulnerabilities </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608"> <a 
href="/versions/v13/techniques/T1608/"> Stage Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1608-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1608-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1608-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1608-body" aria-labelledby="enterprise-TA0042-T1608-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.001"> <a href="/versions/v13/techniques/T1608/001/"> Upload Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.002"> <a href="/versions/v13/techniques/T1608/002/"> Upload Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.003"> <a href="/versions/v13/techniques/T1608/003/"> Install Digital Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.004"> <a href="/versions/v13/techniques/T1608/004/"> Drive-by Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.005"> <a href="/versions/v13/techniques/T1608/005/"> Link Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.006"> <a href="/versions/v13/techniques/T1608/006/"> SEO Poisoning </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001"> <a href="/versions/v13/tactics/TA0001"> Initial Access </a> <div class="expand-button collapsed" id="enterprise-TA0001-header" data-toggle="collapse" data-target="#enterprise-TA0001-body" aria-expanded="false" aria-controls="#enterprise-TA0001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-body" aria-labelledby="enterprise-TA0001-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1189"> <a 
class="sidenav-head " id="enterprise-TA0004-T1547-T1547.006"> <a href="/versions/v13/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.007"> <a href="/versions/v13/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.008"> <a href="/versions/v13/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.009"> <a href="/versions/v13/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.010"> <a href="/versions/v13/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.012"> <a href="/versions/v13/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.013"> <a href="/versions/v13/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.014"> <a href="/versions/v13/techniques/T1547/014/"> Active Setup </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.015"> <a href="/versions/v13/techniques/T1547/015/"> Login Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037"> <a href="/versions/v13/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1037-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0004-T1037-body" aria-labelledby="enterprise-TA0004-T1037-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.001"> <a href="/versions/v13/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.002"> <a href="/versions/v13/techniques/T1037/002/"> Login Hook </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.003"> <a href="/versions/v13/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.004"> <a href="/versions/v13/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.005"> <a href="/versions/v13/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543"> <a href="/versions/v13/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1543-body" aria-labelledby="enterprise-TA0004-T1543-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543-T1543.001"> <a href="/versions/v13/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543-T1543.002"> <a href="/versions/v13/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543-T1543.003"> <a href="/versions/v13/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0004-T1543-T1543.004"> <a href="/versions/v13/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484"> <a href="/versions/v13/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1484-body" aria-labelledby="enterprise-TA0004-T1484-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484-T1484.001"> <a href="/versions/v13/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484-T1484.002"> <a href="/versions/v13/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1611"> <a href="/versions/v13/techniques/T1611/"> Escape to Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546"> <a href="/versions/v13/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1546-body" aria-labelledby="enterprise-TA0004-T1546-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.001"> <a href="/versions/v13/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.002"> <a href="/versions/v13/techniques/T1546/002/"> 
Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.003"> <a href="/versions/v13/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.004"> <a href="/versions/v13/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.005"> <a href="/versions/v13/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.006"> <a href="/versions/v13/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.007"> <a href="/versions/v13/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.008"> <a href="/versions/v13/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.009"> <a href="/versions/v13/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.010"> <a href="/versions/v13/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.011"> <a href="/versions/v13/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.012"> <a href="/versions/v13/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.013"> <a href="/versions/v13/techniques/T1546/013/"> PowerShell Profile </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.014"> <a href="/versions/v13/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.015"> <a href="/versions/v13/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.016"> <a href="/versions/v13/techniques/T1546/016/"> Installer Packages </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1068"> <a href="/versions/v13/techniques/T1068/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574"> <a href="/versions/v13/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1574-body" aria-labelledby="enterprise-TA0004-T1574-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.001"> <a href="/versions/v13/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.002"> <a href="/versions/v13/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.004"> <a href="/versions/v13/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.005"> <a href="/versions/v13/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0004-T1574-T1574.006"> <a href="/versions/v13/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.007"> <a href="/versions/v13/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.008"> <a href="/versions/v13/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.009"> <a href="/versions/v13/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.010"> <a href="/versions/v13/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.011"> <a href="/versions/v13/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.012"> <a href="/versions/v13/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.013"> <a href="/versions/v13/techniques/T1574/013/"> KernelCallbackTable </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055"> <a href="/versions/v13/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1055-body" aria-labelledby="enterprise-TA0004-T1055-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0004-T1055-T1055.001"> <a href="/versions/v13/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.002"> <a href="/versions/v13/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.003"> <a href="/versions/v13/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.004"> <a href="/versions/v13/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.005"> <a href="/versions/v13/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.008"> <a href="/versions/v13/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.009"> <a href="/versions/v13/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.011"> <a href="/versions/v13/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.012"> <a href="/versions/v13/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.013"> <a href="/versions/v13/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.014"> <a href="/versions/v13/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.015"> 
<a href="/versions/v13/techniques/T1055/015/"> ListPlanting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053"> <a href="/versions/v13/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1053-body" aria-labelledby="enterprise-TA0004-T1053-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.002"> <a href="/versions/v13/techniques/T1053/002/"> At </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.003"> <a href="/versions/v13/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.005"> <a href="/versions/v13/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.006"> <a href="/versions/v13/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.007"> <a href="/versions/v13/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head active " id="enterprise-TA0004-T1078"> <a href="/versions/v13/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1078-body" aria-labelledby="enterprise-TA0004-T1078-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0004-T1078-T1078.001"> <a href="/versions/v13/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078-T1078.002"> <a href="/versions/v13/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078-T1078.003"> <a href="/versions/v13/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078-T1078.004"> <a href="/versions/v13/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005"> <a href="/versions/v13/tactics/TA0005"> Defense Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-header" data-toggle="collapse" data-target="#enterprise-TA0005-body" aria-expanded="false" aria-controls="#enterprise-TA0005-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-body" aria-labelledby="enterprise-TA0005-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548"> <a href="/versions/v13/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1548-body" aria-labelledby="enterprise-TA0005-T1548-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548-T1548.001"> <a href="/versions/v13/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548-T1548.002"> <a href="/versions/v13/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0005-T1548-T1548.003"> <a href="/versions/v13/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548-T1548.004"> <a href="/versions/v13/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134"> <a href="/versions/v13/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1134-body" aria-labelledby="enterprise-TA0005-T1134-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.001"> <a href="/versions/v13/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.002"> <a href="/versions/v13/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.003"> <a href="/versions/v13/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.004"> <a href="/versions/v13/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.005"> <a href="/versions/v13/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1197"> <a href="/versions/v13/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1612"> <a 
href="/versions/v13/techniques/T1612/"> Build Image on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1622"> <a href="/versions/v13/techniques/T1622/"> Debugger Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1140"> <a href="/versions/v13/techniques/T1140/"> Deobfuscate/Decode Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1610"> <a href="/versions/v13/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1006"> <a href="/versions/v13/techniques/T1006/"> Direct Volume Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484"> <a href="/versions/v13/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1484-body" aria-labelledby="enterprise-TA0005-T1484-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484-T1484.001"> <a href="/versions/v13/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484-T1484.002"> <a href="/versions/v13/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480"> <a href="/versions/v13/techniques/T1480/"> Execution Guardrails </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1480-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1480-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1480-body"></div> </div> <div 
class="sidenav-body collapse" id="enterprise-TA0005-T1480-body" aria-labelledby="enterprise-TA0005-T1480-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480-T1480.001"> <a href="/versions/v13/techniques/T1480/001/"> Environmental Keying </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1211"> <a href="/versions/v13/techniques/T1211/"> Exploitation for Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222"> <a href="/versions/v13/techniques/T1222/"> File and Directory Permissions Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1222-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1222-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1222-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1222-body" aria-labelledby="enterprise-TA0005-T1222-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222-T1222.001"> <a href="/versions/v13/techniques/T1222/001/"> Windows File and Directory Permissions Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222-T1222.002"> <a href="/versions/v13/techniques/T1222/002/"> Linux and Mac File and Directory Permissions Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564"> <a href="/versions/v13/techniques/T1564/"> Hide Artifacts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1564-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1564-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1564-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1564-body" aria-labelledby="enterprise-TA0005-T1564-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.001"> <a 
href="/versions/v13/techniques/T1564/001/"> Hidden Files and Directories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.002"> <a href="/versions/v13/techniques/T1564/002/"> Hidden Users </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.003"> <a href="/versions/v13/techniques/T1564/003/"> Hidden Window </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.004"> <a href="/versions/v13/techniques/T1564/004/"> NTFS File Attributes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.005"> <a href="/versions/v13/techniques/T1564/005/"> Hidden File System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.006"> <a href="/versions/v13/techniques/T1564/006/"> Run Virtual Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.007"> <a href="/versions/v13/techniques/T1564/007/"> VBA Stomping </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.008"> <a href="/versions/v13/techniques/T1564/008/"> Email Hiding Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.009"> <a href="/versions/v13/techniques/T1564/009/"> Resource Forking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.010"> <a href="/versions/v13/techniques/T1564/010/"> Process Argument Spoofing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574"> <a href="/versions/v13/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1574-body" aria-expanded="false" 
aria-controls="#enterprise-TA0005-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1574-body" aria-labelledby="enterprise-TA0005-T1574-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.001"> <a href="/versions/v13/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.002"> <a href="/versions/v13/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.004"> <a href="/versions/v13/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.005"> <a href="/versions/v13/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.006"> <a href="/versions/v13/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.007"> <a href="/versions/v13/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.008"> <a href="/versions/v13/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.009"> <a href="/versions/v13/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.010"> <a href="/versions/v13/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.011"> <a 
href="/versions/v13/techniques/T1003/002/"> Security Account Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.003"> <a href="/versions/v13/techniques/T1003/003/"> NTDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.004"> <a href="/versions/v13/techniques/T1003/004/"> LSA Secrets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.005"> <a href="/versions/v13/techniques/T1003/005/"> Cached Domain Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.006"> <a href="/versions/v13/techniques/T1003/006/"> DCSync </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.007"> <a href="/versions/v13/techniques/T1003/007/"> Proc Filesystem </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.008"> <a href="/versions/v13/techniques/T1003/008/"> /etc/passwd and /etc/shadow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1528"> <a href="/versions/v13/techniques/T1528/"> Steal Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1649"> <a href="/versions/v13/techniques/T1649/"> Steal or Forge Authentication Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558"> <a href="/versions/v13/techniques/T1558/"> Steal or Forge Kerberos Tickets </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1558-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1558-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1558-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1558-body" aria-labelledby="enterprise-TA0006-T1558-header"> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.001"> <a href="/versions/v13/techniques/T1558/001/"> Golden Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.002"> <a href="/versions/v13/techniques/T1558/002/"> Silver Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.003"> <a href="/versions/v13/techniques/T1558/003/"> Kerberoasting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.004"> <a href="/versions/v13/techniques/T1558/004/"> AS-REP Roasting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1539"> <a href="/versions/v13/techniques/T1539/"> Steal Web Session Cookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552"> <a href="/versions/v13/techniques/T1552/"> Unsecured Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1552-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1552-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1552-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1552-body" aria-labelledby="enterprise-TA0006-T1552-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.001"> <a href="/versions/v13/techniques/T1552/001/"> Credentials In Files </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.002"> <a href="/versions/v13/techniques/T1552/002/"> Credentials in Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.003"> <a href="/versions/v13/techniques/T1552/003/"> Bash History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.004"> <a 
href="/versions/v13/techniques/T1552/004/"> Private Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.005"> <a href="/versions/v13/techniques/T1552/005/"> Cloud Instance Metadata API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.006"> <a href="/versions/v13/techniques/T1552/006/"> Group Policy Preferences </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.007"> <a href="/versions/v13/techniques/T1552/007/"> Container API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.008"> <a href="/versions/v13/techniques/T1552/008/"> Chat Messages </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007"> <a href="/versions/v13/tactics/TA0007"> Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-header" data-toggle="collapse" data-target="#enterprise-TA0007-body" aria-expanded="false" aria-controls="#enterprise-TA0007-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-body" aria-labelledby="enterprise-TA0007-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087"> <a href="/versions/v13/techniques/T1087/"> Account Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1087-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1087-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1087-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1087-body" aria-labelledby="enterprise-TA0007-T1087-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.001"> <a href="/versions/v13/techniques/T1087/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.002"> <a 
href="/versions/v13/techniques/T1087/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.003"> <a href="/versions/v13/techniques/T1087/003/"> Email Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.004"> <a href="/versions/v13/techniques/T1087/004/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1010"> <a href="/versions/v13/techniques/T1010/"> Application Window Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1217"> <a href="/versions/v13/techniques/T1217/"> Browser Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1580"> <a href="/versions/v13/techniques/T1580/"> Cloud Infrastructure Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1538"> <a href="/versions/v13/techniques/T1538/"> Cloud Service Dashboard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1526"> <a href="/versions/v13/techniques/T1526/"> Cloud Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1619"> <a href="/versions/v13/techniques/T1619/"> Cloud Storage Object Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1613"> <a href="/versions/v13/techniques/T1613/"> Container and Resource Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1622"> <a href="/versions/v13/techniques/T1622/"> Debugger Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1652"> <a href="/versions/v13/techniques/T1652/"> Device Driver Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0007-T1482"> <a href="/versions/v13/techniques/T1482/"> Domain Trust Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1083"> <a href="/versions/v13/techniques/T1083/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1615"> <a href="/versions/v13/techniques/T1615/"> Group Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1046"> <a href="/versions/v13/techniques/T1046/"> Network Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1135"> <a href="/versions/v13/techniques/T1135/"> Network Share Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1040"> <a href="/versions/v13/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1201"> <a href="/versions/v13/techniques/T1201/"> Password Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1120"> <a href="/versions/v13/techniques/T1120/"> Peripheral Device Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069"> <a href="/versions/v13/techniques/T1069/"> Permission Groups Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1069-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1069-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1069-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1069-body" aria-labelledby="enterprise-TA0007-T1069-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069-T1069.001"> <a href="/versions/v13/techniques/T1069/001/"> Local Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0007-T1069-T1069.002"> <a href="/versions/v13/techniques/T1069/002/"> Domain Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069-T1069.003"> <a href="/versions/v13/techniques/T1069/003/"> Cloud Groups </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1057"> <a href="/versions/v13/techniques/T1057/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1012"> <a href="/versions/v13/techniques/T1012/"> Query Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1018"> <a href="/versions/v13/techniques/T1018/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518"> <a href="/versions/v13/techniques/T1518/"> Software Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1518-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1518-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1518-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1518-body" aria-labelledby="enterprise-TA0007-T1518-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518-T1518.001"> <a href="/versions/v13/techniques/T1518/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1082"> <a href="/versions/v13/techniques/T1082/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1614"> <a href="/versions/v13/techniques/T1614/"> System Location Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1614-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1614-body" aria-expanded="false" 
aria-controls="#enterprise-TA0007-T1614-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1614-body" aria-labelledby="enterprise-TA0007-T1614-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1614-T1614.001"> <a href="/versions/v13/techniques/T1614/001/"> System Language Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016"> <a href="/versions/v13/techniques/T1016/"> System Network Configuration Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1016-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1016-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1016-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1016-body" aria-labelledby="enterprise-TA0007-T1016-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016-T1016.001"> <a href="/versions/v13/techniques/T1016/001/"> Internet Connection Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1049"> <a href="/versions/v13/techniques/T1049/"> System Network Connections Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1033"> <a href="/versions/v13/techniques/T1033/"> System Owner/User Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1007"> <a href="/versions/v13/techniques/T1007/"> System Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1124"> <a href="/versions/v13/techniques/T1124/"> System Time Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497"> <a href="/versions/v13/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1497-header" 
data-toggle="collapse" data-target="#enterprise-TA0007-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1497-body" aria-labelledby="enterprise-TA0007-T1497-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497-T1497.001"> <a href="/versions/v13/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497-T1497.002"> <a href="/versions/v13/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497-T1497.003"> <a href="/versions/v13/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008"> <a href="/versions/v13/tactics/TA0008"> Lateral Movement </a> <div class="expand-button collapsed" id="enterprise-TA0008-header" data-toggle="collapse" data-target="#enterprise-TA0008-body" aria-expanded="false" aria-controls="#enterprise-TA0008-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-body" aria-labelledby="enterprise-TA0008-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1210"> <a href="/versions/v13/techniques/T1210/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1534"> <a href="/versions/v13/techniques/T1534/"> Internal Spearphishing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1570"> <a href="/versions/v13/techniques/T1570/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563"> <a href="/versions/v13/techniques/T1563/"> Remote Service Session Hijacking </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1563-header" 
data-toggle="collapse" data-target="#enterprise-TA0008-T1563-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1563-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1563-body" aria-labelledby="enterprise-TA0008-T1563-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563-T1563.001"> <a href="/versions/v13/techniques/T1563/001/"> SSH Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563-T1563.002"> <a href="/versions/v13/techniques/T1563/002/"> RDP Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021"> <a href="/versions/v13/techniques/T1021/"> Remote Services </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1021-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1021-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1021-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1021-body" aria-labelledby="enterprise-TA0008-T1021-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.001"> <a href="/versions/v13/techniques/T1021/001/"> Remote Desktop Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.002"> <a href="/versions/v13/techniques/T1021/002/"> SMB/Windows Admin Shares </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.003"> <a href="/versions/v13/techniques/T1021/003/"> Distributed Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.004"> <a href="/versions/v13/techniques/T1021/004/"> SSH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.005"> <a href="/versions/v13/techniques/T1021/005/"> VNC </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0008-T1021-T1021.006"> <a href="/versions/v13/techniques/T1021/006/"> Windows Remote Management </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.007"> <a href="/versions/v13/techniques/T1021/007/"> Cloud Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1091"> <a href="/versions/v13/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1072"> <a href="/versions/v13/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1080"> <a href="/versions/v13/techniques/T1080/"> Taint Shared Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550"> <a href="/versions/v13/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1550-body" aria-labelledby="enterprise-TA0008-T1550-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.001"> <a href="/versions/v13/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.002"> <a href="/versions/v13/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.003"> <a href="/versions/v13/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.004"> <a 
href="/versions/v13/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009"> <a href="/versions/v13/tactics/TA0009"> Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-header" data-toggle="collapse" data-target="#enterprise-TA0009-body" aria-expanded="false" aria-controls="#enterprise-TA0009-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-body" aria-labelledby="enterprise-TA0009-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557"> <a href="/versions/v13/techniques/T1557/"> Adversary-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1557-body" aria-labelledby="enterprise-TA0009-T1557-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557-T1557.001"> <a href="/versions/v13/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557-T1557.002"> <a href="/versions/v13/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557-T1557.003"> <a href="/versions/v13/techniques/T1557/003/"> DHCP Spoofing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560"> <a href="/versions/v13/techniques/T1560/"> Archive Collected Data </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1560-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1560-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1560-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0009-T1560-body" aria-labelledby="enterprise-TA0009-T1560-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560-T1560.001"> <a href="/versions/v13/techniques/T1560/001/"> Archive via Utility </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560-T1560.002"> <a href="/versions/v13/techniques/T1560/002/"> Archive via Library </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560-T1560.003"> <a href="/versions/v13/techniques/T1560/003/"> Archive via Custom Method </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1123"> <a href="/versions/v13/techniques/T1123/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1119"> <a href="/versions/v13/techniques/T1119/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1185"> <a href="/versions/v13/techniques/T1185/"> Browser Session Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1115"> <a href="/versions/v13/techniques/T1115/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1530"> <a href="/versions/v13/techniques/T1530/"> Data from Cloud Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602"> <a href="/versions/v13/techniques/T1602/"> Data from Configuration Repository </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1602-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1602-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1602-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1602-body" aria-labelledby="enterprise-TA0009-T1602-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0009-T1602-T1602.001"> <a href="/versions/v13/techniques/T1602/001/"> SNMP (MIB Dump) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602-T1602.002"> <a href="/versions/v13/techniques/T1602/002/"> Network Device Configuration Dump </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213"> <a href="/versions/v13/techniques/T1213/"> Data from Information Repositories </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1213-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1213-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1213-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1213-body" aria-labelledby="enterprise-TA0009-T1213-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213-T1213.001"> <a href="/versions/v13/techniques/T1213/001/"> Confluence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213-T1213.002"> <a href="/versions/v13/techniques/T1213/002/"> Sharepoint </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213-T1213.003"> <a href="/versions/v13/techniques/T1213/003/"> Code Repositories </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1005"> <a href="/versions/v13/techniques/T1005/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1039"> <a href="/versions/v13/techniques/T1039/"> Data from Network Shared Drive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1025"> <a href="/versions/v13/techniques/T1025/"> Data from Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074"> <a href="/versions/v13/techniques/T1074/"> Data Staged </a> <div 
href="/versions/v13/techniques/T1634/"> Credentials from Password Store </a> <div class="expand-button collapsed" id="mobile-TA0031-T1634-header" data-toggle="collapse" data-target="#mobile-TA0031-T1634-body" aria-expanded="false" aria-controls="#mobile-TA0031-T1634-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-T1634-body" aria-labelledby="mobile-TA0031-T1634-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1634-T1634.001"> <a href="/versions/v13/techniques/T1634/001/"> Keychain </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1417"> <a href="/versions/v13/techniques/T1417/"> Input Capture </a> <div class="expand-button collapsed" id="mobile-TA0031-T1417-header" data-toggle="collapse" data-target="#mobile-TA0031-T1417-body" aria-expanded="false" aria-controls="#mobile-TA0031-T1417-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-T1417-body" aria-labelledby="mobile-TA0031-T1417-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1417-T1417.001"> <a href="/versions/v13/techniques/T1417/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1417-T1417.002"> <a href="/versions/v13/techniques/T1417/002/"> GUI Input Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1635"> <a href="/versions/v13/techniques/T1635/"> Steal Application Access Token </a> <div class="expand-button collapsed" id="mobile-TA0031-T1635-header" data-toggle="collapse" data-target="#mobile-TA0031-T1635-body" aria-expanded="false" aria-controls="#mobile-TA0031-T1635-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-T1635-body" aria-labelledby="mobile-TA0031-T1635-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1635-T1635.001"> <a href="/versions/v13/techniques/T1635/001/"> URI Hijacking 
</a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032"> <a href="/versions/v13/tactics/TA0032"> Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-header" data-toggle="collapse" data-target="#mobile-TA0032-body" aria-expanded="false" aria-controls="#mobile-TA0032-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-body" aria-labelledby="mobile-TA0032-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1420"> <a href="/versions/v13/techniques/T1420/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1430"> <a href="/versions/v13/techniques/T1430/"> Location Tracking </a> <div class="expand-button collapsed" id="mobile-TA0032-T1430-header" data-toggle="collapse" data-target="#mobile-TA0032-T1430-body" aria-expanded="false" aria-controls="#mobile-TA0032-T1430-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-T1430-body" aria-labelledby="mobile-TA0032-T1430-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1430-T1430.001"> <a href="/versions/v13/techniques/T1430/001/"> Remote Device Management Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1430-T1430.002"> <a href="/versions/v13/techniques/T1430/002/"> Impersonate SS7 Nodes </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1423"> <a href="/versions/v13/techniques/T1423/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1424"> <a href="/versions/v13/techniques/T1424/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1418"> <a href="/versions/v13/techniques/T1418/"> Software Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-T1418-header" 
data-toggle="collapse" data-target="#mobile-TA0032-T1418-body" aria-expanded="false" aria-controls="#mobile-TA0032-T1418-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-T1418-body" aria-labelledby="mobile-TA0032-T1418-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1418-T1418.001"> <a href="/versions/v13/techniques/T1418/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1426"> <a href="/versions/v13/techniques/T1426/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1422"> <a href="/versions/v13/techniques/T1422/"> System Network Configuration Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1421"> <a href="/versions/v13/techniques/T1421/"> System Network Connections Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033"> <a href="/versions/v13/tactics/TA0033"> Lateral Movement </a> <div class="expand-button collapsed" id="mobile-TA0033-header" data-toggle="collapse" data-target="#mobile-TA0033-body" aria-expanded="false" aria-controls="#mobile-TA0033-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0033-body" aria-labelledby="mobile-TA0033-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033-T1428"> <a href="/versions/v13/techniques/T1428/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033-T1458"> <a href="/versions/v13/techniques/T1458/"> Replication Through Removable Media </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035"> <a href="/versions/v13/tactics/TA0035"> Collection </a> <div class="expand-button collapsed" id="mobile-TA0035-header" data-toggle="collapse" data-target="#mobile-TA0035-body" 
aria-expanded="false" aria-controls="#mobile-TA0035-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-body" aria-labelledby="mobile-TA0035-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1517"> <a href="/versions/v13/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1638"> <a href="/versions/v13/techniques/T1638/"> Adversary-in-the-Middle </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1532"> <a href="/versions/v13/techniques/T1532/"> Archive Collected Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1429"> <a href="/versions/v13/techniques/T1429/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1616"> <a href="/versions/v13/techniques/T1616/"> Call Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1414"> <a href="/versions/v13/techniques/T1414/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1533"> <a href="/versions/v13/techniques/T1533/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1417"> <a href="/versions/v13/techniques/T1417/"> Input Capture </a> <div class="expand-button collapsed" id="mobile-TA0035-T1417-header" data-toggle="collapse" data-target="#mobile-TA0035-T1417-body" aria-expanded="false" aria-controls="#mobile-TA0035-T1417-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-T1417-body" aria-labelledby="mobile-TA0035-T1417-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1417-T1417.001"> <a href="/versions/v13/techniques/T1417/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1417-T1417.002"> <a 
href="/versions/v13/techniques/T1417/002/"> GUI Input Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1430"> <a href="/versions/v13/techniques/T1430/"> Location Tracking </a> <div class="expand-button collapsed" id="mobile-TA0035-T1430-header" data-toggle="collapse" data-target="#mobile-TA0035-T1430-body" aria-expanded="false" aria-controls="#mobile-TA0035-T1430-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-T1430-body" aria-labelledby="mobile-TA0035-T1430-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1430-T1430.001"> <a href="/versions/v13/techniques/T1430/001/"> Remote Device Management Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1430-T1430.002"> <a href="/versions/v13/techniques/T1430/002/"> Impersonate SS7 Nodes </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636"> <a href="/versions/v13/techniques/T1636/"> Protected User Data </a> <div class="expand-button collapsed" id="mobile-TA0035-T1636-header" data-toggle="collapse" data-target="#mobile-TA0035-T1636-body" aria-expanded="false" aria-controls="#mobile-TA0035-T1636-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-T1636-body" aria-labelledby="mobile-TA0035-T1636-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.001"> <a href="/versions/v13/techniques/T1636/001/"> Calendar Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.002"> <a href="/versions/v13/techniques/T1636/002/"> Call Log </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.003"> <a href="/versions/v13/techniques/T1636/003/"> Contact List </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.004"> <a 
href="/versions/v13/techniques/T1636/004/"> SMS Messages </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1513"> <a href="/versions/v13/techniques/T1513/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1409"> <a href="/versions/v13/techniques/T1409/"> Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1512"> <a href="/versions/v13/techniques/T1512/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037"> <a href="/versions/v13/tactics/TA0037"> Command and Control </a> <div class="expand-button collapsed" id="mobile-TA0037-header" data-toggle="collapse" data-target="#mobile-TA0037-body" aria-expanded="false" aria-controls="#mobile-TA0037-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-body" aria-labelledby="mobile-TA0037-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1437"> <a href="/versions/v13/techniques/T1437/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="mobile-TA0037-T1437-header" data-toggle="collapse" data-target="#mobile-TA0037-T1437-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1437-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1437-body" aria-labelledby="mobile-TA0037-T1437-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1437-T1437.001"> <a href="/versions/v13/techniques/T1437/001/"> Web Protocols </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1616"> <a href="/versions/v13/techniques/T1616/"> Call Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1637"> <a href="/versions/v13/techniques/T1637/"> Dynamic Resolution </a> <div class="expand-button collapsed" 
id="mobile-TA0037-T1637-header" data-toggle="collapse" data-target="#mobile-TA0037-T1637-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1637-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1637-body" aria-labelledby="mobile-TA0037-T1637-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1637-T1637.001"> <a href="/versions/v13/techniques/T1637/001/"> Domain Generation Algorithms </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1521"> <a href="/versions/v13/techniques/T1521/"> Encrypted Channel </a> <div class="expand-button collapsed" id="mobile-TA0037-T1521-header" data-toggle="collapse" data-target="#mobile-TA0037-T1521-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1521-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1521-body" aria-labelledby="mobile-TA0037-T1521-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1521-T1521.001"> <a href="/versions/v13/techniques/T1521/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1521-T1521.002"> <a href="/versions/v13/techniques/T1521/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1544"> <a href="/versions/v13/techniques/T1544/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1509"> <a href="/versions/v13/techniques/T1509/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1644"> <a href="/versions/v13/techniques/T1644/"> Out of Band Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481"> <a href="/versions/v13/techniques/T1481/"> Web Service </a> <div class="expand-button collapsed" id="mobile-TA0037-T1481-header" data-toggle="collapse" 
data-target="#mobile-TA0037-T1481-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1481-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1481-body" aria-labelledby="mobile-TA0037-T1481-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481-T1481.001"> <a href="/versions/v13/techniques/T1481/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481-T1481.002"> <a href="/versions/v13/techniques/T1481/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481-T1481.003"> <a href="/versions/v13/techniques/T1481/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036"> <a href="/versions/v13/tactics/TA0036"> Exfiltration </a> <div class="expand-button collapsed" id="mobile-TA0036-header" data-toggle="collapse" data-target="#mobile-TA0036-body" aria-expanded="false" aria-controls="#mobile-TA0036-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-body" aria-labelledby="mobile-TA0036-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036-T1639"> <a href="/versions/v13/techniques/T1639/"> Exfiltration Over Alternative Protocol </a> <div class="expand-button collapsed" id="mobile-TA0036-T1639-header" data-toggle="collapse" data-target="#mobile-TA0036-T1639-body" aria-expanded="false" aria-controls="#mobile-TA0036-T1639-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-T1639-body" aria-labelledby="mobile-TA0036-T1639-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036-T1639-T1639.001"> <a href="/versions/v13/techniques/T1639/001/"> Exfiltration Over Unencrypted Non-C2 Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036-T1646"> <a 
href="/versions/v13/techniques/T1646/"> Exfiltration Over C2 Channel </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034"> <a href="/versions/v13/tactics/TA0034"> Impact </a> <div class="expand-button collapsed" id="mobile-TA0034-header" data-toggle="collapse" data-target="#mobile-TA0034-body" aria-expanded="false" aria-controls="#mobile-TA0034-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-body" aria-labelledby="mobile-TA0034-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1640"> <a href="/versions/v13/techniques/T1640/"> Account Access Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1616"> <a href="/versions/v13/techniques/T1616/"> Call Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1471"> <a href="/versions/v13/techniques/T1471/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1641"> <a href="/versions/v13/techniques/T1641/"> Data Manipulation </a> <div class="expand-button collapsed" id="mobile-TA0034-T1641-header" data-toggle="collapse" data-target="#mobile-TA0034-T1641-body" aria-expanded="false" aria-controls="#mobile-TA0034-T1641-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-T1641-body" aria-labelledby="mobile-TA0034-T1641-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1641-T1641.001"> <a href="/versions/v13/techniques/T1641/001/"> Transmitted Data Manipulation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1642"> <a href="/versions/v13/techniques/T1642/"> Endpoint Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1643"> <a href="/versions/v13/techniques/T1643/"> Generate Traffic from Victim </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head " id="mobile-TA0034-T1516"> <a href="/versions/v13/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1464"> <a href="/versions/v13/techniques/T1464/"> Network Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1582"> <a href="/versions/v13/techniques/T1582/"> SMS Control </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics"> <a href="/versions/v13/techniques/ics/"> ICS </a> <div class="expand-button collapsed" id="ics-header" data-toggle="collapse" data-target="#ics-body" aria-expanded="false" aria-controls="#ics-body"></div> </div> <div class="sidenav-body collapse" id="ics-body" aria-labelledby="ics-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108"> <a href="/versions/v13/tactics/TA0108"> Initial Access </a> <div class="expand-button collapsed" id="ics-TA0108-header" data-toggle="collapse" data-target="#ics-TA0108-body" aria-expanded="false" aria-controls="#ics-TA0108-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0108-body" aria-labelledby="ics-TA0108-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0817"> <a href="/versions/v13/techniques/T0817/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0819"> <a href="/versions/v13/techniques/T0819/"> Exploit Public-Facing Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0866"> <a href="/versions/v13/techniques/T0866/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0822"> <a href="/versions/v13/techniques/T0822/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0883"> <a href="/versions/v13/techniques/T0883/"> Internet 
Accessible Device </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0886"> <a href="/versions/v13/techniques/T0886/"> Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0847"> <a href="/versions/v13/techniques/T0847/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0848"> <a href="/versions/v13/techniques/T0848/"> Rogue Master </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0865"> <a href="/versions/v13/techniques/T0865/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0862"> <a href="/versions/v13/techniques/T0862/"> Supply Chain Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0864"> <a href="/versions/v13/techniques/T0864/"> Transient Cyber Asset </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0860"> <a href="/versions/v13/techniques/T0860/"> Wireless Compromise </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104"> <a href="/versions/v13/tactics/TA0104"> Execution </a> <div class="expand-button collapsed" id="ics-TA0104-header" data-toggle="collapse" data-target="#ics-TA0104-body" aria-expanded="false" aria-controls="#ics-TA0104-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0104-body" aria-labelledby="ics-TA0104-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0858"> <a href="/versions/v13/techniques/T0858/"> Change Operating Mode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0807"> <a href="/versions/v13/techniques/T0807/"> Command-Line Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0871"> <a href="/versions/v13/techniques/T0871/"> Execution through API </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0823"> <a href="/versions/v13/techniques/T0823/"> Graphical User Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0874"> <a href="/versions/v13/techniques/T0874/"> Hooking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0821"> <a href="/versions/v13/techniques/T0821/"> Modify Controller Tasking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0834"> <a href="/versions/v13/techniques/T0834/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0853"> <a href="/versions/v13/techniques/T0853/"> Scripting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0863"> <a href="/versions/v13/techniques/T0863/"> User Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110"> <a href="/versions/v13/tactics/TA0110"> Persistence </a> <div class="expand-button collapsed" id="ics-TA0110-header" data-toggle="collapse" data-target="#ics-TA0110-body" aria-expanded="false" aria-controls="#ics-TA0110-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0110-body" aria-labelledby="ics-TA0110-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0891"> <a href="/versions/v13/techniques/T0891/"> Hardcoded Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0889"> <a href="/versions/v13/techniques/T0889/"> Modify Program </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0839"> <a href="/versions/v13/techniques/T0839/"> Module Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0873"> <a href="/versions/v13/techniques/T0873/"> Project File Infection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="ics-TA0110-T0857"> <a href="/versions/v13/techniques/T0857/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0859"> <a href="/versions/v13/techniques/T0859/"> Valid Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0111"> <a href="/versions/v13/tactics/TA0111"> Privilege Escalation </a> <div class="expand-button collapsed" id="ics-TA0111-header" data-toggle="collapse" data-target="#ics-TA0111-body" aria-expanded="false" aria-controls="#ics-TA0111-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0111-body" aria-labelledby="ics-TA0111-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0111-T0890"> <a href="/versions/v13/techniques/T0890/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0111-T0874"> <a href="/versions/v13/techniques/T0874/"> Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103"> <a href="/versions/v13/tactics/TA0103"> Evasion </a> <div class="expand-button collapsed" id="ics-TA0103-header" data-toggle="collapse" data-target="#ics-TA0103-body" aria-expanded="false" aria-controls="#ics-TA0103-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0103-body" aria-labelledby="ics-TA0103-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0858"> <a href="/versions/v13/techniques/T0858/"> Change Operating Mode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0820"> <a href="/versions/v13/techniques/T0820/"> Exploitation for Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0872"> <a href="/versions/v13/techniques/T0872/"> Indicator Removal on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0849"> <a href="/versions/v13/techniques/T0849/"> Masquerading 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0851"> <a href="/versions/v13/techniques/T0851/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0856"> <a href="/versions/v13/techniques/T0856/"> Spoof Reporting Message </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102"> <a href="/versions/v13/tactics/TA0102"> Discovery </a> <div class="expand-button collapsed" id="ics-TA0102-header" data-toggle="collapse" data-target="#ics-TA0102-body" aria-expanded="false" aria-controls="#ics-TA0102-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0102-body" aria-labelledby="ics-TA0102-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0840"> <a href="/versions/v13/techniques/T0840/"> Network Connection Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0842"> <a href="/versions/v13/techniques/T0842/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0846"> <a href="/versions/v13/techniques/T0846/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0888"> <a href="/versions/v13/techniques/T0888/"> Remote System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0887"> <a href="/versions/v13/techniques/T0887/"> Wireless Sniffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0109"> <a href="/versions/v13/tactics/TA0109"> Lateral Movement </a> <div class="expand-button collapsed" id="ics-TA0109-header" data-toggle="collapse" data-target="#ics-TA0109-body" aria-expanded="false" aria-controls="#ics-TA0109-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0109-body" aria-labelledby="ics-TA0109-header"> <div class="sidenav"> <div class="sidenav-head " 
id="ics-TA0109-T0812"> <a href="/versions/v13/techniques/T0812/"> Default Credentials </a> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 col-lg-9 col-md-8 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Valid Accounts </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Sub-techniques (4)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v13/techniques/T1078/001/" class="subtechnique-table-item" data-subtechnique_id="T1078.001"> T1078.001 </a> </td> <td> <a href="/versions/v13/techniques/T1078/001/" class="subtechnique-table-item" data-subtechnique_id="T1078.001"> Default Accounts </a> </td> </tr> <tr> <td> <a href="/versions/v13/techniques/T1078/002/" class="subtechnique-table-item" data-subtechnique_id="T1078.002"> T1078.002 </a> 
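</td>
<td> <a href="/versions/v13/techniques/T1078/002/" class="subtechnique-table-item" data-subtechnique_id="T1078.002"> Domain Accounts </a> </td>
</tr>
<tr>
  <td> <a href="/versions/v13/techniques/T1078/003/" class="subtechnique-table-item" data-subtechnique_id="T1078.003"> T1078.003 </a> </td>
  <td> <a href="/versions/v13/techniques/T1078/003/" class="subtechnique-table-item" data-subtechnique_id="T1078.003"> Local Accounts </a> </td>
</tr>
<tr>
  <td> <a href="/versions/v13/techniques/T1078/004/" class="subtechnique-table-item" data-subtechnique_id="T1078.004"> T1078.004 </a> </td>
  <td> <a href="/versions/v13/techniques/T1078/004/" class="subtechnique-table-item" data-subtechnique_id="T1078.004"> Cloud Accounts </a> </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<!--start-indexing-for-search-->
<div class="description-body">
  <!-- Technique description for T1078. Each numbered citation links to a third-party site and opens in a new tab,
       so the links carry rel="noopener noreferrer": the opened page gets no window.opener handle to this page and
       no Referer header. The onclick values are quoted; scrollToRef is defined outside this part of the page. -->
  <p>Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" data-reference="volexity_0day_sophos_FW"><sup><a href="https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/" target="_blank" rel="noopener noreferrer" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.</p>
  <p>In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" data-reference="CISA MFA PrintNightmare"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" target="_blank" rel="noopener noreferrer" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p>
  <p>The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.<span onclick="scrollToRef('scite-3')" id="scite-ref-3-a" class="scite-citeref-number" data-reference="TechNet Credential Theft"><sup><a href="https://technet.microsoft.com/en-us/library/dn535501.aspx" target="_blank" rel="noopener noreferrer" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p>
</div>
</div>
<div class="col-md-4">
  <!-- Technique metadata card: ID, sub-techniques, tactics, platforms, permissions, defenses bypassed,
       contributors, version and dates. -->
  <div class="card">
    <div class="card-body">
      <div class="row card-data" id="card-id">
        <div class="col-md-1 px-0 text-center"></div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1078 </div>
      </div>
      <!--stop-indexing-for-search-->
      <div class="row card-data">
        <div class="col-md-1 px-0 text-center"></div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques: </span> <a href="/versions/v13/techniques/T1078/001">T1078.001</a>, <a href="/versions/v13/techniques/T1078/002">T1078.002</a>, <a href="/versions/v13/techniques/T1078/003">T1078.003</a>, <a href="/versions/v13/techniques/T1078/004">T1078.004</a> </div>
      </div>
      <!--start-indexing-for-search-->
      <div id="card-tactics" class="row card-data">
        <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/versions/v13/tactics/TA0005">Defense Evasion</a>, <a href="/versions/v13/tactics/TA0003">Persistence</a>, <a href="/versions/v13/tactics/TA0004">Privilege Escalation</a>, <a href="/versions/v13/tactics/TA0001">Initial Access</a> </div>
      </div>
      <div class="row card-data">
        <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Azure AD, Containers, Google Workspace, IaaS, Linux, Network, Office 365, SaaS, Windows, macOS </div>
      </div>
      <div class="row card-data">
        <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The lowest level of permissions the adversary is required to be operating within to perform the (sub-)technique on a system">ⓘ</span> </div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Permissions Required: </span>Administrator, User </div>
      </div>
      <div class="row card-data">
        <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The level of permissions the adversary will attain by performing the (sub-)technique">ⓘ</span> </div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Effective Permissions: </span>Administrator, User </div>
      </div>
      <div class="row card-data">
        <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can be used to bypass or evade a particular defensive tool, methodology, or process">ⓘ</span> </div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Defense Bypassed: </span>Anti-virus, Application Control, Firewall, Host Intrusion Prevention Systems, Network Intrusion Detection System, System Access Controls </div>
      </div>
      <div class="row card-data">
        <div class="col-md-1 px-0 text-center"></div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Goldstein Menachem; Jon Sternstein, Stern Security; Mark Wee; Netskope; Praetorian; Prasad Somasamudram, McAfee; Sekhar Sarukkai, McAfee; Syed Ummar Farooqh, McAfee; Yossi Weizman, Azure Defender Research Team </div>
      </div>
      <div class="row card-data">
        <div class="col-md-1 px-0 text-center"></div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>2.6 </div>
      </div>
      <div class="row card-data">
        <div class="col-md-1 px-0 text-center"></div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>31 May 2017 </div>
      </div>
      <div class="row card-data">
        <div class="col-md-1 px-0 text-center"></div>
        <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>30 March 2023 </div>
      </div>
    </div>
  </div>
  <div class="text-center pt-2 version-button permalink">
    <div class="live">
      <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1078" href="/versions/v13/techniques/T1078/" data-test-ignore="true">Version Permalink</a>
    </div>
    <div class="permalink">
      <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1078" href="/techniques/T1078/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py-->
    </div>
  </div>
</div>
</div>
<h2 class="pt-3" id 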
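="examples">Procedure Examples</h2>
<!-- Procedure examples: each row links a group (/groups/G…) or software (/software/S…) entry and summarises its
     reported use of valid accounts, followed by numbered citations. The citation links point to third-party
     sites and open in a new tab, so each carries rel="noopener noreferrer": the opened page gets no
     window.opener handle to this page and no Referer header. The onclick values are quoted; scrollToRef is
     defined outside this part of the page. -->
<table class="table table-bordered table-alternate mt-2">
  <thead>
    <tr>
      <th scope="col">ID</th>
      <th scope="col">Name</th>
      <th scope="col">Description</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td> <a href="/versions/v13/groups/G0026"> G0026 </a> </td>
      <td> <a href="/versions/v13/groups/G0026"> APT18 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0026">APT18</a> actors leverage legitimate credentials to log into external remote services.<span onclick="scrollToRef('scite-4')" id="scite-ref-4-a" class="scite-citeref-number" data-reference="RSA2017 Detect and Respond Adair"><sup><a href="https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/5009/HTA-F02-Detecting-and-Responding-to-Advanced-Threats-within-Exchange-Environments.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0007"> G0007 </a> </td>
      <td> <a href="/versions/v13/groups/G0007"> APT28 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0007">APT28</a> has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.<span onclick="scrollToRef('scite-5')" id="scite-ref-5-a" class="scite-citeref-number" data-reference="Trend Micro Pawn Storm April 2017"><sup><a href="https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick="scrollToRef('scite-6')" id="scite-ref-6-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" rel="noopener noreferrer" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick="scrollToRef('scite-7')" id="scite-ref-7-a" class="scite-citeref-number" data-reference="Microsoft STRONTIUM Aug 2019"><sup><a href="https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" target="_blank" rel="noopener noreferrer" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick="scrollToRef('scite-8')" id="scite-ref-8-a" class="scite-citeref-number" data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" rel="noopener noreferrer" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0016"> G0016 </a> </td>
      <td> <a href="/versions/v13/groups/G0016"> APT29 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0016">APT29</a> has used a compromised account to access an organization's VPN infrastructure.<span onclick="scrollToRef('scite-9')" id="scite-ref-9-a" class="scite-citeref-number" data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" rel="noopener noreferrer" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0064"> G0064 </a> </td>
      <td> <a href="/versions/v13/groups/G0064"> APT33 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0064">APT33</a> has used valid accounts for initial access and privilege escalation.<span onclick="scrollToRef('scite-10')" id="scite-ref-10-a" class="scite-citeref-number" data-reference="FireEye APT33 Webinar Sept 2017"><sup><a href="https://www.brighttalk.com/webcast/10703/275683" target="_blank" rel="noopener noreferrer" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick="scrollToRef('scite-11')" id="scite-ref-11-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" rel="noopener noreferrer" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0087"> G0087 </a> </td>
      <td> <a href="/versions/v13/groups/G0087"> APT39 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0087">APT39</a> has used stolen credentials to compromise Outlook Web Access (OWA).<span onclick="scrollToRef('scite-12')" id="scite-ref-12-a" class="scite-citeref-number" data-reference="FireEye APT39 Jan 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank" rel="noopener noreferrer" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0096"> G0096 </a> </td>
      <td> <a href="/versions/v13/groups/G0096"> APT41 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0096">APT41</a> used compromised credentials to log on to other systems.<span onclick="scrollToRef('scite-13')" id="scite-ref-13-a" class="scite-citeref-number" data-reference="FireEye APT41 Aug 2019"><sup><a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick="scrollToRef('scite-14')" id="scite-ref-14-a" class="scite-citeref-number" data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0001"> G0001 </a> </td>
      <td> <a href="/versions/v13/groups/G0001"> Axiom </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0001">Axiom</a> has used previously compromised administrative accounts to escalate privileges.<span onclick="scrollToRef('scite-15')" id="scite-ref-15-a" class="scite-citeref-number" data-reference="Novetta-Axiom"><sup><a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0008"> G0008 </a> </td>
      <td> <a href="/versions/v13/groups/G0008"> Carbanak </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0008">Carbanak</a> actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars.<span onclick="scrollToRef('scite-16')" id="scite-ref-16-a" class="scite-citeref-number" data-reference="Kaspersky Carbanak"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0114"> G0114 </a> </td>
      <td> <a href="/versions/v13/groups/G0114"> Chimera </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0114">Chimera</a> has used a valid account to maintain persistence via scheduled task.<span onclick="scrollToRef('scite-17')" id="scite-ref-17-a" class="scite-citeref-number" data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0035"> G0035 </a> </td>
      <td> <a href="/versions/v13/groups/G0035"> Dragonfly </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0035">Dragonfly</a> has compromised user credentials and used valid accounts for operations.<span onclick="scrollToRef('scite-18')" id="scite-ref-18-a" class="scite-citeref-number" data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" rel="noopener noreferrer" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick="scrollToRef('scite-19')" id="scite-ref-19-a" class="scite-citeref-number" data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick="scrollToRef('scite-20')" id="scite-ref-20-a" class="scite-citeref-number" data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" rel="noopener noreferrer" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/software/S0567"> S0567 </a> </td>
      <td> <a href="/versions/v13/software/S0567"> Dtrack </a> </td>
      <td>
        <p><a href="/versions/v13/software/S0567">Dtrack</a> used hard-coded credentials to gain access to a network share.<span onclick="scrollToRef('scite-21')" id="scite-ref-21-a" class="scite-citeref-number" data-reference="CyberBit Dtrack"><sup><a href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank" rel="noopener noreferrer" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/software/S0038"> S0038 </a> </td>
      <td> <a href="/versions/v13/software/S0038"> Duqu </a> </td>
      <td>
        <p>Adversaries can instruct <a href="/versions/v13/software/S0038">Duqu</a> to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.<span onclick="scrollToRef('scite-22')" id="scite-ref-22-a" class="scite-citeref-number" data-reference="Symantec W32.Duqu"><sup><a href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0051"> G0051 </a> </td>
      <td> <a href="/versions/v13/groups/G0051"> FIN10 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0051">FIN10</a> has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.<span onclick="scrollToRef('scite-23')" id="scite-ref-23-a" class="scite-citeref-number" data-reference="FireEye FIN10 June 2017"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0085"> G0085 </a> </td>
      <td> <a href="/versions/v13/groups/G0085"> FIN4 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0085">FIN4</a> has used legitimate credentials to hijack email communications.<span onclick="scrollToRef('scite-24')" id="scite-ref-24-a" class="scite-citeref-number" data-reference="FireEye Hacking FIN4 Dec 2014"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick="scrollToRef('scite-25')" id="scite-ref-25-a" class="scite-citeref-number" data-reference="FireEye Hacking FIN4 Video Dec 2014"><sup><a href="https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" target="_blank" rel="noopener noreferrer" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0053"> G0053 </a> </td>
      <td> <a href="/versions/v13/groups/G0053"> FIN5 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0053">FIN5</a> has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.<span onclick="scrollToRef('scite-26')" id="scite-ref-26-a" class="scite-citeref-number" data-reference="FireEye Respond Webinar July 2017"><sup><a href="https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html" target="_blank" rel="noopener noreferrer" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick="scrollToRef('scite-27')" id="scite-ref-27-a" class="scite-citeref-number" data-reference="DarkReading FireEye FIN5 Oct 2015"><sup><a href="https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?" target="_blank" rel="noopener noreferrer" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick="scrollToRef('scite-28')" id="scite-ref-28-a" class="scite-citeref-number" data-reference="Mandiant FIN5 GrrCON Oct 2016"><sup><a href="https://www.youtube.com/watch?v=fevGZs0EQu8" target="_blank" rel="noopener noreferrer" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0037"> G0037 </a> </td>
      <td> <a href="/versions/v13/groups/G0037"> FIN6 </a> </td>
      <td>
        <p>To move laterally on a victim network, <a href="/versions/v13/groups/G0037">FIN6</a> has used credentials stolen from various systems on which it gathered usernames and password hashes.<span onclick="scrollToRef('scite-29')" id="scite-ref-29-a" class="scite-citeref-number" data-reference="FireEye FIN6 April 2016"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span><span onclick="scrollToRef('scite-30')" id="scite-ref-30-a" class="scite-citeref-number" data-reference="FireEye FIN6 Apr 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" target="_blank" rel="noopener noreferrer" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick="scrollToRef('scite-31')" id="scite-ref-31-a" class="scite-citeref-number" data-reference="Visa FIN6 Feb 2019"><sup><a href="https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0046"> G0046 </a> </td>
      <td> <a href="/versions/v13/groups/G0046"> FIN7 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0046">FIN7</a> has harvested valid administrative credentials for lateral movement.<span onclick="scrollToRef('scite-32')" id="scite-ref-32-a" class="scite-citeref-number" data-reference="CrowdStrike Carbon Spider August 2021"><sup><a href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank" rel="noopener noreferrer" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0061"> G0061 </a> </td>
      <td> <a href="/versions/v13/groups/G0061"> FIN8 </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0061">FIN8</a> has used valid accounts for persistence and lateral movement.<span onclick="scrollToRef('scite-33')" id="scite-ref-33-a" class="scite-citeref-number" data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" rel="noopener noreferrer" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0117"> G0117 </a> </td>
      <td> <a href="/versions/v13/groups/G0117"> Fox Kitten </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0117">Fox Kitten</a> has used valid credentials with various services during lateral movement.<span onclick="scrollToRef('scite-34')" id="scite-ref-34-a" class="scite-citeref-number" data-reference="CISA AA20-259A Iran-Based Actor September 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" rel="noopener noreferrer" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p>
      </td>
    </tr>
    <tr>
      <td> <a href="/versions/v13/groups/G0093"> G0093 </a> </td>
      <td> <a href="/versions/v13/groups/G0093"> GALLIUM </a> </td>
      <td>
        <p><a href="/versions/v13/groups/G0093">GALLIUM</a> leveraged valid accounts to maintain access to a victim network.<span onclick="scrollToRef('scite-35')" id="scite-ref-35-a" class="scite-citeref-number" data-reference="Cybereason Soft Cell June 2019"><sup><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" rel="noopener noreferrer" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p>
      </td>
    </tr>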
<tr> <td> <a href="/versions/v13/software/S0604"> S0604 </a> </td> <td> <a href="/versions/v13/software/S0604"> Industroyer </a> </td> <td> <p><a href="/versions/v13/software/S0604">Industroyer</a> can use supplied user credentials to execute processes and stop services.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0004"> G0004 </a> </td> <td> <a href="/versions/v13/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/versions/v13/groups/G0004">Ke3chang</a> has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" data-reference="Microsoft NICKEL December 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0599"> S0599 </a> </td> <td> <a href="/versions/v13/software/S0599"> Kinsing </a> </td> <td> <p><a href="/versions/v13/software/S0599">Kinsing</a> has used valid SSH credentials to access remote hosts.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="Aqua Kinsing April 2020"><sup><a href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G1004"> G1004 </a> </td> <td> <a href="/versions/v13/groups/G1004"> LAPSUS$ </a> </td> <td> <p><a 
href="/versions/v13/groups/G1004">LAPSUS$</a> has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0032"> G0032 </a> </td> <td> <a href="/versions/v13/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/versions/v13/groups/G0032">Lazarus Group</a> has used administrator credentials to gain access to restricted network segments.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="Kaspersky ThreatNeedle Feb 2021"><sup><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v13/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/versions/v13/groups/G0065">Leviathan</a> has obtained valid accounts to gain initial access.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" data-reference="CISA AA21-200A APT40 July 2021"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-200a" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="Accenture MUDCARP March 2019"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a 
href="/versions/v13/software/S0362"> S0362 </a> </td> <td> <a href="/versions/v13/software/S0362"> Linux Rabbit </a> </td> <td> <p><a href="/versions/v13/software/S0362">Linux Rabbit</a> acquires valid SSH accounts through brute force. <span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" data-reference="Anomali Linux Rabbit 2018"><sup><a href="https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0045"> G0045 </a> </td> <td> <a href="/versions/v13/groups/G0045"> menuPass </a> </td> <td> <p><a href="/versions/v13/groups/G0045">menuPass</a> has used valid accounts, including accounts shared between Managed Service Providers and clients, to move between the two environments.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" data-reference="PWC Cloud Hopper April 2017"><sup><a href="https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" data-reference="Symantec Cicada November 2020"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span><span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" data-reference="District Court of NY APT10 Indictment December 2018"><sup><a href="https://www.justice.gov/opa/page/file/1122671/download" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span><span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" data-reference="Securelist APT10 March 2021"><sup><a 
href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/campaigns/C0002"> C0002 </a> </td> <td> <a href="/versions/v13/campaigns/C0002"> Night Dragon </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0002">Night Dragon</a>, threat actors used compromised VPN accounts to gain access to victim systems.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" data-reference="McAfee Night Dragon"><sup><a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v13/groups/G0049"> OilRig </a> </td> <td> <p><a href="/versions/v13/groups/G0049">OilRig</a> has used compromised credentials to access other systems on a victim network.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" data-reference="Unit42 OilRig Playbook 2023"><sup><a href="https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span><span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" data-reference="FireEye APT34 Webinar Dec 2017"><sup><a href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" 
target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/campaigns/C0014"> C0014 </a> </td> <td> <a href="/versions/v13/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors used valid VPN credentials to gain initial access.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" data-reference="FoxIT Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0011"> G0011 </a> </td> <td> <a href="/versions/v13/groups/G0011"> PittyTiger </a> </td> <td> <p><a href="/versions/v13/groups/G0011">PittyTiger</a> attempts to obtain legitimate credentials during operations.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" data-reference="Bizeul 2014"><sup><a href="https://airbus-cyber-security.com/the-eye-of-the-tiger/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G1005"> G1005 </a> </td> <td> <a href="/versions/v13/groups/G1005"> POLONIUM </a> </td> <td> <p><a href="/versions/v13/groups/G1005">POLONIUM</a> has used valid compromised credentials to gain access to victim environments.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" data-reference="Microsoft POLONIUM June 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0034"> G0034 </a> </td> <td> <a href="/versions/v13/groups/G0034"> Sandworm 
Team </a> </td> <td> <p><a href="/versions/v13/groups/G0034">Sandworm Team</a> have used previously acquired legitimate credentials prior to attacks.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" data-reference="US-CERT Ukraine Feb 2016"><sup><a href="https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0053"> S0053 </a> </td> <td> <a href="/versions/v13/software/S0053"> SeaDuke </a> </td> <td> <p>Some <a href="/versions/v13/software/S0053">SeaDuke</a> samples have a module to extract email from Microsoft Exchange servers using compromised credentials.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" data-reference="Symantec Seaduke 2015"><sup><a href="http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0091"> G0091 </a> </td> <td> <a href="/versions/v13/groups/G0091"> Silence </a> </td> <td> <p><a href="/versions/v13/groups/G0091">Silence</a> has used compromised credentials to log on to other systems and escalate privileges.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" data-reference="Group IB Silence Sept 2018"><sup><a href="https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0122"> G0122 </a> </td> <td> <a href="/versions/v13/groups/G0122"> Silent Librarian </a> </td> <td> <p><a href="/versions/v13/groups/G0122">Silent Librarian</a> has used compromised credentials to obtain unauthorized access to online accounts.<span onclick=scrollToRef('scite-57') 
id="scite-ref-57-a" class="scite-citeref-number" data-reference="DOJ Iran Indictments March 2018"><sup><a href="https://www.justice.gov/usao-sdny/press-release/file/1045781/download" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/campaigns/C0024"> C0024 </a> </td> <td> <a href="/versions/v13/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/versions/v13/groups/G0016">APT29</a> used different compromised credentials for remote access and to move laterally.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span><span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0039"> G0039 </a> </td> <td> <a href="/versions/v13/groups/G0039"> Suckfly </a> </td> <td> <p><a href="/versions/v13/groups/G0039">Suckfly</a> used legitimate account credentials that they dumped to navigate the internal victim network as though 
they were the legitimate account owner.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" data-reference="Symantec Suckfly May 2016"><sup><a href="http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0088"> G0088 </a> </td> <td> <a href="/versions/v13/groups/G0088"> TEMP.Veles </a> </td> <td> <p><a href="/versions/v13/groups/G0088">TEMP.Veles</a> has used compromised VPN accounts.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" data-reference="FireEye TRITON 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0027"> G0027 </a> </td> <td> <a href="/versions/v13/groups/G0027"> Threat Group-3390 </a> </td> <td> <p><a href="/versions/v13/groups/G0027">Threat Group-3390</a> actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" data-reference="Dell TG-3390"><sup><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v13/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v13/groups/G0102">Wizard Spider</a> has used valid credentials for privileged accounts with the goal of accessing domain controllers.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" 
data-reference="CrowdStrike Grim Spider May 2019"><sup><a href="https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span> </p> </td> </tr> </tbody> </table> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v13/mitigations/M1036"> M1036 </a> </td> <td> <a href="/versions/v13/mitigations/M1036"> Account Use Policies </a> </td> <td> <p>Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" data-reference="Microsoft Common Conditional Access Policies"><sup><a href="https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/mitigations/M1015"> M1015 </a> </td> <td> <a href="/versions/v13/mitigations/M1015"> Active Directory Configuration </a> </td> <td> <p>Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.</p> </td> </tr> <tr> <td> <a href="/versions/v13/mitigations/M1013"> M1013 </a> </td> <td> <a href="/versions/v13/mitigations/M1013"> Application Developer Guidance </a> </td> <td> <p>Ensure that applications do not store sensitive data or credentials insecurely. (e.g. 
plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).</p> </td> </tr> <tr> <td> <a href="/versions/v13/mitigations/M1027"> M1027 </a> </td> <td> <a href="/versions/v13/mitigations/M1027"> Password Policies </a> </td> <td> <p>Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" data-reference="US-CERT Alert TA13-175A Risks of Default Passwords on the Internet"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA13-175A" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span> When possible, applications that use SSH keys should be updated periodically and properly secured.</p><p>Policies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources.</p> </td> </tr> <tr> <td> <a href="/versions/v13/mitigations/M1026"> M1026 </a> </td> <td> <a href="/versions/v13/mitigations/M1026"> Privileged Account Management </a> </td> <td> <p>Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. 
<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TechNet Credential Theft"><sup><a href="https://technet.microsoft.com/en-us/library/dn535501.aspx" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> <span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" data-reference="TechNet Least Privilege"><sup><a href="https://technet.microsoft.com/en-us/library/dn487450.aspx" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span> These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. <span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" data-reference="Microsoft Securing Privileged Access"><sup><a href="https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/mitigations/M1018"> M1018 </a> </td> <td> <a href="/versions/v13/mitigations/M1018"> User Account Management </a> </td> <td> <p>Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.</p> </td> </tr> <tr> <td> <a href="/versions/v13/mitigations/M1017"> M1017 </a> </td> <td> <a href="/versions/v13/mitigations/M1017"> User Training </a> </td> <td> <p>Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). 
Train users to only accept valid push notifications and to report suspicious push notifications.</p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="detection">Detection</h2> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0028"> <td> <a href="/versions/v13/datasources/DS0028">DS0028</a> </td> <td class="nowrap"> <a href="/versions/v13/datasources/DS0028">Logon Session</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0028/#Logon%20Session%20Creation">Logon Session Creation</a> </td> <td> <p>Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0028-Logon Session Metadata"> <td></td> <td></td> <td> <a href="/datasources/DS0028/#Logon%20Session%20Metadata">Logon Session Metadata</a> </td> <td> <p>Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. 
Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.</p> </td> </tr> <tr class="datasource" id="uses-DS0002"> <td> <a href="/versions/v13/datasources/DS0002">DS0002</a> </td> <td class="nowrap"> <a href="/versions/v13/datasources/DS0002">User Account</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0002/#User%20Account%20Authentication">User Account Authentication</a> </td> <td> <p>Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. </p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/" target="_blank"> Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022. 
</a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://technet.microsoft.com/en-us/library/dn535501.aspx" target="_blank"> Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/5009/HTA-F02-Detecting-and-Responding-to-Advanced-Threats-within-Exchange-Environments.pdf" target="_blank"> Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf" target="_blank"> Hacquebord, F.. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.justice.gov/file/1080281/download" target="_blank"> Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" target="_blank"> MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. 
</a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank"> NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank"> Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.brighttalk.com/webcast/10703/275683" target="_blank"> Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank"> Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank"> Hawley et al. 
(2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank"> Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank"> Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. 
</a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank"> Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank"> CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank"> Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. 
</a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank"> Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" target="_blank"> FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf" target="_blank"> Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" target="_blank"> Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html" target="_blank"> Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). Retrieved October 4, 2017. 
</a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?" target="_blank"> Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.youtube.com/watch?v=fevGZs0EQu8" target="_blank"> Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" target="_blank"> FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" target="_blank"> McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" target="_blank"> Visa Public. 
(2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank"> Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="35"> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 
</a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank"> Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank"> MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" target="_blank"> Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank"> MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. 
</a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank"> Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://us-cert.cisa.gov/ncas/alerts/aa21-200a" target="_blank"> CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank"> Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" target="_blank"> Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper. 
Retrieved April 5, 2017. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank"> Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.justice.gov/opa/page/file/1122671/download" target="_blank"> US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank"> GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 
</a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens" target="_blank"> Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank"> Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://airbus-cyber-security.com/the-eye-of-the-tiger/" target="_blank"> Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank"> Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. 
</a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01" target="_blank"> US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory" target="_blank"> Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf" target="_blank"> Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www.justice.gov/usao-sdny/press-release/file/1045781/download" target="_blank"> DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. 
Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank"> NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" target="_blank"> DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank"> Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. 
</a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" target="_blank"> John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common" target="_blank"> Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.us-cert.gov/ncas/alerts/TA13-175A" target="_blank"> US-CERT. (n.d.). Risks of Default Passwords on the Internet. Retrieved April 12, 2019. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://technet.microsoft.com/en-us/library/dn487450.aspx" target="_blank"> Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016. 
</a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" target="_blank"> Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> </div> <!--stopindex--> </div> </body> </html>