Techniques - ICS | MITRE ATT&CK®
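<!doctype html>
<html lang="en">
<head>
  <!-- Declared first so the encoding is known before any other head content is parsed. -->
  <meta charset="utf-8">

  <!-- Google Analytics (gtag.js). The remote loader is third-party code that can change at any time, so it cannot be pinned with Subresource Integrity. The inline bootstrap below needs a nonce or hash if a strict Content-Security-Policy is applied. -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'UA-62667723-1');
  </script>

  <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ">
  <meta name="viewport" content="width=device-width, initial-scale=1,shrink-to-fit=no">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <link rel="shortcut icon" href="/versions/v13/theme/favicon.ico" type="image/x-icon">
  <title>Techniques - ICS | MITRE ATT&amp;CK®</title>

  <!-- Bootstrap CSS -->
  <link rel="stylesheet" href="/versions/v13/theme/style/bootstrap.min.css">
  <link rel="stylesheet" href="/versions/v13/theme/style/bootstrap-glyphicon.min.css">
  <link rel="stylesheet" href="/versions/v13/theme/style/bootstrap-tourist.css">
  <link rel="stylesheet" href="/versions/v13/theme/style/bootstrap-select.min.css">
  <link rel="stylesheet" href="/versions/v13/theme/style.min.css?e8044105">

  <!-- NOTE(review): this is the only stylesheet fetched from a third-party origin, and it is loaded without Subresource Integrity. Pin it with an integrity attribute computed from the exact 4.7.0 file plus crossorigin="anonymous", or self-host it next to the Bootstrap assets above. No hash is added here because none is available on this page. -->
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
</head>
<body>
  <div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
    <div class="row sticky-top flex-grow-0 flex-shrink-1">
      <!-- header elements -->
      <header class="col px-0">
        <nav class="navbar navbar-expand-lg navbar-dark position-static">
          <!-- The logo is the only content of the home link, so its alt text names the link destination. -->
          <a class="navbar-brand" href="/versions/v13/"><img src="/versions/v13/theme/images/mitre_attack_logo.png" class="attack-logo" alt="MITRE ATT&amp;CK home"></a>
          <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
            <span class="navbar-toggler-icon"></span>
          </button>
          <div class="collapse navbar-collapse" id="navbarCollapse">
            <ul class="nav nav-tabs ml-auto">
              <!-- NOTE(review): every dropdown toggle in this list reuses id="navbarDropdown", so each menu's aria-labelledby resolves to the first toggle only. Unique ids per toggle would fix the accessible names; left as is until it is confirmed that no stylesheet or script selects on #navbarDropdown. -->
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Matrices</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/matrices/enterprise/">Enterprise</a>
                  <a class="dropdown-item" href="/versions/v13/matrices/mobile/">Mobile</a>
                  <a class="dropdown-item" href="/versions/v13/matrices/ics/">ICS</a>
                </div>
              </li>
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Tactics</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/tactics/enterprise/">Enterprise</a>
                  <a class="dropdown-item" href="/versions/v13/tactics/mobile/">Mobile</a>
                  <a class="dropdown-item" href="/versions/v13/tactics/ics/">ICS</a>
                </div>
              </li>
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Techniques</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/techniques/enterprise/">Enterprise</a>
                  <a class="dropdown-item" href="/versions/v13/techniques/mobile/">Mobile</a>
                  <a class="dropdown-item" href="/versions/v13/techniques/ics/">ICS</a>
                </div>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/datasources" class="nav-link"><b>Data Sources</b></a>
              </li>
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Mitigations</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/mitigations/enterprise/">Enterprise</a>
                  <a class="dropdown-item" href="/versions/v13/mitigations/mobile/">Mobile</a>
                  <a class="dropdown-item" href="/versions/v13/mitigations/ics/">ICS</a>
                </div>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/groups" class="nav-link"><b>Groups</b></a>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/software/" class="nav-link"><b>Software</b></a>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/campaigns" class="nav-link"><b>Campaigns</b></a>
              </li>
              <li class="nav-item dropdown">
                <a class="nav-link dropdown-toggle" href="/versions/v13/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                  <b>Resources</b>
                </a>
                <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                  <a class="dropdown-item" href="/versions/v13/resources/">General Information</a>
                  <a class="dropdown-item" href="/versions/v13/resources/getting-started/">Getting Started</a>
                  <a class="dropdown-item" href="/versions/v13/resources/training/">Training</a>
                  <a class="dropdown-item" href="/versions/v13/resources/attackcon/">ATT&amp;CKcon</a>
                  <a class="dropdown-item" href="/versions/v13/resources/working-with-attack/">Working with ATT&amp;CK</a>
                  <a class="dropdown-item" href="/versions/v13/resources/faq/">FAQ</a>
                  <a class="dropdown-item" href="/resources/updates/">Updates</a>
                  <a class="dropdown-item" href="/resources/versions/">Versions of ATT&amp;CK</a>
                  <a class="dropdown-item" href="/versions/v13/resources/related-projects/">Related Projects</a>
                  <a class="dropdown-item" href="/versions/v13/resources/brand/">Brand Guide</a>
                </div>
              </li>
              <li class="nav-item">
                <!-- Opens an external origin in a new tab: rel="noopener noreferrer" keeps that page from reaching window.opener and withholds the referrer. -->
                <a href="https://medium.com/mitre-attack/" target="_blank" rel="noopener noreferrer" class="nav-link">
                  <b>Blog</b>
                  <img src="/versions/v13/theme/images/external-site.svg" alt="External site" class="external-icon">
                </a>
              </li>
              <li class="nav-item">
                <a href="/versions/v13/resources/contribute/" class="nav-link"><b>Contribute</b></a>
              </li>
              <li class="nav-item">
                <!-- Explicit type so the control never acts as a submit button if it is ever placed inside a form. -->
                <button type="button" id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button>
              </li>
            </ul>
          </div>
        </nav>
      </header>
    </div>
    <div class="row flex-grow-0 flex-shrink-1">
      <!-- banner elements -->
      <div class="col px-0">
        <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature -->
        <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v13/theme/images/icon-warning-24px.svg" alt=""></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.1" target="_blank" rel="noopener noreferrer">ATT&amp;CK v13.1</a> which was live between April 25, 2023 and October 30, 2023. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div>
      </div>
    </div>
    <div class="row flex-grow-1 flex-shrink-0">
      <!-- main content elements -->
      <!-- NOTE(review): the sidebar markup that starts here is reproduced unchanged. id="v-tab" appears on both the sidebar container and its child, and the expand buttons carry a leading # in aria-controls, which expects a bare element id. Both patterns continue through the rest of the sidebar, so they should be corrected in the template that generates it rather than piecemeal. -->
      <!--start-indexing-for-search-->
      <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical">
        <div class="resizer"></div>
        <!--stop-indexing-for-search-->
        <div id="v-tab" role="tablist" aria-orientation="vertical" class="h-100">
          <div class="sidenav-wrapper">
            <div class="heading" data-toggle="collapse" data-target="#sidebar-collapse" id="v-home-tab" aria-selected="false">TECHNIQUES <i class="fa fa-fw fa-chevron-down"></i> <i class="fa fa-fw fa-chevron-up"></i> </div>
            <br class="br-mobile">
            <div class="collapse show" id="sidebar-collapse">
              <div class="sidenav-list">
                <div class="sidenav">
                  <div class="sidenav-head " id="enterprise">
                    <a href="/versions/v13/techniques/enterprise/"> Enterprise </a>
                    <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div>
                  </div>
                  <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header">
                    <div class="sidenav">
                      <div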
class="sidenav-head " id="enterprise-TA0043"> <a href="/versions/v13/tactics/TA0043"> Reconnaissance </a> <div class="expand-button collapsed" id="enterprise-TA0043-header" data-toggle="collapse" data-target="#enterprise-TA0043-body" aria-expanded="false" aria-controls="#enterprise-TA0043-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-body" aria-labelledby="enterprise-TA0043-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595"> <a href="/versions/v13/techniques/T1595/"> Active Scanning </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1595-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1595-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1595-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1595-body" aria-labelledby="enterprise-TA0043-T1595-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595-T1595.001"> <a href="/versions/v13/techniques/T1595/001/"> Scanning IP Blocks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595-T1595.002"> <a href="/versions/v13/techniques/T1595/002/"> Vulnerability Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595-T1595.003"> <a href="/versions/v13/techniques/T1595/003/"> Wordlist Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592"> <a href="/versions/v13/techniques/T1592/"> Gather Victim Host Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1592-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1592-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1592-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1592-body" aria-labelledby="enterprise-TA0043-T1592-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0043-T1592-T1592.001"> <a href="/versions/v13/techniques/T1592/001/"> Hardware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592-T1592.002"> <a href="/versions/v13/techniques/T1592/002/"> Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592-T1592.003"> <a href="/versions/v13/techniques/T1592/003/"> Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592-T1592.004"> <a href="/versions/v13/techniques/T1592/004/"> Client Configurations </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589"> <a href="/versions/v13/techniques/T1589/"> Gather Victim Identity Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1589-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1589-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1589-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1589-body" aria-labelledby="enterprise-TA0043-T1589-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589-T1589.001"> <a href="/versions/v13/techniques/T1589/001/"> Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589-T1589.002"> <a href="/versions/v13/techniques/T1589/002/"> Email Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589-T1589.003"> <a href="/versions/v13/techniques/T1589/003/"> Employee Names </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590"> <a href="/versions/v13/techniques/T1590/"> Gather Victim Network Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1590-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1590-body" aria-expanded="false" 
aria-controls="#enterprise-TA0043-T1590-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1590-body" aria-labelledby="enterprise-TA0043-T1590-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.001"> <a href="/versions/v13/techniques/T1590/001/"> Domain Properties </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.002"> <a href="/versions/v13/techniques/T1590/002/"> DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.003"> <a href="/versions/v13/techniques/T1590/003/"> Network Trust Dependencies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.004"> <a href="/versions/v13/techniques/T1590/004/"> Network Topology </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.005"> <a href="/versions/v13/techniques/T1590/005/"> IP Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590-T1590.006"> <a href="/versions/v13/techniques/T1590/006/"> Network Security Appliances </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591"> <a href="/versions/v13/techniques/T1591/"> Gather Victim Org Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1591-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1591-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1591-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1591-body" aria-labelledby="enterprise-TA0043-T1591-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591-T1591.001"> <a href="/versions/v13/techniques/T1591/001/"> Determine Physical Locations </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0043-T1591-T1591.002"> <a href="/versions/v13/techniques/T1591/002/"> Business Relationships </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591-T1591.003"> <a href="/versions/v13/techniques/T1591/003/"> Identify Business Tempo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591-T1591.004"> <a href="/versions/v13/techniques/T1591/004/"> Identify Roles </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598"> <a href="/versions/v13/techniques/T1598/"> Phishing for Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1598-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1598-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1598-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1598-body" aria-labelledby="enterprise-TA0043-T1598-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598-T1598.001"> <a href="/versions/v13/techniques/T1598/001/"> Spearphishing Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598-T1598.002"> <a href="/versions/v13/techniques/T1598/002/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598-T1598.003"> <a href="/versions/v13/techniques/T1598/003/"> Spearphishing Link </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597"> <a href="/versions/v13/techniques/T1597/"> Search Closed Sources </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1597-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1597-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1597-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1597-body" 
aria-labelledby="enterprise-TA0043-T1597-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597-T1597.001"> <a href="/versions/v13/techniques/T1597/001/"> Threat Intel Vendors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597-T1597.002"> <a href="/versions/v13/techniques/T1597/002/"> Purchase Technical Data </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596"> <a href="/versions/v13/techniques/T1596/"> Search Open Technical Databases </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1596-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1596-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1596-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1596-body" aria-labelledby="enterprise-TA0043-T1596-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.001"> <a href="/versions/v13/techniques/T1596/001/"> DNS/Passive DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.002"> <a href="/versions/v13/techniques/T1596/002/"> WHOIS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.003"> <a href="/versions/v13/techniques/T1596/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.004"> <a href="/versions/v13/techniques/T1596/004/"> CDNs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596-T1596.005"> <a href="/versions/v13/techniques/T1596/005/"> Scan Databases </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593"> <a href="/versions/v13/techniques/T1593/"> Search Open Websites/Domains </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1593-header" 
data-toggle="collapse" data-target="#enterprise-TA0043-T1593-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1593-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1593-body" aria-labelledby="enterprise-TA0043-T1593-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593-T1593.001"> <a href="/versions/v13/techniques/T1593/001/"> Social Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593-T1593.002"> <a href="/versions/v13/techniques/T1593/002/"> Search Engines </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593-T1593.003"> <a href="/versions/v13/techniques/T1593/003/"> Code Repositories </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1594"> <a href="/versions/v13/techniques/T1594/"> Search Victim-Owned Websites </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042"> <a href="/versions/v13/tactics/TA0042"> Resource Development </a> <div class="expand-button collapsed" id="enterprise-TA0042-header" data-toggle="collapse" data-target="#enterprise-TA0042-body" aria-expanded="false" aria-controls="#enterprise-TA0042-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-body" aria-labelledby="enterprise-TA0042-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1650"> <a href="/versions/v13/techniques/T1650/"> Acquire Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583"> <a href="/versions/v13/techniques/T1583/"> Acquire Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1583-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1583-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1583-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0042-T1583-body" aria-labelledby="enterprise-TA0042-T1583-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.001"> <a href="/versions/v13/techniques/T1583/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.002"> <a href="/versions/v13/techniques/T1583/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.003"> <a href="/versions/v13/techniques/T1583/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.004"> <a href="/versions/v13/techniques/T1583/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.005"> <a href="/versions/v13/techniques/T1583/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.006"> <a href="/versions/v13/techniques/T1583/006/"> Web Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.007"> <a href="/versions/v13/techniques/T1583/007/"> Serverless </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583-T1583.008"> <a href="/versions/v13/techniques/T1583/008/"> Malvertising </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586"> <a href="/versions/v13/techniques/T1586/"> Compromise Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1586-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1586-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1586-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1586-body" aria-labelledby="enterprise-TA0042-T1586-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0042-T1586-T1586.001"> <a href="/versions/v13/techniques/T1586/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586-T1586.002"> <a href="/versions/v13/techniques/T1586/002/"> Email Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586-T1586.003"> <a href="/versions/v13/techniques/T1586/003/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584"> <a href="/versions/v13/techniques/T1584/"> Compromise Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1584-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1584-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1584-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1584-body" aria-labelledby="enterprise-TA0042-T1584-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.001"> <a href="/versions/v13/techniques/T1584/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.002"> <a href="/versions/v13/techniques/T1584/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.003"> <a href="/versions/v13/techniques/T1584/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.004"> <a href="/versions/v13/techniques/T1584/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.005"> <a href="/versions/v13/techniques/T1584/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.006"> <a href="/versions/v13/techniques/T1584/006/"> Web Services </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head " id="enterprise-TA0042-T1584-T1584.007"> <a href="/versions/v13/techniques/T1584/007/"> Serverless </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587"> <a href="/versions/v13/techniques/T1587/"> Develop Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1587-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1587-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1587-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1587-body" aria-labelledby="enterprise-TA0042-T1587-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587-T1587.001"> <a href="/versions/v13/techniques/T1587/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587-T1587.002"> <a href="/versions/v13/techniques/T1587/002/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587-T1587.003"> <a href="/versions/v13/techniques/T1587/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587-T1587.004"> <a href="/versions/v13/techniques/T1587/004/"> Exploits </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585"> <a href="/versions/v13/techniques/T1585/"> Establish Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1585-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1585-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1585-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1585-body" aria-labelledby="enterprise-TA0042-T1585-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585-T1585.001"> <a href="/versions/v13/techniques/T1585/001/"> Social Media Accounts </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585-T1585.002"> <a href="/versions/v13/techniques/T1585/002/"> Email Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585-T1585.003"> <a href="/versions/v13/techniques/T1585/003/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588"> <a href="/versions/v13/techniques/T1588/"> Obtain Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1588-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1588-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1588-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1588-body" aria-labelledby="enterprise-TA0042-T1588-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.001"> <a href="/versions/v13/techniques/T1588/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.002"> <a href="/versions/v13/techniques/T1588/002/"> Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.003"> <a href="/versions/v13/techniques/T1588/003/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.004"> <a href="/versions/v13/techniques/T1588/004/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.005"> <a href="/versions/v13/techniques/T1588/005/"> Exploits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588-T1588.006"> <a href="/versions/v13/techniques/T1588/006/"> Vulnerabilities </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608"> <a 
href="/versions/v13/techniques/T1608/"> Stage Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1608-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1608-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1608-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1608-body" aria-labelledby="enterprise-TA0042-T1608-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.001"> <a href="/versions/v13/techniques/T1608/001/"> Upload Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.002"> <a href="/versions/v13/techniques/T1608/002/"> Upload Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.003"> <a href="/versions/v13/techniques/T1608/003/"> Install Digital Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.004"> <a href="/versions/v13/techniques/T1608/004/"> Drive-by Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.005"> <a href="/versions/v13/techniques/T1608/005/"> Link Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608-T1608.006"> <a href="/versions/v13/techniques/T1608/006/"> SEO Poisoning </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001"> <a href="/versions/v13/tactics/TA0001"> Initial Access </a> <div class="expand-button collapsed" id="enterprise-TA0001-header" data-toggle="collapse" data-target="#enterprise-TA0001-body" aria-expanded="false" aria-controls="#enterprise-TA0001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-body" aria-labelledby="enterprise-TA0001-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1189"> <a 
class="sidenav-head " id="enterprise-TA0004-T1547-T1547.006"> <a href="/versions/v13/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.007"> <a href="/versions/v13/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.008"> <a href="/versions/v13/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.009"> <a href="/versions/v13/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.010"> <a href="/versions/v13/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.012"> <a href="/versions/v13/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.013"> <a href="/versions/v13/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.014"> <a href="/versions/v13/techniques/T1547/014/"> Active Setup </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.015"> <a href="/versions/v13/techniques/T1547/015/"> Login Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037"> <a href="/versions/v13/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1037-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0004-T1037-body" aria-labelledby="enterprise-TA0004-T1037-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.001"> <a href="/versions/v13/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.002"> <a href="/versions/v13/techniques/T1037/002/"> Login Hook </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.003"> <a href="/versions/v13/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.004"> <a href="/versions/v13/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.005"> <a href="/versions/v13/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543"> <a href="/versions/v13/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1543-body" aria-labelledby="enterprise-TA0004-T1543-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543-T1543.001"> <a href="/versions/v13/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543-T1543.002"> <a href="/versions/v13/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543-T1543.003"> <a href="/versions/v13/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0004-T1543-T1543.004"> <a href="/versions/v13/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484"> <a href="/versions/v13/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1484-body" aria-labelledby="enterprise-TA0004-T1484-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484-T1484.001"> <a href="/versions/v13/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484-T1484.002"> <a href="/versions/v13/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1611"> <a href="/versions/v13/techniques/T1611/"> Escape to Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546"> <a href="/versions/v13/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1546-body" aria-labelledby="enterprise-TA0004-T1546-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.001"> <a href="/versions/v13/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.002"> <a href="/versions/v13/techniques/T1546/002/"> 
Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.003"> <a href="/versions/v13/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.004"> <a href="/versions/v13/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.005"> <a href="/versions/v13/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.006"> <a href="/versions/v13/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.007"> <a href="/versions/v13/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.008"> <a href="/versions/v13/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.009"> <a href="/versions/v13/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.010"> <a href="/versions/v13/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.011"> <a href="/versions/v13/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.012"> <a href="/versions/v13/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.013"> <a href="/versions/v13/techniques/T1546/013/"> PowerShell Profile </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.014"> <a href="/versions/v13/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.015"> <a href="/versions/v13/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.016"> <a href="/versions/v13/techniques/T1546/016/"> Installer Packages </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1068"> <a href="/versions/v13/techniques/T1068/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574"> <a href="/versions/v13/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1574-body" aria-labelledby="enterprise-TA0004-T1574-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.001"> <a href="/versions/v13/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.002"> <a href="/versions/v13/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.004"> <a href="/versions/v13/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.005"> <a href="/versions/v13/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0004-T1574-T1574.006"> <a href="/versions/v13/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.007"> <a href="/versions/v13/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.008"> <a href="/versions/v13/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.009"> <a href="/versions/v13/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.010"> <a href="/versions/v13/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.011"> <a href="/versions/v13/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.012"> <a href="/versions/v13/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.013"> <a href="/versions/v13/techniques/T1574/013/"> KernelCallbackTable </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055"> <a href="/versions/v13/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1055-body" aria-labelledby="enterprise-TA0004-T1055-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0004-T1055-T1055.001"> <a href="/versions/v13/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.002"> <a href="/versions/v13/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.003"> <a href="/versions/v13/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.004"> <a href="/versions/v13/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.005"> <a href="/versions/v13/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.008"> <a href="/versions/v13/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.009"> <a href="/versions/v13/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.011"> <a href="/versions/v13/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.012"> <a href="/versions/v13/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.013"> <a href="/versions/v13/techniques/T1055/013/"> Process Doppelg盲nging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.014"> <a href="/versions/v13/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.015"> 
<a href="/versions/v13/techniques/T1055/015/"> ListPlanting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053"> <a href="/versions/v13/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1053-body" aria-labelledby="enterprise-TA0004-T1053-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.002"> <a href="/versions/v13/techniques/T1053/002/"> At </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.003"> <a href="/versions/v13/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.005"> <a href="/versions/v13/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.006"> <a href="/versions/v13/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.007"> <a href="/versions/v13/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078"> <a href="/versions/v13/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1078-body" aria-labelledby="enterprise-TA0004-T1078-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0004-T1078-T1078.001"> <a href="/versions/v13/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078-T1078.002"> <a href="/versions/v13/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078-T1078.003"> <a href="/versions/v13/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078-T1078.004"> <a href="/versions/v13/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005"> <a href="/versions/v13/tactics/TA0005"> Defense Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-header" data-toggle="collapse" data-target="#enterprise-TA0005-body" aria-expanded="false" aria-controls="#enterprise-TA0005-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-body" aria-labelledby="enterprise-TA0005-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548"> <a href="/versions/v13/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1548-body" aria-labelledby="enterprise-TA0005-T1548-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548-T1548.001"> <a href="/versions/v13/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548-T1548.002"> <a href="/versions/v13/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0005-T1548-T1548.003"> <a href="/versions/v13/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548-T1548.004"> <a href="/versions/v13/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134"> <a href="/versions/v13/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1134-body" aria-labelledby="enterprise-TA0005-T1134-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.001"> <a href="/versions/v13/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.002"> <a href="/versions/v13/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.003"> <a href="/versions/v13/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.004"> <a href="/versions/v13/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.005"> <a href="/versions/v13/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1197"> <a href="/versions/v13/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1612"> <a 
href="/versions/v13/techniques/T1612/"> Build Image on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1622"> <a href="/versions/v13/techniques/T1622/"> Debugger Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1140"> <a href="/versions/v13/techniques/T1140/"> Deobfuscate/Decode Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1610"> <a href="/versions/v13/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1006"> <a href="/versions/v13/techniques/T1006/"> Direct Volume Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484"> <a href="/versions/v13/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1484-body" aria-labelledby="enterprise-TA0005-T1484-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484-T1484.001"> <a href="/versions/v13/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484-T1484.002"> <a href="/versions/v13/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480"> <a href="/versions/v13/techniques/T1480/"> Execution Guardrails </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1480-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1480-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1480-body"></div> </div> <div 
class="sidenav-body collapse" id="enterprise-TA0005-T1480-body" aria-labelledby="enterprise-TA0005-T1480-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480-T1480.001"> <a href="/versions/v13/techniques/T1480/001/"> Environmental Keying </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1211"> <a href="/versions/v13/techniques/T1211/"> Exploitation for Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222"> <a href="/versions/v13/techniques/T1222/"> File and Directory Permissions Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1222-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1222-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1222-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1222-body" aria-labelledby="enterprise-TA0005-T1222-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222-T1222.001"> <a href="/versions/v13/techniques/T1222/001/"> Windows File and Directory Permissions Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222-T1222.002"> <a href="/versions/v13/techniques/T1222/002/"> Linux and Mac File and Directory Permissions Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564"> <a href="/versions/v13/techniques/T1564/"> Hide Artifacts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1564-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1564-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1564-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1564-body" aria-labelledby="enterprise-TA0005-T1564-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.001"> <a 
href="/versions/v13/techniques/T1564/001/"> Hidden Files and Directories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.002"> <a href="/versions/v13/techniques/T1564/002/"> Hidden Users </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.003"> <a href="/versions/v13/techniques/T1564/003/"> Hidden Window </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.004"> <a href="/versions/v13/techniques/T1564/004/"> NTFS File Attributes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.005"> <a href="/versions/v13/techniques/T1564/005/"> Hidden File System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.006"> <a href="/versions/v13/techniques/T1564/006/"> Run Virtual Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.007"> <a href="/versions/v13/techniques/T1564/007/"> VBA Stomping </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.008"> <a href="/versions/v13/techniques/T1564/008/"> Email Hiding Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.009"> <a href="/versions/v13/techniques/T1564/009/"> Resource Forking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.010"> <a href="/versions/v13/techniques/T1564/010/"> Process Argument Spoofing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574"> <a href="/versions/v13/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1574-body" aria-expanded="false" 
aria-controls="#enterprise-TA0005-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1574-body" aria-labelledby="enterprise-TA0005-T1574-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.001"> <a href="/versions/v13/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.002"> <a href="/versions/v13/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.004"> <a href="/versions/v13/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.005"> <a href="/versions/v13/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.006"> <a href="/versions/v13/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.007"> <a href="/versions/v13/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.008"> <a href="/versions/v13/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.009"> <a href="/versions/v13/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.010"> <a href="/versions/v13/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.011"> <a 
href="/versions/v13/techniques/T1003/002/"> Security Account Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.003"> <a href="/versions/v13/techniques/T1003/003/"> NTDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.004"> <a href="/versions/v13/techniques/T1003/004/"> LSA Secrets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.005"> <a href="/versions/v13/techniques/T1003/005/"> Cached Domain Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.006"> <a href="/versions/v13/techniques/T1003/006/"> DCSync </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.007"> <a href="/versions/v13/techniques/T1003/007/"> Proc Filesystem </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.008"> <a href="/versions/v13/techniques/T1003/008/"> /etc/passwd and /etc/shadow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1528"> <a href="/versions/v13/techniques/T1528/"> Steal Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1649"> <a href="/versions/v13/techniques/T1649/"> Steal or Forge Authentication Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558"> <a href="/versions/v13/techniques/T1558/"> Steal or Forge Kerberos Tickets </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1558-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1558-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1558-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1558-body" aria-labelledby="enterprise-TA0006-T1558-header"> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.001"> <a href="/versions/v13/techniques/T1558/001/"> Golden Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.002"> <a href="/versions/v13/techniques/T1558/002/"> Silver Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.003"> <a href="/versions/v13/techniques/T1558/003/"> Kerberoasting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.004"> <a href="/versions/v13/techniques/T1558/004/"> AS-REP Roasting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1539"> <a href="/versions/v13/techniques/T1539/"> Steal Web Session Cookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552"> <a href="/versions/v13/techniques/T1552/"> Unsecured Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1552-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1552-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1552-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1552-body" aria-labelledby="enterprise-TA0006-T1552-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.001"> <a href="/versions/v13/techniques/T1552/001/"> Credentials In Files </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.002"> <a href="/versions/v13/techniques/T1552/002/"> Credentials in Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.003"> <a href="/versions/v13/techniques/T1552/003/"> Bash History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.004"> <a 
href="/versions/v13/techniques/T1552/004/"> Private Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.005"> <a href="/versions/v13/techniques/T1552/005/"> Cloud Instance Metadata API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.006"> <a href="/versions/v13/techniques/T1552/006/"> Group Policy Preferences </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.007"> <a href="/versions/v13/techniques/T1552/007/"> Container API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.008"> <a href="/versions/v13/techniques/T1552/008/"> Chat Messages </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007"> <a href="/versions/v13/tactics/TA0007"> Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-header" data-toggle="collapse" data-target="#enterprise-TA0007-body" aria-expanded="false" aria-controls="#enterprise-TA0007-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-body" aria-labelledby="enterprise-TA0007-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087"> <a href="/versions/v13/techniques/T1087/"> Account Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1087-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1087-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1087-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1087-body" aria-labelledby="enterprise-TA0007-T1087-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.001"> <a href="/versions/v13/techniques/T1087/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.002"> <a 
href="/versions/v13/techniques/T1087/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.003"> <a href="/versions/v13/techniques/T1087/003/"> Email Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.004"> <a href="/versions/v13/techniques/T1087/004/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1010"> <a href="/versions/v13/techniques/T1010/"> Application Window Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1217"> <a href="/versions/v13/techniques/T1217/"> Browser Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1580"> <a href="/versions/v13/techniques/T1580/"> Cloud Infrastructure Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1538"> <a href="/versions/v13/techniques/T1538/"> Cloud Service Dashboard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1526"> <a href="/versions/v13/techniques/T1526/"> Cloud Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1619"> <a href="/versions/v13/techniques/T1619/"> Cloud Storage Object Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1613"> <a href="/versions/v13/techniques/T1613/"> Container and Resource Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1622"> <a href="/versions/v13/techniques/T1622/"> Debugger Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1652"> <a href="/versions/v13/techniques/T1652/"> Device Driver Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0007-T1482"> <a href="/versions/v13/techniques/T1482/"> Domain Trust Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1083"> <a href="/versions/v13/techniques/T1083/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1615"> <a href="/versions/v13/techniques/T1615/"> Group Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1046"> <a href="/versions/v13/techniques/T1046/"> Network Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1135"> <a href="/versions/v13/techniques/T1135/"> Network Share Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1040"> <a href="/versions/v13/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1201"> <a href="/versions/v13/techniques/T1201/"> Password Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1120"> <a href="/versions/v13/techniques/T1120/"> Peripheral Device Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069"> <a href="/versions/v13/techniques/T1069/"> Permission Groups Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1069-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1069-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1069-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1069-body" aria-labelledby="enterprise-TA0007-T1069-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069-T1069.001"> <a href="/versions/v13/techniques/T1069/001/"> Local Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0007-T1069-T1069.002"> <a href="/versions/v13/techniques/T1069/002/"> Domain Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069-T1069.003"> <a href="/versions/v13/techniques/T1069/003/"> Cloud Groups </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1057"> <a href="/versions/v13/techniques/T1057/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1012"> <a href="/versions/v13/techniques/T1012/"> Query Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1018"> <a href="/versions/v13/techniques/T1018/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518"> <a href="/versions/v13/techniques/T1518/"> Software Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1518-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1518-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1518-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1518-body" aria-labelledby="enterprise-TA0007-T1518-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518-T1518.001"> <a href="/versions/v13/techniques/T1518/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1082"> <a href="/versions/v13/techniques/T1082/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1614"> <a href="/versions/v13/techniques/T1614/"> System Location Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1614-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1614-body" aria-expanded="false" 
aria-controls="#enterprise-TA0007-T1614-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1614-body" aria-labelledby="enterprise-TA0007-T1614-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1614-T1614.001"> <a href="/versions/v13/techniques/T1614/001/"> System Language Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016"> <a href="/versions/v13/techniques/T1016/"> System Network Configuration Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1016-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1016-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1016-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1016-body" aria-labelledby="enterprise-TA0007-T1016-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016-T1016.001"> <a href="/versions/v13/techniques/T1016/001/"> Internet Connection Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1049"> <a href="/versions/v13/techniques/T1049/"> System Network Connections Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1033"> <a href="/versions/v13/techniques/T1033/"> System Owner/User Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1007"> <a href="/versions/v13/techniques/T1007/"> System Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1124"> <a href="/versions/v13/techniques/T1124/"> System Time Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497"> <a href="/versions/v13/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1497-header" 
data-toggle="collapse" data-target="#enterprise-TA0007-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1497-body" aria-labelledby="enterprise-TA0007-T1497-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497-T1497.001"> <a href="/versions/v13/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497-T1497.002"> <a href="/versions/v13/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497-T1497.003"> <a href="/versions/v13/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008"> <a href="/versions/v13/tactics/TA0008"> Lateral Movement </a> <div class="expand-button collapsed" id="enterprise-TA0008-header" data-toggle="collapse" data-target="#enterprise-TA0008-body" aria-expanded="false" aria-controls="#enterprise-TA0008-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-body" aria-labelledby="enterprise-TA0008-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1210"> <a href="/versions/v13/techniques/T1210/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1534"> <a href="/versions/v13/techniques/T1534/"> Internal Spearphishing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1570"> <a href="/versions/v13/techniques/T1570/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563"> <a href="/versions/v13/techniques/T1563/"> Remote Service Session Hijacking </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1563-header" 
data-toggle="collapse" data-target="#enterprise-TA0008-T1563-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1563-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1563-body" aria-labelledby="enterprise-TA0008-T1563-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563-T1563.001"> <a href="/versions/v13/techniques/T1563/001/"> SSH Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563-T1563.002"> <a href="/versions/v13/techniques/T1563/002/"> RDP Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021"> <a href="/versions/v13/techniques/T1021/"> Remote Services </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1021-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1021-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1021-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1021-body" aria-labelledby="enterprise-TA0008-T1021-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.001"> <a href="/versions/v13/techniques/T1021/001/"> Remote Desktop Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.002"> <a href="/versions/v13/techniques/T1021/002/"> SMB/Windows Admin Shares </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.003"> <a href="/versions/v13/techniques/T1021/003/"> Distributed Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.004"> <a href="/versions/v13/techniques/T1021/004/"> SSH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.005"> <a href="/versions/v13/techniques/T1021/005/"> VNC </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0008-T1021-T1021.006"> <a href="/versions/v13/techniques/T1021/006/"> Windows Remote Management </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.007"> <a href="/versions/v13/techniques/T1021/007/"> Cloud Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1091"> <a href="/versions/v13/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1072"> <a href="/versions/v13/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1080"> <a href="/versions/v13/techniques/T1080/"> Taint Shared Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550"> <a href="/versions/v13/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1550-body" aria-labelledby="enterprise-TA0008-T1550-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.001"> <a href="/versions/v13/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.002"> <a href="/versions/v13/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.003"> <a href="/versions/v13/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.004"> <a 
href="/versions/v13/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009"> <a href="/versions/v13/tactics/TA0009"> Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-header" data-toggle="collapse" data-target="#enterprise-TA0009-body" aria-expanded="false" aria-controls="#enterprise-TA0009-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-body" aria-labelledby="enterprise-TA0009-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557"> <a href="/versions/v13/techniques/T1557/"> Adversary-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1557-body" aria-labelledby="enterprise-TA0009-T1557-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557-T1557.001"> <a href="/versions/v13/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557-T1557.002"> <a href="/versions/v13/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557-T1557.003"> <a href="/versions/v13/techniques/T1557/003/"> DHCP Spoofing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560"> <a href="/versions/v13/techniques/T1560/"> Archive Collected Data </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1560-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1560-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1560-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0009-T1560-body" aria-labelledby="enterprise-TA0009-T1560-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560-T1560.001"> <a href="/versions/v13/techniques/T1560/001/"> Archive via Utility </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560-T1560.002"> <a href="/versions/v13/techniques/T1560/002/"> Archive via Library </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560-T1560.003"> <a href="/versions/v13/techniques/T1560/003/"> Archive via Custom Method </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1123"> <a href="/versions/v13/techniques/T1123/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1119"> <a href="/versions/v13/techniques/T1119/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1185"> <a href="/versions/v13/techniques/T1185/"> Browser Session Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1115"> <a href="/versions/v13/techniques/T1115/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1530"> <a href="/versions/v13/techniques/T1530/"> Data from Cloud Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602"> <a href="/versions/v13/techniques/T1602/"> Data from Configuration Repository </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1602-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1602-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1602-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1602-body" aria-labelledby="enterprise-TA0009-T1602-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0009-T1602-T1602.001"> <a href="/versions/v13/techniques/T1602/001/"> SNMP (MIB Dump) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602-T1602.002"> <a href="/versions/v13/techniques/T1602/002/"> Network Device Configuration Dump </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213"> <a href="/versions/v13/techniques/T1213/"> Data from Information Repositories </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1213-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1213-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1213-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1213-body" aria-labelledby="enterprise-TA0009-T1213-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213-T1213.001"> <a href="/versions/v13/techniques/T1213/001/"> Confluence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213-T1213.002"> <a href="/versions/v13/techniques/T1213/002/"> Sharepoint </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213-T1213.003"> <a href="/versions/v13/techniques/T1213/003/"> Code Repositories </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1005"> <a href="/versions/v13/techniques/T1005/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1039"> <a href="/versions/v13/techniques/T1039/"> Data from Network Shared Drive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1025"> <a href="/versions/v13/techniques/T1025/"> Data from Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074"> <a href="/versions/v13/techniques/T1074/"> Data Staged </a> <div 
href="/versions/v13/techniques/T1634/"> Credentials from Password Store </a> <div class="expand-button collapsed" id="mobile-TA0031-T1634-header" data-toggle="collapse" data-target="#mobile-TA0031-T1634-body" aria-expanded="false" aria-controls="#mobile-TA0031-T1634-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-T1634-body" aria-labelledby="mobile-TA0031-T1634-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1634-T1634.001"> <a href="/versions/v13/techniques/T1634/001/"> Keychain </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1417"> <a href="/versions/v13/techniques/T1417/"> Input Capture </a> <div class="expand-button collapsed" id="mobile-TA0031-T1417-header" data-toggle="collapse" data-target="#mobile-TA0031-T1417-body" aria-expanded="false" aria-controls="#mobile-TA0031-T1417-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-T1417-body" aria-labelledby="mobile-TA0031-T1417-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1417-T1417.001"> <a href="/versions/v13/techniques/T1417/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1417-T1417.002"> <a href="/versions/v13/techniques/T1417/002/"> GUI Input Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1635"> <a href="/versions/v13/techniques/T1635/"> Steal Application Access Token </a> <div class="expand-button collapsed" id="mobile-TA0031-T1635-header" data-toggle="collapse" data-target="#mobile-TA0031-T1635-body" aria-expanded="false" aria-controls="#mobile-TA0031-T1635-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-T1635-body" aria-labelledby="mobile-TA0031-T1635-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1635-T1635.001"> <a href="/versions/v13/techniques/T1635/001/"> URI Hijacking 
</a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032"> <a href="/versions/v13/tactics/TA0032"> Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-header" data-toggle="collapse" data-target="#mobile-TA0032-body" aria-expanded="false" aria-controls="#mobile-TA0032-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-body" aria-labelledby="mobile-TA0032-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1420"> <a href="/versions/v13/techniques/T1420/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1430"> <a href="/versions/v13/techniques/T1430/"> Location Tracking </a> <div class="expand-button collapsed" id="mobile-TA0032-T1430-header" data-toggle="collapse" data-target="#mobile-TA0032-T1430-body" aria-expanded="false" aria-controls="#mobile-TA0032-T1430-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-T1430-body" aria-labelledby="mobile-TA0032-T1430-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1430-T1430.001"> <a href="/versions/v13/techniques/T1430/001/"> Remote Device Management Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1430-T1430.002"> <a href="/versions/v13/techniques/T1430/002/"> Impersonate SS7 Nodes </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1423"> <a href="/versions/v13/techniques/T1423/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1424"> <a href="/versions/v13/techniques/T1424/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1418"> <a href="/versions/v13/techniques/T1418/"> Software Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-T1418-header" 
data-toggle="collapse" data-target="#mobile-TA0032-T1418-body" aria-expanded="false" aria-controls="#mobile-TA0032-T1418-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-T1418-body" aria-labelledby="mobile-TA0032-T1418-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1418-T1418.001"> <a href="/versions/v13/techniques/T1418/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1426"> <a href="/versions/v13/techniques/T1426/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1422"> <a href="/versions/v13/techniques/T1422/"> System Network Configuration Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1421"> <a href="/versions/v13/techniques/T1421/"> System Network Connections Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033"> <a href="/versions/v13/tactics/TA0033"> Lateral Movement </a> <div class="expand-button collapsed" id="mobile-TA0033-header" data-toggle="collapse" data-target="#mobile-TA0033-body" aria-expanded="false" aria-controls="#mobile-TA0033-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0033-body" aria-labelledby="mobile-TA0033-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033-T1428"> <a href="/versions/v13/techniques/T1428/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033-T1458"> <a href="/versions/v13/techniques/T1458/"> Replication Through Removable Media </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035"> <a href="/versions/v13/tactics/TA0035"> Collection </a> <div class="expand-button collapsed" id="mobile-TA0035-header" data-toggle="collapse" data-target="#mobile-TA0035-body" 
aria-expanded="false" aria-controls="#mobile-TA0035-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-body" aria-labelledby="mobile-TA0035-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1517"> <a href="/versions/v13/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1638"> <a href="/versions/v13/techniques/T1638/"> Adversary-in-the-Middle </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1532"> <a href="/versions/v13/techniques/T1532/"> Archive Collected Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1429"> <a href="/versions/v13/techniques/T1429/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1616"> <a href="/versions/v13/techniques/T1616/"> Call Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1414"> <a href="/versions/v13/techniques/T1414/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1533"> <a href="/versions/v13/techniques/T1533/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1417"> <a href="/versions/v13/techniques/T1417/"> Input Capture </a> <div class="expand-button collapsed" id="mobile-TA0035-T1417-header" data-toggle="collapse" data-target="#mobile-TA0035-T1417-body" aria-expanded="false" aria-controls="#mobile-TA0035-T1417-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-T1417-body" aria-labelledby="mobile-TA0035-T1417-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1417-T1417.001"> <a href="/versions/v13/techniques/T1417/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1417-T1417.002"> <a 
href="/versions/v13/techniques/T1417/002/"> GUI Input Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1430"> <a href="/versions/v13/techniques/T1430/"> Location Tracking </a> <div class="expand-button collapsed" id="mobile-TA0035-T1430-header" data-toggle="collapse" data-target="#mobile-TA0035-T1430-body" aria-expanded="false" aria-controls="#mobile-TA0035-T1430-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-T1430-body" aria-labelledby="mobile-TA0035-T1430-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1430-T1430.001"> <a href="/versions/v13/techniques/T1430/001/"> Remote Device Management Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1430-T1430.002"> <a href="/versions/v13/techniques/T1430/002/"> Impersonate SS7 Nodes </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636"> <a href="/versions/v13/techniques/T1636/"> Protected User Data </a> <div class="expand-button collapsed" id="mobile-TA0035-T1636-header" data-toggle="collapse" data-target="#mobile-TA0035-T1636-body" aria-expanded="false" aria-controls="#mobile-TA0035-T1636-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-T1636-body" aria-labelledby="mobile-TA0035-T1636-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.001"> <a href="/versions/v13/techniques/T1636/001/"> Calendar Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.002"> <a href="/versions/v13/techniques/T1636/002/"> Call Log </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.003"> <a href="/versions/v13/techniques/T1636/003/"> Contact List </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.004"> <a 
href="/versions/v13/techniques/T1636/004/"> SMS Messages </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1513"> <a href="/versions/v13/techniques/T1513/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1409"> <a href="/versions/v13/techniques/T1409/"> Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1512"> <a href="/versions/v13/techniques/T1512/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037"> <a href="/versions/v13/tactics/TA0037"> Command and Control </a> <div class="expand-button collapsed" id="mobile-TA0037-header" data-toggle="collapse" data-target="#mobile-TA0037-body" aria-expanded="false" aria-controls="#mobile-TA0037-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-body" aria-labelledby="mobile-TA0037-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1437"> <a href="/versions/v13/techniques/T1437/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="mobile-TA0037-T1437-header" data-toggle="collapse" data-target="#mobile-TA0037-T1437-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1437-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1437-body" aria-labelledby="mobile-TA0037-T1437-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1437-T1437.001"> <a href="/versions/v13/techniques/T1437/001/"> Web Protocols </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1616"> <a href="/versions/v13/techniques/T1616/"> Call Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1637"> <a href="/versions/v13/techniques/T1637/"> Dynamic Resolution </a> <div class="expand-button collapsed" 
id="mobile-TA0037-T1637-header" data-toggle="collapse" data-target="#mobile-TA0037-T1637-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1637-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1637-body" aria-labelledby="mobile-TA0037-T1637-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1637-T1637.001"> <a href="/versions/v13/techniques/T1637/001/"> Domain Generation Algorithms </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1521"> <a href="/versions/v13/techniques/T1521/"> Encrypted Channel </a> <div class="expand-button collapsed" id="mobile-TA0037-T1521-header" data-toggle="collapse" data-target="#mobile-TA0037-T1521-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1521-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1521-body" aria-labelledby="mobile-TA0037-T1521-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1521-T1521.001"> <a href="/versions/v13/techniques/T1521/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1521-T1521.002"> <a href="/versions/v13/techniques/T1521/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1544"> <a href="/versions/v13/techniques/T1544/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1509"> <a href="/versions/v13/techniques/T1509/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1644"> <a href="/versions/v13/techniques/T1644/"> Out of Band Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481"> <a href="/versions/v13/techniques/T1481/"> Web Service </a> <div class="expand-button collapsed" id="mobile-TA0037-T1481-header" data-toggle="collapse" 
data-target="#mobile-TA0037-T1481-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1481-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1481-body" aria-labelledby="mobile-TA0037-T1481-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481-T1481.001"> <a href="/versions/v13/techniques/T1481/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481-T1481.002"> <a href="/versions/v13/techniques/T1481/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481-T1481.003"> <a href="/versions/v13/techniques/T1481/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036"> <a href="/versions/v13/tactics/TA0036"> Exfiltration </a> <div class="expand-button collapsed" id="mobile-TA0036-header" data-toggle="collapse" data-target="#mobile-TA0036-body" aria-expanded="false" aria-controls="#mobile-TA0036-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-body" aria-labelledby="mobile-TA0036-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036-T1639"> <a href="/versions/v13/techniques/T1639/"> Exfiltration Over Alternative Protocol </a> <div class="expand-button collapsed" id="mobile-TA0036-T1639-header" data-toggle="collapse" data-target="#mobile-TA0036-T1639-body" aria-expanded="false" aria-controls="#mobile-TA0036-T1639-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-T1639-body" aria-labelledby="mobile-TA0036-T1639-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036-T1639-T1639.001"> <a href="/versions/v13/techniques/T1639/001/"> Exfiltration Over Unencrypted Non-C2 Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036-T1646"> <a 
href="/versions/v13/techniques/T1646/"> Exfiltration Over C2 Channel </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034"> <a href="/versions/v13/tactics/TA0034"> Impact </a> <div class="expand-button collapsed" id="mobile-TA0034-header" data-toggle="collapse" data-target="#mobile-TA0034-body" aria-expanded="false" aria-controls="#mobile-TA0034-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-body" aria-labelledby="mobile-TA0034-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1640"> <a href="/versions/v13/techniques/T1640/"> Account Access Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1616"> <a href="/versions/v13/techniques/T1616/"> Call Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1471"> <a href="/versions/v13/techniques/T1471/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1641"> <a href="/versions/v13/techniques/T1641/"> Data Manipulation </a> <div class="expand-button collapsed" id="mobile-TA0034-T1641-header" data-toggle="collapse" data-target="#mobile-TA0034-T1641-body" aria-expanded="false" aria-controls="#mobile-TA0034-T1641-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-T1641-body" aria-labelledby="mobile-TA0034-T1641-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1641-T1641.001"> <a href="/versions/v13/techniques/T1641/001/"> Transmitted Data Manipulation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1642"> <a href="/versions/v13/techniques/T1642/"> Endpoint Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1643"> <a href="/versions/v13/techniques/T1643/"> Generate Traffic from Victim </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head " id="mobile-TA0034-T1516"> <a href="/versions/v13/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1464"> <a href="/versions/v13/techniques/T1464/"> Network Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1582"> <a href="/versions/v13/techniques/T1582/"> SMS Control </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head active " id="ics"> <a href="/versions/v13/techniques/ics/"> ICS </a> <div class="expand-button collapsed" id="ics-header" data-toggle="collapse" data-target="#ics-body" aria-expanded="false" aria-controls="#ics-body"></div> </div> <div class="sidenav-body collapse" id="ics-body" aria-labelledby="ics-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108"> <a href="/versions/v13/tactics/TA0108"> Initial Access </a> <div class="expand-button collapsed" id="ics-TA0108-header" data-toggle="collapse" data-target="#ics-TA0108-body" aria-expanded="false" aria-controls="#ics-TA0108-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0108-body" aria-labelledby="ics-TA0108-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0817"> <a href="/versions/v13/techniques/T0817/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0819"> <a href="/versions/v13/techniques/T0819/"> Exploit Public-Facing Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0866"> <a href="/versions/v13/techniques/T0866/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0822"> <a href="/versions/v13/techniques/T0822/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0883"> <a href="/versions/v13/techniques/T0883/"> 
Internet Accessible Device </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0886"> <a href="/versions/v13/techniques/T0886/"> Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0847"> <a href="/versions/v13/techniques/T0847/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0848"> <a href="/versions/v13/techniques/T0848/"> Rogue Master </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0865"> <a href="/versions/v13/techniques/T0865/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0862"> <a href="/versions/v13/techniques/T0862/"> Supply Chain Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0864"> <a href="/versions/v13/techniques/T0864/"> Transient Cyber Asset </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0860"> <a href="/versions/v13/techniques/T0860/"> Wireless Compromise </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104"> <a href="/versions/v13/tactics/TA0104"> Execution </a> <div class="expand-button collapsed" id="ics-TA0104-header" data-toggle="collapse" data-target="#ics-TA0104-body" aria-expanded="false" aria-controls="#ics-TA0104-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0104-body" aria-labelledby="ics-TA0104-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0858"> <a href="/versions/v13/techniques/T0858/"> Change Operating Mode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0807"> <a href="/versions/v13/techniques/T0807/"> Command-Line Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0871"> <a href="/versions/v13/techniques/T0871/"> Execution through 
API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0823"> <a href="/versions/v13/techniques/T0823/"> Graphical User Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0874"> <a href="/versions/v13/techniques/T0874/"> Hooking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0821"> <a href="/versions/v13/techniques/T0821/"> Modify Controller Tasking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0834"> <a href="/versions/v13/techniques/T0834/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0853"> <a href="/versions/v13/techniques/T0853/"> Scripting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0863"> <a href="/versions/v13/techniques/T0863/"> User Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110"> <a href="/versions/v13/tactics/TA0110"> Persistence </a> <div class="expand-button collapsed" id="ics-TA0110-header" data-toggle="collapse" data-target="#ics-TA0110-body" aria-expanded="false" aria-controls="#ics-TA0110-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0110-body" aria-labelledby="ics-TA0110-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0891"> <a href="/versions/v13/techniques/T0891/"> Hardcoded Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0889"> <a href="/versions/v13/techniques/T0889/"> Modify Program </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0839"> <a href="/versions/v13/techniques/T0839/"> Module Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0873"> <a href="/versions/v13/techniques/T0873/"> Project File Infection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="ics-TA0110-T0857"> <a href="/versions/v13/techniques/T0857/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0859"> <a href="/versions/v13/techniques/T0859/"> Valid Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0111"> <a href="/versions/v13/tactics/TA0111"> Privilege Escalation </a> <div class="expand-button collapsed" id="ics-TA0111-header" data-toggle="collapse" data-target="#ics-TA0111-body" aria-expanded="false" aria-controls="#ics-TA0111-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0111-body" aria-labelledby="ics-TA0111-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0111-T0890"> <a href="/versions/v13/techniques/T0890/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0111-T0874"> <a href="/versions/v13/techniques/T0874/"> Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103"> <a href="/versions/v13/tactics/TA0103"> Evasion </a> <div class="expand-button collapsed" id="ics-TA0103-header" data-toggle="collapse" data-target="#ics-TA0103-body" aria-expanded="false" aria-controls="#ics-TA0103-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0103-body" aria-labelledby="ics-TA0103-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0858"> <a href="/versions/v13/techniques/T0858/"> Change Operating Mode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0820"> <a href="/versions/v13/techniques/T0820/"> Exploitation for Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0872"> <a href="/versions/v13/techniques/T0872/"> Indicator Removal on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0849"> <a href="/versions/v13/techniques/T0849/"> Masquerading 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0851"> <a href="/versions/v13/techniques/T0851/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0856"> <a href="/versions/v13/techniques/T0856/"> Spoof Reporting Message </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102"> <a href="/versions/v13/tactics/TA0102"> Discovery </a> <div class="expand-button collapsed" id="ics-TA0102-header" data-toggle="collapse" data-target="#ics-TA0102-body" aria-expanded="false" aria-controls="#ics-TA0102-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0102-body" aria-labelledby="ics-TA0102-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0840"> <a href="/versions/v13/techniques/T0840/"> Network Connection Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0842"> <a href="/versions/v13/techniques/T0842/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0846"> <a href="/versions/v13/techniques/T0846/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0888"> <a href="/versions/v13/techniques/T0888/"> Remote System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0887"> <a href="/versions/v13/techniques/T0887/"> Wireless Sniffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0109"> <a href="/versions/v13/tactics/TA0109"> Lateral Movement </a> <div class="expand-button collapsed" id="ics-TA0109-header" data-toggle="collapse" data-target="#ics-TA0109-body" aria-expanded="false" aria-controls="#ics-TA0109-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0109-body" aria-labelledby="ics-TA0109-header"> <div class="sidenav"> <div class="sidenav-head " 
<a href="/versions/v13/techniques/T0882/"> Theft of Operational Information </a> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 col-lg-9 col-md-8 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v13/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v13/techniques/ics/">Techniques</a></li> <li class="breadcrumb-item">ICS</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <div class="container overflow-x-auto"> <div class="row"> <div class="col-md-10"> <h1> ICS Techniques </h1> <p> Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access. </p> </div> <div class="col-md-2 div-count"> <div class="row table-object-count pr-3"> <h6>Techniques: 81</h6> </div> <div class="row table-object-count pr-3"> <h6>Sub-techniques: 0</h6> </div> </div> </div> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0800"> T0800 </a> </td> <td> <a href="/versions/v13/techniques/T0800"> Activate Firmware Update Mode </a> </td> <td> Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. 
A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0830"> T0830 </a> </td> <td> <a href="/versions/v13/techniques/T0830"> Adversary-in-the-Middle </a> </td> <td> Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If an AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0878"> T0878 </a> </td> <td> <a href="/versions/v13/techniques/T0878"> Alarm Suppression </a> </td> <td> Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0802"> T0802 </a> </td> <td> <a href="/versions/v13/techniques/T0802"> Automated Collection </a> </td> <td> Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. 
Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0803"> T0803 </a> </td> <td> <a href="/versions/v13/techniques/T0803"> Block Command Message </a> </td> <td> Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0804"> T0804 </a> </td> <td> <a href="/versions/v13/techniques/T0804"> Block Reporting Message </a> </td> <td> Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0805"> T0805 </a> </td> <td> <a href="/versions/v13/techniques/T0805"> Block Serial COM </a> </td> <td> Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0806"> T0806 </a> </td> <td> <a href="/versions/v13/techniques/T0806"> Brute Force I/O </a> </td> <td> Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0892"> T0892 </a> </td> <td> <a href="/versions/v13/techniques/T0892"> Change Credential </a> </td> <td> Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0858"> T0858 </a> </td> <td> <a href="/versions/v13/techniques/T0858"> Change Operating Mode </a> </td> <td> Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controller's API. 
Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controller's API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0807"> T0807 </a> </td> <td> <a href="/versions/v13/techniques/T0807"> Command-Line Interface </a> </td> <td> Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0885"> T0885 </a> </td> <td> <a href="/versions/v13/techniques/T0885"> Commonly Used Port </a> </td> <td> Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0884"> T0884 </a> </td> <td> <a href="/versions/v13/techniques/T0884"> Connection Proxy </a> </td> <td> Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0879"> T0879 </a> </td> <td> <a href="/versions/v13/techniques/T0879"> Damage to Property </a> </td> <td> Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in <a href="/versions/v13/techniques/T0880">Loss of Safety</a>. Operations that result in <a href="/versions/v13/techniques/T0827">Loss of Control</a> may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of <a href="/versions/v13/techniques/T0828">Loss of Productivity and Revenue</a>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0809"> T0809 </a> </td> <td> <a href="/versions/v13/techniques/T0809"> Data Destruction </a> </td> <td> Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0811"> T0811 </a> </td> <td> <a href="/versions/v13/techniques/T0811"> Data from Information Repositories </a> </td> <td> Adversaries may target and collect data from information repositories. 
This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0893"> T0893 </a> </td> <td> <a href="/versions/v13/techniques/T0893"> Data from Local System </a> </td> <td> Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0812"> T0812 </a> </td> <td> <a href="/versions/v13/techniques/T0812"> Default Credentials </a> </td> <td> Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0813"> T0813 </a> </td> <td> <a href="/versions/v13/techniques/T0813"> Denial of Control </a> </td> <td> Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0814"> T0814 </a> </td> <td> <a href="/versions/v13/techniques/T0814"> Denial of Service </a> </td> <td> Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0815"> T0815 </a> </td> <td> <a href="/versions/v13/techniques/T0815"> Denial of View </a> </td> <td> Adversaries may cause a denial of view in an attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0868"> T0868 </a> </td> <td> <a href="/versions/v13/techniques/T0868"> Detect Operating Mode </a> </td> <td> Adversaries may gather information about a PLC's or controller's current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. 
Some commonly implemented operating modes are described below: </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0816"> T0816 </a> </td> <td> <a href="/versions/v13/techniques/T0816"> Device Restart/Shutdown </a> </td> <td> Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0817"> T0817 </a> </td> <td> <a href="/versions/v13/techniques/T0817"> Drive-by Compromise </a> </td> <td> Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0871"> T0871 </a> </td> <td> <a href="/versions/v13/techniques/T0871"> Execution through API </a> </td> <td> Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0819"> T0819 </a> </td> <td> <a href="/versions/v13/techniques/T0819"> Exploit Public-Facing Application </a> </td> <td> Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. 
Internet-facing software may be user applications, underlying networking implementations, an asset's operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0820"> T0820 </a> </td> <td> <a href="/versions/v13/techniques/T0820"> Exploitation for Evasion </a> </td> <td> Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0890"> T0890 </a> </td> <td> <a href="/versions/v13/techniques/T0890"> Exploitation for Privilege Escalation </a> </td> <td> Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0866"> T0866 </a> </td> <td> <a href="/versions/v13/techniques/T0866"> Exploitation of Remote Services </a> </td> <td> Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. 
A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0822"> T0822 </a> </td> <td> <a href="/versions/v13/techniques/T0822"> External Remote Services </a> </td> <td> Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0823"> T0823 </a> </td> <td> <a href="/versions/v13/techniques/T0823"> Graphical User Interface </a> </td> <td> Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0891"> T0891 </a> </td> <td> <a href="/versions/v13/techniques/T0891"> Hardcoded Credentials </a> </td> <td> Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. 
Example credentials that may be hardcoded in an asset include: </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0874"> T0874 </a> </td> <td> <a href="/versions/v13/techniques/T0874"> Hooking </a> </td> <td> Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0877"> T0877 </a> </td> <td> <a href="/versions/v13/techniques/T0877"> I/O Image </a> </td> <td> Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. The image table is the PLC's internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0872"> T0872 </a> </td> <td> <a href="/versions/v13/techniques/T0872"> Indicator Removal on Host </a> </td> <td> Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0883"> T0883 </a> </td> <td> <a href="/versions/v13/techniques/T0883"> Internet Accessible Device </a> </td> <td> Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through <a href="/versions/v13/techniques/T0822">External Remote Services</a>. Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits; these would be represented within the <a href="/versions/v13/techniques/T0819">Exploit Public-Facing Application</a> technique. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0867"> T0867 </a> </td> <td> <a href="/versions/v13/techniques/T0867"> Lateral Tool Transfer </a> </td> <td> Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0826"> T0826 </a> </td> <td> <a href="/versions/v13/techniques/T0826"> Loss of Availability </a> </td> <td> Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0827"> T0827 </a> </td> <td> <a href="/versions/v13/techniques/T0827"> Loss of Control </a> </td> <td> Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0828"> T0828 </a> </td> <td> <a href="/versions/v13/techniques/T0828"> Loss of Productivity and Revenue </a> </td> <td> Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0837"> T0837 </a> </td> <td> <a href="/versions/v13/techniques/T0837"> Loss of Protection </a> </td> <td> Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0880"> T0880 </a> </td> <td> <a href="/versions/v13/techniques/T0880"> Loss of Safety </a> </td> <td> Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0829"> T0829 </a> </td> <td> <a href="/versions/v13/techniques/T0829"> Loss of View </a> </td> <td> Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0835"> T0835 </a> </td> <td> <a href="/versions/v13/techniques/T0835"> Manipulate I/O Image </a> </td> <td> Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. The image table is the PLC's internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0831"> T0831 </a> </td> <td> <a href="/versions/v13/techniques/T0831"> Manipulation of Control </a> </td> <td> Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters.
Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0832"> T0832 </a> </td> <td> <a href="/versions/v13/techniques/T0832"> Manipulation of View </a> </td> <td> Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0849"> T0849 </a> </td> <td> <a href="/versions/v13/techniques/T0849"> Masquerading </a> </td> <td> Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0838"> T0838 </a> </td> <td> <a href="/versions/v13/techniques/T0838"> Modify Alarm Settings </a> </td> <td> Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. 
Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0821"> T0821 </a> </td> <td> <a href="/versions/v13/techniques/T0821"> Modify Controller Tasking </a> </td> <td> Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0836"> T0836 </a> </td> <td> <a href="/versions/v13/techniques/T0836"> Modify Parameter </a> </td> <td> Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0889"> T0889 </a> </td> <td> <a href="/versions/v13/techniques/T0889"> Modify Program </a> </td> <td> Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0839"> T0839 </a> </td> <td> <a href="/versions/v13/techniques/T0839"> Module Firmware </a> </td> <td> Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0801"> T0801 </a> </td> <td> <a href="/versions/v13/techniques/T0801"> Monitor Process State </a> </td> <td> Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary, such as OPC tags, historian data, specific PLC block information, or network traffic. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0834"> T0834 </a> </td> <td> <a href="/versions/v13/techniques/T0834"> Native API </a> </td> <td> Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0840"> T0840 </a> </td> <td> <a href="/versions/v13/techniques/T0840"> Network Connection Enumeration </a> </td> <td> Adversaries may perform network connection enumeration to discover information about device communication patterns.
If an adversary can inspect the state of a network connection with tools, such as Netstat, in conjunction with <a href="/versions/v13/techniques/T0857">System Firmware</a>, then they can determine the role of certain devices on the network. The adversary can also use <a href="/versions/v13/techniques/T0842">Network Sniffing</a> to watch network traffic for details about the source, destination, protocol, and content. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0842"> T0842 </a> </td> <td> <a href="/versions/v13/techniques/T0842"> Network Sniffing </a> </td> <td> Network sniffing is the practice of using a network interface on a computer system to monitor or capture information regardless of whether it is the specified destination for the information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0861"> T0861 </a> </td> <td> <a href="/versions/v13/techniques/T0861"> Point & Tag Identification </a> </td> <td> Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. Tags are the identifiers given to points for operator convenience. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0843"> T0843 </a> </td> <td> <a href="/versions/v13/techniques/T0843"> Program Download </a> </td> <td> Adversaries may perform a program download to transfer a user program to a controller. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0845"> T0845 </a> </td> <td> <a href="/versions/v13/techniques/T0845"> Program Upload </a> </td> <td> Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic.
Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0873"> T0873 </a> </td> <td> <a href="/versions/v13/techniques/T0873"> Project File Infection </a> </td> <td> Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built-in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further <a href="https://attack.mitre.org/tactics/TA0104">Execution</a> and <a href="https://attack.mitre.org/tactics/TA0110">Persistence</a> techniques. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0886"> T0886 </a> </td> <td> <a href="/versions/v13/techniques/T0886"> Remote Services </a> </td> <td> Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network; some examples are RDP, SMB, SSH, and other similar mechanisms. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0846"> T0846 </a> </td> <td> <a href="/versions/v13/techniques/T0846"> Remote System Discovery </a> </td> <td> Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0888"> T0888 </a> </td> <td> <a href="/versions/v13/techniques/T0888"> Remote System Information Discovery </a> </td> <td> An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0847"> T0847 </a> </td> <td> <a href="/versions/v13/techniques/T0847"> Replication Through Removable Media </a> </td> <td> Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0848"> T0848 </a> </td> <td> <a href="/versions/v13/techniques/T0848"> Rogue Master </a> </td> <td> Adversaries may set up a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master.
Impersonating a master may also allow an adversary to avoid detection. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0851"> T0851 </a> </td> <td> <a href="/versions/v13/techniques/T0851"> Rootkit </a> </td> <td> Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0852"> T0852 </a> </td> <td> <a href="/versions/v13/techniques/T0852"> Screen Capture </a> </td> <td> Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0853"> T0853 </a> </td> <td> <a href="/versions/v13/techniques/T0853"> Scripting </a> </td> <td> Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. 
These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0881"> T0881 </a> </td> <td> <a href="/versions/v13/techniques/T0881"> Service Stop </a> </td> <td> Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0865"> T0865 </a> </td> <td> <a href="/versions/v13/techniques/T0865"> Spearphishing Attachment </a> </td> <td> Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon <a href="/versions/v13/techniques/T0863">User Execution</a> to gain execution and access. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0856"> T0856 </a> </td> <td> <a href="/versions/v13/techniques/T0856"> Spoof Reporting Message </a> </td> <td> Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0869"> T0869 </a> </td> <td> <a href="/versions/v13/techniques/T0869"> Standard Application Layer Protocol </a> </td> <td> Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0862"> T0862 </a> </td> <td> <a href="/versions/v13/techniques/T0862"> Supply Chain Compromise </a> </td> <td> Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0857"> T0857 </a> </td> <td> <a href="/versions/v13/techniques/T0857"> System Firmware </a> </td> <td> System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprogramming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0882"> T0882 </a> </td> <td> <a href="/versions/v13/techniques/T0882"> Theft of Operational Information </a> </td> <td> Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0864"> T0864 </a> </td> <td> <a href="/versions/v13/techniques/T0864"> Transient Cyber Asset </a> </td> <td> Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0855"> T0855 </a> </td> <td> <a href="/versions/v13/techniques/T0855"> Unauthorized Command Message </a> </td> <td> Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an <a href="https://attack.mitre.org/tactics/TA0105">Impact</a>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0863"> T0863 </a> </td> <td> <a href="/versions/v13/techniques/T0863"> User Execution </a> </td> <td> Adversaries may rely on a targeted organization's user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0859"> T0859 </a> </td> <td> <a href="/versions/v13/techniques/T0859"> Valid Accounts </a> </td> <td> Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems.
Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0860"> T0860 </a> </td> <td> <a href="/versions/v13/techniques/T0860"> Wireless Compromise </a> </td> <td> Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v13/techniques/T0887"> T0887 </a> </td> <td> <a href="/versions/v13/techniques/T0887"> Wireless Sniffing </a> </td> <td> Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies range from 3 kHz to 300 GHz, although they are commonly between 300 MHz and 6 GHz. The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum.
</td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> </div> <!--stopindex--> </div> </body> </html>