CINXE.COM

Data Staged: Local Data Staging, Sub-technique T1074.001 - Enterprise | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Data Staged: Local Data Staging, Sub-technique T1074.001 - Enterprise | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical"> <span class="heading" id="v-home-tab" aria-selected="false">TECHNIQUES</span> <div class="sidenav"> <div class="sidenav-head " id="enterprise"> <a href="/versions/v9/techniques/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043"> <a href="/versions/v9/tactics/TA0043"> Reconnaissance </a> <div class="expand-button collapsed" id="enterprise-TA0043-header" data-toggle="collapse" data-target="#enterprise-TA0043-body" aria-expanded="false" aria-controls="#enterprise-TA0043-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-body" aria-labelledby="enterprise-TA0043-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595"> <a href="/versions/v9/techniques/T1595/"> Active Scanning </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1595-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1595-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1595-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1595-body" aria-labelledby="enterprise-TA0043-T1595-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.001"> <a href="/versions/v9/techniques/T1595/001/"> Scanning IP Blocks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.002"> <a href="/versions/v9/techniques/T1595/002/"> Vulnerability Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592"> <a href="/versions/v9/techniques/T1592/"> Gather Victim Host Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1592-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1592-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1592-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1592-body" aria-labelledby="enterprise-TA0043-T1592-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.001"> <a href="/versions/v9/techniques/T1592/001/"> Hardware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.002"> <a href="/versions/v9/techniques/T1592/002/"> Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.003"> <a href="/versions/v9/techniques/T1592/003/"> Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.004"> <a href="/versions/v9/techniques/T1592/004/"> Client Configurations </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589"> <a href="/versions/v9/techniques/T1589/"> Gather Victim Identity Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1589-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1589-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1589-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1589-body" aria-labelledby="enterprise-TA0043-T1589-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.001"> <a href="/versions/v9/techniques/T1589/001/"> Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.002"> <a href="/versions/v9/techniques/T1589/002/"> Email Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.003"> <a href="/versions/v9/techniques/T1589/003/"> Employee Names </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590"> <a href="/versions/v9/techniques/T1590/"> Gather Victim Network Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1590-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1590-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1590-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1590-body" aria-labelledby="enterprise-TA0043-T1590-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.001"> <a href="/versions/v9/techniques/T1590/001/"> Domain Properties </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.002"> <a href="/versions/v9/techniques/T1590/002/"> DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.003"> <a href="/versions/v9/techniques/T1590/003/"> Network Trust Dependencies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.004"> <a href="/versions/v9/techniques/T1590/004/"> Network Topology </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.005"> <a href="/versions/v9/techniques/T1590/005/"> IP Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.006"> <a href="/versions/v9/techniques/T1590/006/"> Network Security Appliances </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591"> <a href="/versions/v9/techniques/T1591/"> Gather Victim Org Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1591-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1591-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1591-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1591-body" aria-labelledby="enterprise-TA0043-T1591-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.001"> <a href="/versions/v9/techniques/T1591/001/"> Determine Physical Locations </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.002"> <a href="/versions/v9/techniques/T1591/002/"> Business Relationships </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.003"> <a href="/versions/v9/techniques/T1591/003/"> Identify Business Tempo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.004"> <a href="/versions/v9/techniques/T1591/004/"> Identify Roles </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598"> <a href="/versions/v9/techniques/T1598/"> Phishing for Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1598-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1598-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1598-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1598-body" aria-labelledby="enterprise-TA0043-T1598-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.001"> <a href="/versions/v9/techniques/T1598/001/"> Spearphishing Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.002"> <a href="/versions/v9/techniques/T1598/002/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.003"> <a href="/versions/v9/techniques/T1598/003/"> Spearphishing Link </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597"> <a href="/versions/v9/techniques/T1597/"> Search Closed Sources </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1597-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1597-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1597-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1597-body" aria-labelledby="enterprise-TA0043-T1597-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.001"> <a href="/versions/v9/techniques/T1597/001/"> Threat Intel Vendors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.002"> <a href="/versions/v9/techniques/T1597/002/"> Purchase Technical Data </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596"> <a href="/versions/v9/techniques/T1596/"> Search Open Technical Databases </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1596-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1596-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1596-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1596-body" aria-labelledby="enterprise-TA0043-T1596-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.001"> <a href="/versions/v9/techniques/T1596/001/"> DNS/Passive DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.002"> <a href="/versions/v9/techniques/T1596/002/"> WHOIS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.003"> <a href="/versions/v9/techniques/T1596/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.004"> <a href="/versions/v9/techniques/T1596/004/"> CDNs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.005"> <a href="/versions/v9/techniques/T1596/005/"> Scan Databases </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593"> <a href="/versions/v9/techniques/T1593/"> Search Open Websites/Domains </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1593-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1593-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1593-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1593-body" aria-labelledby="enterprise-TA0043-T1593-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.001"> <a href="/versions/v9/techniques/T1593/001/"> Social Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.002"> <a href="/versions/v9/techniques/T1593/002/"> Search Engines </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1594"> <a href="/versions/v9/techniques/T1594/"> Search Victim-Owned Websites </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042"> <a href="/versions/v9/tactics/TA0042"> Resource Development </a> <div class="expand-button collapsed" id="enterprise-TA0042-header" data-toggle="collapse" data-target="#enterprise-TA0042-body" aria-expanded="false" aria-controls="#enterprise-TA0042-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-body" aria-labelledby="enterprise-TA0042-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583"> <a href="/versions/v9/techniques/T1583/"> Acquire Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1583-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1583-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1583-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1583-body" aria-labelledby="enterprise-TA0042-T1583-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.001"> <a href="/versions/v9/techniques/T1583/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.002"> <a href="/versions/v9/techniques/T1583/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.003"> <a href="/versions/v9/techniques/T1583/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.004"> <a href="/versions/v9/techniques/T1583/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.005"> <a href="/versions/v9/techniques/T1583/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.006"> <a href="/versions/v9/techniques/T1583/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586"> <a href="/versions/v9/techniques/T1586/"> Compromise Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1586-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1586-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1586-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1586-body" aria-labelledby="enterprise-TA0042-T1586-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.001"> <a href="/versions/v9/techniques/T1586/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.002"> <a href="/versions/v9/techniques/T1586/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584"> <a href="/versions/v9/techniques/T1584/"> Compromise Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1584-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1584-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1584-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1584-body" aria-labelledby="enterprise-TA0042-T1584-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.001"> <a href="/versions/v9/techniques/T1584/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.002"> <a href="/versions/v9/techniques/T1584/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.003"> <a href="/versions/v9/techniques/T1584/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.004"> <a href="/versions/v9/techniques/T1584/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.005"> <a href="/versions/v9/techniques/T1584/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.006"> <a href="/versions/v9/techniques/T1584/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587"> <a href="/versions/v9/techniques/T1587/"> Develop Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1587-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1587-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1587-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1587-body" aria-labelledby="enterprise-TA0042-T1587-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.001"> <a href="/versions/v9/techniques/T1587/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.002"> <a href="/versions/v9/techniques/T1587/002/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.003"> <a href="/versions/v9/techniques/T1587/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.004"> <a href="/versions/v9/techniques/T1587/004/"> Exploits </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585"> <a href="/versions/v9/techniques/T1585/"> Establish Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1585-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1585-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1585-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1585-body" aria-labelledby="enterprise-TA0042-T1585-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.001"> <a href="/versions/v9/techniques/T1585/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.002"> <a href="/versions/v9/techniques/T1585/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588"> <a href="/versions/v9/techniques/T1588/"> Obtain Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1588-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1588-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1588-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1588-body" aria-labelledby="enterprise-TA0042-T1588-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.001"> <a href="/versions/v9/techniques/T1588/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.002"> <a href="/versions/v9/techniques/T1588/002/"> Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.003"> <a href="/versions/v9/techniques/T1588/003/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.004"> <a href="/versions/v9/techniques/T1588/004/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.005"> <a href="/versions/v9/techniques/T1588/005/"> Exploits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.006"> <a href="/versions/v9/techniques/T1588/006/"> Vulnerabilities </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608"> <a href="/versions/v9/techniques/T1608/"> Stage Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1608-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1608-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1608-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1608-body" aria-labelledby="enterprise-TA0042-T1608-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.001"> <a href="/versions/v9/techniques/T1608/001/"> Upload Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.002"> <a href="/versions/v9/techniques/T1608/002/"> Upload Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.003"> <a href="/versions/v9/techniques/T1608/003/"> Install Digital Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.004"> <a href="/versions/v9/techniques/T1608/004/"> Drive-by Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.005"> <a href="/versions/v9/techniques/T1608/005/"> Link Target </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001"> <a href="/versions/v9/tactics/TA0001"> Initial Access </a> <div class="expand-button collapsed" id="enterprise-TA0001-header" data-toggle="collapse" data-target="#enterprise-TA0001-body" aria-expanded="false" aria-controls="#enterprise-TA0001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-body" aria-labelledby="enterprise-TA0001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1189"> <a href="/versions/v9/techniques/T1189/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1190"> <a href="/versions/v9/techniques/T1190/"> Exploit Public-Facing Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1200"> <a href="/versions/v9/techniques/T1200/"> Hardware Additions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1566"> <a href="/versions/v9/techniques/T1566/"> Phishing </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1566-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1566-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1566-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1566-body" aria-labelledby="enterprise-TA0001-T1566-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.001"> <a href="/versions/v9/techniques/T1566/001/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.002"> <a href="/versions/v9/techniques/T1566/002/"> Spearphishing Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.003"> <a href="/versions/v9/techniques/T1566/003/"> Spearphishing via Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1195"> <a href="/versions/v9/techniques/T1195/"> Supply Chain Compromise </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1195-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1195-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1195-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1195-body" aria-labelledby="enterprise-TA0001-T1195-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.001"> <a href="/versions/v9/techniques/T1195/001/"> Compromise Software Dependencies and Development Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.002"> <a href="/versions/v9/techniques/T1195/002/"> Compromise Software Supply Chain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.003"> <a href="/versions/v9/techniques/T1195/003/"> Compromise Hardware Supply Chain </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1199"> <a href="/versions/v9/techniques/T1199/"> Trusted Relationship </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1078-body" aria-labelledby="enterprise-TA0001-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002"> <a href="/versions/v9/tactics/TA0002"> Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-header" data-toggle="collapse" data-target="#enterprise-TA0002-body" aria-expanded="false" aria-controls="#enterprise-TA0002-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-body" aria-labelledby="enterprise-TA0002-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1059"> <a href="/versions/v9/techniques/T1059/"> Command and Scripting Interpreter </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1059-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1059-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1059-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1059-body" aria-labelledby="enterprise-TA0002-T1059-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.001"> <a href="/versions/v9/techniques/T1059/001/"> PowerShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.002"> <a href="/versions/v9/techniques/T1059/002/"> AppleScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.003"> <a href="/versions/v9/techniques/T1059/003/"> Windows Command Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.004"> <a href="/versions/v9/techniques/T1059/004/"> Unix Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.005"> <a href="/versions/v9/techniques/T1059/005/"> Visual Basic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.006"> <a href="/versions/v9/techniques/T1059/006/"> Python </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.007"> <a href="/versions/v9/techniques/T1059/007/"> JavaScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.008"> <a href="/versions/v9/techniques/T1059/008/"> Network Device CLI </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1609"> <a href="/versions/v9/techniques/T1609/"> Container Administration Command </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1203"> <a href="/versions/v9/techniques/T1203/"> Exploitation for Client Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1559"> <a href="/versions/v9/techniques/T1559/"> Inter-Process Communication </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1559-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1559-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1559-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1559-body" aria-labelledby="enterprise-TA0002-T1559-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.001"> <a href="/versions/v9/techniques/T1559/001/"> Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.002"> <a href="/versions/v9/techniques/T1559/002/"> Dynamic Data Exchange </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1106"> <a href="/versions/v9/techniques/T1106/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1053-body" aria-labelledby="enterprise-TA0002-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1129"> <a href="/versions/v9/techniques/T1129/"> Shared Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1569"> <a href="/versions/v9/techniques/T1569/"> System Services </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1569-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1569-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1569-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1569-body" aria-labelledby="enterprise-TA0002-T1569-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.001"> <a href="/versions/v9/techniques/T1569/001/"> Launchctl </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.002"> <a href="/versions/v9/techniques/T1569/002/"> Service Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1204"> <a href="/versions/v9/techniques/T1204/"> User Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1204-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1204-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1204-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1204-body" aria-labelledby="enterprise-TA0002-T1204-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.001"> <a href="/versions/v9/techniques/T1204/001/"> Malicious Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.002"> <a href="/versions/v9/techniques/T1204/002/"> Malicious File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.003"> <a href="/versions/v9/techniques/T1204/003/"> Malicious Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1047"> <a href="/versions/v9/techniques/T1047/"> Windows Management Instrumentation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003"> <a href="/versions/v9/tactics/TA0003"> Persistence </a> <div class="expand-button collapsed" id="enterprise-TA0003-header" data-toggle="collapse" data-target="#enterprise-TA0003-body" aria-expanded="false" aria-controls="#enterprise-TA0003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-body" aria-labelledby="enterprise-TA0003-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098"> <a href="/versions/v9/techniques/T1098/"> Account Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1098-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1098-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1098-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1098-body" aria-labelledby="enterprise-TA0003-T1098-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.001"> <a href="/versions/v9/techniques/T1098/001/"> Additional Cloud Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.002"> <a href="/versions/v9/techniques/T1098/002/"> Exchange Email Delegate Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.003"> <a href="/versions/v9/techniques/T1098/003/"> Add Office 365 Global Administrator Role </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.004"> <a href="/versions/v9/techniques/T1098/004/"> SSH Authorized Keys </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1547-body" aria-labelledby="enterprise-TA0003-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1037-body" aria-labelledby="enterprise-TA0003-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1176"> <a href="/versions/v9/techniques/T1176/"> Browser Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1554"> <a href="/versions/v9/techniques/T1554/"> Compromise Client Software Binary </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136"> <a href="/versions/v9/techniques/T1136/"> Create Account </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1136-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1136-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1136-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1136-body" aria-labelledby="enterprise-TA0003-T1136-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.001"> <a href="/versions/v9/techniques/T1136/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.002"> <a href="/versions/v9/techniques/T1136/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.003"> <a href="/versions/v9/techniques/T1136/003/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1543-body" aria-labelledby="enterprise-TA0003-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1546-body" aria-labelledby="enterprise-TA0003-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1574-body" aria-labelledby="enterprise-TA0003-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1525"> <a href="/versions/v9/techniques/T1525/"> Implant Internal Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1556-body" aria-labelledby="enterprise-TA0003-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137"> <a href="/versions/v9/techniques/T1137/"> Office Application Startup </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1137-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1137-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1137-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1137-body" aria-labelledby="enterprise-TA0003-T1137-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.001"> <a href="/versions/v9/techniques/T1137/001/"> Office Template Macros </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.002"> <a href="/versions/v9/techniques/T1137/002/"> Office Test </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.003"> <a href="/versions/v9/techniques/T1137/003/"> Outlook Forms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.004"> <a href="/versions/v9/techniques/T1137/004/"> Outlook Home Page </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.005"> <a href="/versions/v9/techniques/T1137/005/"> Outlook Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.006"> <a href="/versions/v9/techniques/T1137/006/"> Add-ins </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1542-body" aria-labelledby="enterprise-TA0003-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1053-body" aria-labelledby="enterprise-TA0003-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505"> <a href="/versions/v9/techniques/T1505/"> Server Software Component </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1505-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1505-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1505-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1505-body" aria-labelledby="enterprise-TA0003-T1505-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.001"> <a href="/versions/v9/techniques/T1505/001/"> SQL Stored Procedures </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.002"> <a href="/versions/v9/techniques/T1505/002/"> Transport Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.003"> <a href="/versions/v9/techniques/T1505/003/"> Web Shell </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1205-body" aria-labelledby="enterprise-TA0003-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1078-body" aria-labelledby="enterprise-TA0003-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004"> <a href="/versions/v9/tactics/TA0004"> Privilege Escalation </a> <div class="expand-button collapsed" id="enterprise-TA0004-header" data-toggle="collapse" data-target="#enterprise-TA0004-body" aria-expanded="false" aria-controls="#enterprise-TA0004-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-body" aria-labelledby="enterprise-TA0004-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1548-body" aria-labelledby="enterprise-TA0004-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1134-body" aria-labelledby="enterprise-TA0004-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1547-body" aria-labelledby="enterprise-TA0004-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1037-body" aria-labelledby="enterprise-TA0004-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1543-body" aria-labelledby="enterprise-TA0004-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1484-body" aria-labelledby="enterprise-TA0004-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1611"> <a href="/versions/v9/techniques/T1611/"> Escape to Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1546-body" aria-labelledby="enterprise-TA0004-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1068"> <a href="/versions/v9/techniques/T1068/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1574-body" aria-labelledby="enterprise-TA0004-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1055-body" aria-labelledby="enterprise-TA0004-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1053-body" aria-labelledby="enterprise-TA0004-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1078-body" aria-labelledby="enterprise-TA0004-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005"> <a href="/versions/v9/tactics/TA0005"> Defense Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-header" data-toggle="collapse" data-target="#enterprise-TA0005-body" aria-expanded="false" aria-controls="#enterprise-TA0005-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-body" aria-labelledby="enterprise-TA0005-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1548-body" aria-labelledby="enterprise-TA0005-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1134-body" aria-labelledby="enterprise-TA0005-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1612"> <a href="/versions/v9/techniques/T1612/"> Build Image on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1140"> <a href="/versions/v9/techniques/T1140/"> Deobfuscate/Decode Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1006"> <a href="/versions/v9/techniques/T1006/"> Direct Volume Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1484-body" aria-labelledby="enterprise-TA0005-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480"> <a href="/versions/v9/techniques/T1480/"> Execution Guardrails </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1480-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1480-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1480-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1480-body" aria-labelledby="enterprise-TA0005-T1480-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1480-T1480.001"> <a href="/versions/v9/techniques/T1480/001/"> Environmental Keying </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1211"> <a href="/versions/v9/techniques/T1211/"> Exploitation for Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222"> <a href="/versions/v9/techniques/T1222/"> File and Directory Permissions Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1222-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1222-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1222-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1222-body" aria-labelledby="enterprise-TA0005-T1222-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.001"> <a href="/versions/v9/techniques/T1222/001/"> Windows File and Directory Permissions Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.002"> <a href="/versions/v9/techniques/T1222/002/"> Linux and Mac File and Directory Permissions Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564"> <a href="/versions/v9/techniques/T1564/"> Hide Artifacts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1564-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1564-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1564-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1564-body" aria-labelledby="enterprise-TA0005-T1564-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.001"> <a href="/versions/v9/techniques/T1564/001/"> Hidden Files and Directories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.002"> <a href="/versions/v9/techniques/T1564/002/"> Hidden Users </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.003"> <a href="/versions/v9/techniques/T1564/003/"> Hidden Window </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.004"> <a href="/versions/v9/techniques/T1564/004/"> NTFS File Attributes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.005"> <a href="/versions/v9/techniques/T1564/005/"> Hidden File System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.006"> <a href="/versions/v9/techniques/T1564/006/"> Run Virtual Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.007"> <a href="/versions/v9/techniques/T1564/007/"> VBA Stomping </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1574-body" aria-labelledby="enterprise-TA0005-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562"> <a href="/versions/v9/techniques/T1562/"> Impair Defenses </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1562-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1562-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1562-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1562-body" aria-labelledby="enterprise-TA0005-T1562-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.001"> <a href="/versions/v9/techniques/T1562/001/"> Disable or Modify Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.002"> <a href="/versions/v9/techniques/T1562/002/"> Disable Windows Event Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.003"> <a href="/versions/v9/techniques/T1562/003/"> Impair Command History Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.004"> <a href="/versions/v9/techniques/T1562/004/"> Disable or Modify System Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.006"> <a href="/versions/v9/techniques/T1562/006/"> Indicator Blocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.007"> <a href="/versions/v9/techniques/T1562/007/"> Disable or Modify Cloud Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.008"> <a href="/versions/v9/techniques/T1562/008/"> Disable Cloud Logs </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070"> <a href="/versions/v9/techniques/T1070/"> Indicator Removal on Host </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1070-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1070-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1070-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1070-body" aria-labelledby="enterprise-TA0005-T1070-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.001"> <a href="/versions/v9/techniques/T1070/001/"> Clear Windows Event Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.002"> <a href="/versions/v9/techniques/T1070/002/"> Clear Linux or Mac System Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.003"> <a href="/versions/v9/techniques/T1070/003/"> Clear Command History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.004"> <a href="/versions/v9/techniques/T1070/004/"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.005"> <a href="/versions/v9/techniques/T1070/005/"> Network Share Connection Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.006"> <a href="/versions/v9/techniques/T1070/006/"> Timestomp </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1202"> <a href="/versions/v9/techniques/T1202/"> Indirect Command Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036"> <a href="/versions/v9/techniques/T1036/"> Masquerading </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1036-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1036-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1036-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1036-body" aria-labelledby="enterprise-TA0005-T1036-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.001"> <a href="/versions/v9/techniques/T1036/001/"> Invalid Code Signature </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.002"> <a href="/versions/v9/techniques/T1036/002/"> Right-to-Left Override </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.003"> <a href="/versions/v9/techniques/T1036/003/"> Rename System Utilities </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.004"> <a href="/versions/v9/techniques/T1036/004/"> Masquerade Task or Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.005"> <a href="/versions/v9/techniques/T1036/005/"> Match Legitimate Name or Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.006"> <a href="/versions/v9/techniques/T1036/006/"> Space after Filename </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1556-body" aria-labelledby="enterprise-TA0005-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578"> <a href="/versions/v9/techniques/T1578/"> Modify Cloud Compute Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1578-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1578-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1578-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1578-body" aria-labelledby="enterprise-TA0005-T1578-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.001"> <a href="/versions/v9/techniques/T1578/001/"> Create Snapshot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.002"> <a href="/versions/v9/techniques/T1578/002/"> Create Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.003"> <a href="/versions/v9/techniques/T1578/003/"> Delete Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.004"> <a href="/versions/v9/techniques/T1578/004/"> Revert Cloud Instance </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1112"> <a href="/versions/v9/techniques/T1112/"> Modify Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1601"> <a href="/versions/v9/techniques/T1601/"> Modify System Image </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1601-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1601-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1601-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1601-body" aria-labelledby="enterprise-TA0005-T1601-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.001"> <a href="/versions/v9/techniques/T1601/001/"> Patch System Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.002"> <a href="/versions/v9/techniques/T1601/002/"> Downgrade System Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1599"> <a href="/versions/v9/techniques/T1599/"> Network Boundary Bridging </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1599-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1599-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1599-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1599-body" aria-labelledby="enterprise-TA0005-T1599-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1599-T1599.001"> <a href="/versions/v9/techniques/T1599/001/"> Network Address Translation Traversal </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027"> <a href="/versions/v9/techniques/T1027/"> Obfuscated Files or Information </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1027-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1027-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1027-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1027-body" aria-labelledby="enterprise-TA0005-T1027-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.001"> <a href="/versions/v9/techniques/T1027/001/"> Binary Padding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.002"> <a href="/versions/v9/techniques/T1027/002/"> Software Packing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.003"> <a href="/versions/v9/techniques/T1027/003/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.004"> <a href="/versions/v9/techniques/T1027/004/"> Compile After Delivery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.005"> <a href="/versions/v9/techniques/T1027/005/"> Indicator Removal from Tools </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1542-body" aria-labelledby="enterprise-TA0005-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1055-body" aria-labelledby="enterprise-TA0005-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1207"> <a href="/versions/v9/techniques/T1207/"> Rogue Domain Controller </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1014"> <a href="/versions/v9/techniques/T1014/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218"> <a href="/versions/v9/techniques/T1218/"> Signed Binary Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1218-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1218-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1218-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1218-body" aria-labelledby="enterprise-TA0005-T1218-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.001"> <a href="/versions/v9/techniques/T1218/001/"> Compiled HTML File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.002"> <a href="/versions/v9/techniques/T1218/002/"> Control Panel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.003"> <a href="/versions/v9/techniques/T1218/003/"> CMSTP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.004"> <a href="/versions/v9/techniques/T1218/004/"> InstallUtil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.005"> <a href="/versions/v9/techniques/T1218/005/"> Mshta </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.007"> <a href="/versions/v9/techniques/T1218/007/"> Msiexec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.008"> <a href="/versions/v9/techniques/T1218/008/"> Odbcconf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.009"> <a href="/versions/v9/techniques/T1218/009/"> Regsvcs/Regasm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.010"> <a href="/versions/v9/techniques/T1218/010/"> Regsvr32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.011"> <a href="/versions/v9/techniques/T1218/011/"> Rundll32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.012"> <a href="/versions/v9/techniques/T1218/012/"> Verclsid </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1216"> <a href="/versions/v9/techniques/T1216/"> Signed Script Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1216-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1216-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1216-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1216-body" aria-labelledby="enterprise-TA0005-T1216-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1216-T1216.001"> <a href="/versions/v9/techniques/T1216/001/"> PubPrn </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553"> <a href="/versions/v9/techniques/T1553/"> Subvert Trust Controls </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1553-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1553-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1553-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1553-body" aria-labelledby="enterprise-TA0005-T1553-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.001"> <a href="/versions/v9/techniques/T1553/001/"> Gatekeeper Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.002"> <a href="/versions/v9/techniques/T1553/002/"> Code Signing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.003"> <a href="/versions/v9/techniques/T1553/003/"> SIP and Trust Provider Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.004"> <a href="/versions/v9/techniques/T1553/004/"> Install Root Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.005"> <a href="/versions/v9/techniques/T1553/005/"> Mark-of-the-Web Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.006"> <a href="/versions/v9/techniques/T1553/006/"> Code Signing Policy Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1221"> <a href="/versions/v9/techniques/T1221/"> Template Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1205-body" aria-labelledby="enterprise-TA0005-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1127"> <a href="/versions/v9/techniques/T1127/"> Trusted Developer Utilities Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1127-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1127-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1127-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1127-body" aria-labelledby="enterprise-TA0005-T1127-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1127-T1127.001"> <a href="/versions/v9/techniques/T1127/001/"> MSBuild </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1535"> <a href="/versions/v9/techniques/T1535/"> Unused/Unsupported Cloud Regions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1550-body" aria-labelledby="enterprise-TA0005-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1078-body" aria-labelledby="enterprise-TA0005-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1497-body" aria-labelledby="enterprise-TA0005-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1600"> <a href="/versions/v9/techniques/T1600/"> Weaken Encryption </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1600-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1600-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1600-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1600-body" aria-labelledby="enterprise-TA0005-T1600-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.001"> <a href="/versions/v9/techniques/T1600/001/"> Reduce Key Space </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.002"> <a href="/versions/v9/techniques/T1600/002/"> Disable Crypto Hardware </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1220"> <a href="/versions/v9/techniques/T1220/"> XSL Script Processing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006"> <a href="/versions/v9/tactics/TA0006"> Credential Access </a> <div class="expand-button collapsed" id="enterprise-TA0006-header" data-toggle="collapse" data-target="#enterprise-TA0006-body" aria-expanded="false" aria-controls="#enterprise-TA0006-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-body" aria-labelledby="enterprise-TA0006-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110"> <a href="/versions/v9/techniques/T1110/"> Brute Force </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1110-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1110-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1110-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1110-body" aria-labelledby="enterprise-TA0006-T1110-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.001"> <a href="/versions/v9/techniques/T1110/001/"> Password Guessing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.002"> <a href="/versions/v9/techniques/T1110/002/"> Password Cracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.003"> <a href="/versions/v9/techniques/T1110/003/"> Password Spraying </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.004"> <a href="/versions/v9/techniques/T1110/004/"> Credential Stuffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555"> <a href="/versions/v9/techniques/T1555/"> Credentials from Password Stores </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1555-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1555-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1555-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1555-body" aria-labelledby="enterprise-TA0006-T1555-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.001"> <a href="/versions/v9/techniques/T1555/001/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.002"> <a href="/versions/v9/techniques/T1555/002/"> Securityd Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.003"> <a href="/versions/v9/techniques/T1555/003/"> Credentials from Web Browsers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.004"> <a href="/versions/v9/techniques/T1555/004/"> Windows Credential Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.005"> <a href="/versions/v9/techniques/T1555/005/"> Password Managers </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1212"> <a href="/versions/v9/techniques/T1212/"> Exploitation for Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1187"> <a href="/versions/v9/techniques/T1187/"> Forced Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1606"> <a href="/versions/v9/techniques/T1606/"> Forge Web Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1606-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1606-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1606-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1606-body" aria-labelledby="enterprise-TA0006-T1606-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.001"> <a href="/versions/v9/techniques/T1606/001/"> Web Cookies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.002"> <a href="/versions/v9/techniques/T1606/002/"> SAML Tokens </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1056-body" aria-labelledby="enterprise-TA0006-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1557-body" aria-labelledby="enterprise-TA0006-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1556-body" aria-labelledby="enterprise-TA0006-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003"> <a href="/versions/v9/techniques/T1003/"> OS Credential Dumping </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1003-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1003-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1003-body" aria-labelledby="enterprise-TA0006-T1003-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.001"> <a href="/versions/v9/techniques/T1003/001/"> LSASS Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.002"> <a href="/versions/v9/techniques/T1003/002/"> Security Account Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.003"> <a href="/versions/v9/techniques/T1003/003/"> NTDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.004"> <a href="/versions/v9/techniques/T1003/004/"> LSA Secrets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.005"> <a href="/versions/v9/techniques/T1003/005/"> Cached Domain Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.006"> <a href="/versions/v9/techniques/T1003/006/"> DCSync </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.007"> <a href="/versions/v9/techniques/T1003/007/"> Proc Filesystem </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.008"> <a href="/versions/v9/techniques/T1003/008/"> /etc/passwd and /etc/shadow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1528"> <a href="/versions/v9/techniques/T1528/"> Steal Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558"> <a href="/versions/v9/techniques/T1558/"> Steal or Forge Kerberos Tickets </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1558-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1558-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1558-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1558-body" aria-labelledby="enterprise-TA0006-T1558-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.001"> <a href="/versions/v9/techniques/T1558/001/"> Golden Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.002"> <a href="/versions/v9/techniques/T1558/002/"> Silver Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.003"> <a href="/versions/v9/techniques/T1558/003/"> Kerberoasting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.004"> <a href="/versions/v9/techniques/T1558/004/"> AS-REP Roasting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1539"> <a href="/versions/v9/techniques/T1539/"> Steal Web Session Cookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1111"> <a href="/versions/v9/techniques/T1111/"> Two-Factor Authentication Interception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552"> <a href="/versions/v9/techniques/T1552/"> Unsecured Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1552-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1552-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1552-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1552-body" aria-labelledby="enterprise-TA0006-T1552-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.001"> <a href="/versions/v9/techniques/T1552/001/"> Credentials In Files </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.002"> <a href="/versions/v9/techniques/T1552/002/"> Credentials in Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.003"> <a href="/versions/v9/techniques/T1552/003/"> Bash History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.004"> <a href="/versions/v9/techniques/T1552/004/"> Private Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.005"> <a href="/versions/v9/techniques/T1552/005/"> Cloud Instance Metadata API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.006"> <a href="/versions/v9/techniques/T1552/006/"> Group Policy Preferences </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.007"> <a href="/versions/v9/techniques/T1552/007/"> Container API </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007"> <a href="/versions/v9/tactics/TA0007"> Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-header" data-toggle="collapse" data-target="#enterprise-TA0007-body" aria-expanded="false" aria-controls="#enterprise-TA0007-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-body" aria-labelledby="enterprise-TA0007-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087"> <a href="/versions/v9/techniques/T1087/"> Account Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1087-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1087-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1087-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1087-body" aria-labelledby="enterprise-TA0007-T1087-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.001"> <a href="/versions/v9/techniques/T1087/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.002"> <a href="/versions/v9/techniques/T1087/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.003"> <a href="/versions/v9/techniques/T1087/003/"> Email Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.004"> <a href="/versions/v9/techniques/T1087/004/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1010"> <a href="/versions/v9/techniques/T1010/"> Application Window Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1217"> <a href="/versions/v9/techniques/T1217/"> Browser Bookmark Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1580"> <a href="/versions/v9/techniques/T1580/"> Cloud Infrastructure Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1538"> <a href="/versions/v9/techniques/T1538/"> Cloud Service Dashboard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1526"> <a href="/versions/v9/techniques/T1526/"> Cloud Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1613"> <a href="/versions/v9/techniques/T1613/"> Container and Resource Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1482"> <a href="/versions/v9/techniques/T1482/"> Domain Trust Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1083"> <a href="/versions/v9/techniques/T1083/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1046"> <a href="/versions/v9/techniques/T1046/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1135"> <a href="/versions/v9/techniques/T1135/"> Network Share Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1201"> <a href="/versions/v9/techniques/T1201/"> Password Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1120"> <a href="/versions/v9/techniques/T1120/"> Peripheral Device Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069"> <a href="/versions/v9/techniques/T1069/"> Permission Groups Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1069-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1069-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1069-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1069-body" aria-labelledby="enterprise-TA0007-T1069-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.001"> <a href="/versions/v9/techniques/T1069/001/"> Local Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.002"> <a href="/versions/v9/techniques/T1069/002/"> Domain Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.003"> <a href="/versions/v9/techniques/T1069/003/"> Cloud Groups </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1057"> <a href="/versions/v9/techniques/T1057/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1012"> <a href="/versions/v9/techniques/T1012/"> Query Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1018"> <a href="/versions/v9/techniques/T1018/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518"> <a href="/versions/v9/techniques/T1518/"> Software Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1518-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1518-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1518-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1518-body" aria-labelledby="enterprise-TA0007-T1518-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1518-T1518.001"> <a href="/versions/v9/techniques/T1518/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1082"> <a href="/versions/v9/techniques/T1082/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1614"> <a href="/versions/v9/techniques/T1614/"> System Location Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016"> <a href="/versions/v9/techniques/T1016/"> System Network Configuration Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1016-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1016-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1016-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1016-body" aria-labelledby="enterprise-TA0007-T1016-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1016-T1016.001"> <a href="/versions/v9/techniques/T1016/001/"> Internet Connection Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1049"> <a href="/versions/v9/techniques/T1049/"> System Network Connections Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1033"> <a href="/versions/v9/techniques/T1033/"> System Owner/User Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1007"> <a href="/versions/v9/techniques/T1007/"> System Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1124"> <a href="/versions/v9/techniques/T1124/"> System Time Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1497-body" aria-labelledby="enterprise-TA0007-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008"> <a href="/versions/v9/tactics/TA0008"> Lateral Movement </a> <div class="expand-button collapsed" id="enterprise-TA0008-header" data-toggle="collapse" data-target="#enterprise-TA0008-body" aria-expanded="false" aria-controls="#enterprise-TA0008-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-body" aria-labelledby="enterprise-TA0008-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1210"> <a href="/versions/v9/techniques/T1210/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1534"> <a href="/versions/v9/techniques/T1534/"> Internal Spearphishing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1570"> <a href="/versions/v9/techniques/T1570/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563"> <a href="/versions/v9/techniques/T1563/"> Remote Service Session Hijacking </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1563-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1563-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1563-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1563-body" aria-labelledby="enterprise-TA0008-T1563-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.001"> <a href="/versions/v9/techniques/T1563/001/"> SSH Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.002"> <a href="/versions/v9/techniques/T1563/002/"> RDP Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021"> <a href="/versions/v9/techniques/T1021/"> Remote Services </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1021-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1021-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1021-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1021-body" aria-labelledby="enterprise-TA0008-T1021-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.001"> <a href="/versions/v9/techniques/T1021/001/"> Remote Desktop Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.002"> <a href="/versions/v9/techniques/T1021/002/"> SMB/Windows Admin Shares </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.003"> <a href="/versions/v9/techniques/T1021/003/"> Distributed Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.004"> <a href="/versions/v9/techniques/T1021/004/"> SSH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.005"> <a href="/versions/v9/techniques/T1021/005/"> VNC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.006"> <a href="/versions/v9/techniques/T1021/006/"> Windows Remote Management </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1080"> <a href="/versions/v9/techniques/T1080/"> Taint Shared Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1550-body" aria-labelledby="enterprise-TA0008-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009"> <a href="/versions/v9/tactics/TA0009"> Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-header" data-toggle="collapse" data-target="#enterprise-TA0009-body" aria-expanded="false" aria-controls="#enterprise-TA0009-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-body" aria-labelledby="enterprise-TA0009-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560"> <a href="/versions/v9/techniques/T1560/"> Archive Collected Data </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1560-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1560-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1560-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1560-body" aria-labelledby="enterprise-TA0009-T1560-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.001"> <a href="/versions/v9/techniques/T1560/001/"> Archive via Utility </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.002"> <a href="/versions/v9/techniques/T1560/002/"> Archive via Library </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.003"> <a href="/versions/v9/techniques/T1560/003/"> Archive via Custom Method </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1123"> <a href="/versions/v9/techniques/T1123/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1119"> <a href="/versions/v9/techniques/T1119/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1115"> <a href="/versions/v9/techniques/T1115/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1530"> <a href="/versions/v9/techniques/T1530/"> Data from Cloud Storage Object </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602"> <a href="/versions/v9/techniques/T1602/"> Data from Configuration Repository </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1602-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1602-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1602-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1602-body" aria-labelledby="enterprise-TA0009-T1602-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.001"> <a href="/versions/v9/techniques/T1602/001/"> SNMP (MIB Dump) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.002"> <a href="/versions/v9/techniques/T1602/002/"> Network Device Configuration Dump </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213"> <a href="/versions/v9/techniques/T1213/"> Data from Information Repositories </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1213-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1213-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1213-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1213-body" aria-labelledby="enterprise-TA0009-T1213-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.001"> <a href="/versions/v9/techniques/T1213/001/"> Confluence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.002"> <a href="/versions/v9/techniques/T1213/002/"> Sharepoint </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1005"> <a href="/versions/v9/techniques/T1005/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1039"> <a href="/versions/v9/techniques/T1039/"> Data from Network Shared Drive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1025"> <a href="/versions/v9/techniques/T1025/"> Data from Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074"> <a href="/versions/v9/techniques/T1074/"> Data Staged </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1074-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1074-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1074-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1074-body" aria-labelledby="enterprise-TA0009-T1074-header"> <div class="sidenav"> <div class="sidenav-head active" id="enterprise-TA0009-T1074-T1074.001"> <a href="/versions/v9/techniques/T1074/001/"> Local Data Staging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.002"> <a href="/versions/v9/techniques/T1074/002/"> Remote Data Staging </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114"> <a href="/versions/v9/techniques/T1114/"> Email Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1114-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1114-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1114-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1114-body" aria-labelledby="enterprise-TA0009-T1114-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.001"> <a href="/versions/v9/techniques/T1114/001/"> Local Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.002"> <a href="/versions/v9/techniques/T1114/002/"> Remote Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.003"> <a href="/versions/v9/techniques/T1114/003/"> Email Forwarding Rule </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1056-body" aria-labelledby="enterprise-TA0009-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1185"> <a href="/versions/v9/techniques/T1185/"> Man in the Browser </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1557-body" aria-labelledby="enterprise-TA0009-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1113"> <a href="/versions/v9/techniques/T1113/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1125"> <a href="/versions/v9/techniques/T1125/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011"> <a href="/versions/v9/tactics/TA0011"> Command and Control </a> <div class="expand-button collapsed" id="enterprise-TA0011-header" data-toggle="collapse" data-target="#enterprise-TA0011-body" aria-expanded="false" aria-controls="#enterprise-TA0011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-body" aria-labelledby="enterprise-TA0011-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071"> <a href="/versions/v9/techniques/T1071/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1071-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1071-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1071-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1071-body" aria-labelledby="enterprise-TA0011-T1071-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.001"> <a href="/versions/v9/techniques/T1071/001/"> Web Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.002"> <a href="/versions/v9/techniques/T1071/002/"> File Transfer Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.003"> <a href="/versions/v9/techniques/T1071/003/"> Mail Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.004"> <a href="/versions/v9/techniques/T1071/004/"> DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1092"> <a href="/versions/v9/techniques/T1092/"> Communication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1132"> <a href="/versions/v9/techniques/T1132/"> Data Encoding </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1132-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1132-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1132-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1132-body" aria-labelledby="enterprise-TA0011-T1132-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.001"> <a href="/versions/v9/techniques/T1132/001/"> Standard Encoding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.002"> <a href="/versions/v9/techniques/T1132/002/"> Non-Standard Encoding </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1001"> <a href="/versions/v9/techniques/T1001/"> Data Obfuscation </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1001-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1001-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1001-body" aria-labelledby="enterprise-TA0011-T1001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.001"> <a href="/versions/v9/techniques/T1001/001/"> Junk Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.002"> <a href="/versions/v9/techniques/T1001/002/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.003"> <a href="/versions/v9/techniques/T1001/003/"> Protocol Impersonation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568"> <a href="/versions/v9/techniques/T1568/"> Dynamic Resolution </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1568-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1568-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1568-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1568-body" aria-labelledby="enterprise-TA0011-T1568-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.001"> <a href="/versions/v9/techniques/T1568/001/"> Fast Flux DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.002"> <a href="/versions/v9/techniques/T1568/002/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.003"> <a href="/versions/v9/techniques/T1568/003/"> DNS Calculation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1573"> <a href="/versions/v9/techniques/T1573/"> Encrypted Channel </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1573-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1573-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1573-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1573-body" aria-labelledby="enterprise-TA0011-T1573-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.001"> <a href="/versions/v9/techniques/T1573/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.002"> <a href="/versions/v9/techniques/T1573/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1008"> <a href="/versions/v9/techniques/T1008/"> Fallback Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1105"> <a href="/versions/v9/techniques/T1105/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1104"> <a href="/versions/v9/techniques/T1104/"> Multi-Stage Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1095"> <a href="/versions/v9/techniques/T1095/"> Non-Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1571"> <a href="/versions/v9/techniques/T1571/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1572"> <a href="/versions/v9/techniques/T1572/"> Protocol Tunneling </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090"> <a href="/versions/v9/techniques/T1090/"> Proxy </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1090-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1090-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1090-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1090-body" aria-labelledby="enterprise-TA0011-T1090-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.001"> <a href="/versions/v9/techniques/T1090/001/"> Internal Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.002"> <a href="/versions/v9/techniques/T1090/002/"> External Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.003"> <a href="/versions/v9/techniques/T1090/003/"> Multi-hop Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.004"> <a href="/versions/v9/techniques/T1090/004/"> Domain Fronting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1219"> <a href="/versions/v9/techniques/T1219/"> Remote Access Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1205-body" aria-labelledby="enterprise-TA0011-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102"> <a href="/versions/v9/techniques/T1102/"> Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1102-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1102-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1102-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1102-body" aria-labelledby="enterprise-TA0011-T1102-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.001"> <a href="/versions/v9/techniques/T1102/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.002"> <a href="/versions/v9/techniques/T1102/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.003"> <a href="/versions/v9/techniques/T1102/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010"> <a href="/versions/v9/tactics/TA0010"> Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-header" data-toggle="collapse" data-target="#enterprise-TA0010-body" aria-expanded="false" aria-controls="#enterprise-TA0010-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-body" aria-labelledby="enterprise-TA0010-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1020"> <a href="/versions/v9/techniques/T1020/"> Automated Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1020-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1020-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1020-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1020-body" aria-labelledby="enterprise-TA0010-T1020-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1020-T1020.001"> <a href="/versions/v9/techniques/T1020/001/"> Traffic Duplication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1030"> <a href="/versions/v9/techniques/T1030/"> Data Transfer Size Limits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1048"> <a href="/versions/v9/techniques/T1048/"> Exfiltration Over Alternative Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1048-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1048-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1048-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1048-body" aria-labelledby="enterprise-TA0010-T1048-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.001"> <a href="/versions/v9/techniques/T1048/001/"> Exfiltration Over Symmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.002"> <a href="/versions/v9/techniques/T1048/002/"> Exfiltration Over Asymmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.003"> <a href="/versions/v9/techniques/T1048/003/"> Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1041"> <a href="/versions/v9/techniques/T1041/"> Exfiltration Over C2 Channel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1011"> <a href="/versions/v9/techniques/T1011/"> Exfiltration Over Other Network Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1011-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1011-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1011-body" aria-labelledby="enterprise-TA0010-T1011-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1011-T1011.001"> <a href="/versions/v9/techniques/T1011/001/"> Exfiltration Over Bluetooth </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1052"> <a href="/versions/v9/techniques/T1052/"> Exfiltration Over Physical Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1052-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1052-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1052-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1052-body" aria-labelledby="enterprise-TA0010-T1052-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1052-T1052.001"> <a href="/versions/v9/techniques/T1052/001/"> Exfiltration over USB </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1567"> <a href="/versions/v9/techniques/T1567/"> Exfiltration Over Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1567-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1567-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1567-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1567-body" aria-labelledby="enterprise-TA0010-T1567-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.001"> <a href="/versions/v9/techniques/T1567/001/"> Exfiltration to Code Repository </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.002"> <a href="/versions/v9/techniques/T1567/002/"> Exfiltration to Cloud Storage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1029"> <a href="/versions/v9/techniques/T1029/"> Scheduled Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1537"> <a href="/versions/v9/techniques/T1537/"> Transfer Data to Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040"> <a href="/versions/v9/tactics/TA0040"> Impact </a> <div class="expand-button collapsed" id="enterprise-TA0040-header" data-toggle="collapse" data-target="#enterprise-TA0040-body" aria-expanded="false" aria-controls="#enterprise-TA0040-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-body" aria-labelledby="enterprise-TA0040-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1531"> <a href="/versions/v9/techniques/T1531/"> Account Access Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1485"> <a href="/versions/v9/techniques/T1485/"> Data Destruction </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1486"> <a href="/versions/v9/techniques/T1486/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1565"> <a href="/versions/v9/techniques/T1565/"> Data Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1565-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1565-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1565-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1565-body" aria-labelledby="enterprise-TA0040-T1565-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.001"> <a href="/versions/v9/techniques/T1565/001/"> Stored Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.002"> <a href="/versions/v9/techniques/T1565/002/"> Transmitted Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.003"> <a href="/versions/v9/techniques/T1565/003/"> Runtime Data Manipulation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1491"> <a href="/versions/v9/techniques/T1491/"> Defacement </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1491-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1491-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1491-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1491-body" aria-labelledby="enterprise-TA0040-T1491-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.001"> <a href="/versions/v9/techniques/T1491/001/"> Internal Defacement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.002"> <a href="/versions/v9/techniques/T1491/002/"> External Defacement </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1561"> <a href="/versions/v9/techniques/T1561/"> Disk Wipe </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1561-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1561-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1561-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1561-body" aria-labelledby="enterprise-TA0040-T1561-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.001"> <a href="/versions/v9/techniques/T1561/001/"> Disk Content Wipe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.002"> <a href="/versions/v9/techniques/T1561/002/"> Disk Structure Wipe </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499"> <a href="/versions/v9/techniques/T1499/"> Endpoint Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1499-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1499-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1499-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1499-body" aria-labelledby="enterprise-TA0040-T1499-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.001"> <a href="/versions/v9/techniques/T1499/001/"> OS Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.002"> <a href="/versions/v9/techniques/T1499/002/"> Service Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.003"> <a href="/versions/v9/techniques/T1499/003/"> Application Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.004"> <a href="/versions/v9/techniques/T1499/004/"> Application or System Exploitation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1495"> <a href="/versions/v9/techniques/T1495/"> Firmware Corruption </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1490"> <a href="/versions/v9/techniques/T1490/"> Inhibit System Recovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1498"> <a href="/versions/v9/techniques/T1498/"> Network Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1498-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1498-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1498-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1498-body" aria-labelledby="enterprise-TA0040-T1498-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.001"> <a href="/versions/v9/techniques/T1498/001/"> Direct Network Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.002"> <a href="/versions/v9/techniques/T1498/002/"> Reflection Amplification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1496"> <a href="/versions/v9/techniques/T1496/"> Resource Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1489"> <a href="/versions/v9/techniques/T1489/"> Service Stop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1529"> <a href="/versions/v9/techniques/T1529/"> System Shutdown/Reboot </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v9/techniques/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027"> <a href="/versions/v9/tactics/TA0027"> Initial Access </a> <div class="expand-button collapsed" id="mobile-TA0027-header" data-toggle="collapse" data-target="#mobile-TA0027-body" aria-expanded="false" aria-controls="#mobile-TA0027-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0027-body" aria-labelledby="mobile-TA0027-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1475"> <a href="/versions/v9/techniques/T1475/"> Deliver Malicious App via Authorized App Store </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1476"> <a href="/versions/v9/techniques/T1476/"> Deliver Malicious App via Other Means </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1456"> <a href="/versions/v9/techniques/T1456/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1458"> <a href="/versions/v9/techniques/T1458/"> Exploit via Charging Station or PC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1477"> <a href="/versions/v9/techniques/T1477/"> Exploit via Radio Interfaces </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1461"> <a href="/versions/v9/techniques/T1461/"> Lockscreen Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1474"> <a href="/versions/v9/techniques/T1474/"> Supply Chain Compromise </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0041"> <a href="/versions/v9/tactics/TA0041"> Execution </a> <div class="expand-button collapsed" id="mobile-TA0041-header" data-toggle="collapse" data-target="#mobile-TA0041-body" aria-expanded="false" aria-controls="#mobile-TA0041-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0041-body" aria-labelledby="mobile-TA0041-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1605"> <a href="/versions/v9/techniques/T1605/"> Command-Line Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028"> <a href="/versions/v9/tactics/TA0028"> Persistence </a> <div class="expand-button collapsed" id="mobile-TA0028-header" data-toggle="collapse" data-target="#mobile-TA0028-body" aria-expanded="false" aria-controls="#mobile-TA0028-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0028-body" aria-labelledby="mobile-TA0028-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1577"> <a href="/versions/v9/techniques/T1577/"> Compromise Application Executable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1403"> <a href="/versions/v9/techniques/T1403/"> Modify Cached Executable Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029"> <a href="/versions/v9/tactics/TA0029"> Privilege Escalation </a> <div class="expand-button collapsed" id="mobile-TA0029-header" data-toggle="collapse" data-target="#mobile-TA0029-body" aria-expanded="false" aria-controls="#mobile-TA0029-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0029-body" aria-labelledby="mobile-TA0029-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1401"> <a href="/versions/v9/techniques/T1401/"> Device Administrator Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1404"> <a href="/versions/v9/techniques/T1404/"> Exploit OS Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030"> <a href="/versions/v9/tactics/TA0030"> Defense Evasion </a> <div class="expand-button collapsed" id="mobile-TA0030-header" data-toggle="collapse" data-target="#mobile-TA0030-body" aria-expanded="false" aria-controls="#mobile-TA0030-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-body" aria-labelledby="mobile-TA0030-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1408"> <a href="/versions/v9/techniques/T1408/"> Disguise Root/Jailbreak Indicators </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1407"> <a href="/versions/v9/techniques/T1407/"> Download New Code at Runtime </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1581"> <a href="/versions/v9/techniques/T1581/"> Geofencing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1406"> <a href="/versions/v9/techniques/T1406/"> Obfuscated Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1604"> <a href="/versions/v9/techniques/T1604/"> Proxy Through Victim </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1508"> <a href="/versions/v9/techniques/T1508/"> Suppress Application Icon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1576"> <a href="/versions/v9/techniques/T1576/"> Uninstall Malicious Application </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031"> <a href="/versions/v9/tactics/TA0031"> Credential Access </a> <div class="expand-button collapsed" id="mobile-TA0031-header" data-toggle="collapse" data-target="#mobile-TA0031-body" aria-expanded="false" aria-controls="#mobile-TA0031-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-body" aria-labelledby="mobile-TA0031-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1411"> <a href="/versions/v9/techniques/T1411/"> Input Prompt </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1579"> <a href="/versions/v9/techniques/T1579/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1416"> <a href="/versions/v9/techniques/T1416/"> URI Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032"> <a href="/versions/v9/tactics/TA0032"> Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-header" data-toggle="collapse" data-target="#mobile-TA0032-body" aria-expanded="false" aria-controls="#mobile-TA0032-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-body" aria-labelledby="mobile-TA0032-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1420"> <a href="/versions/v9/techniques/T1420/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1423"> <a href="/versions/v9/techniques/T1423/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1424"> <a href="/versions/v9/techniques/T1424/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1426"> <a href="/versions/v9/techniques/T1426/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1422"> <a href="/versions/v9/techniques/T1422/"> System Network Configuration Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1421"> <a href="/versions/v9/techniques/T1421/"> System Network Connections Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033"> <a href="/versions/v9/tactics/TA0033"> Lateral Movement </a> <div class="expand-button collapsed" id="mobile-TA0033-header" data-toggle="collapse" data-target="#mobile-TA0033-body" aria-expanded="false" aria-controls="#mobile-TA0033-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0033-body" aria-labelledby="mobile-TA0033-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1427"> <a href="/versions/v9/techniques/T1427/"> Attack PC via USB Connection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1428"> <a href="/versions/v9/techniques/T1428/"> Exploit Enterprise Resources </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035"> <a href="/versions/v9/tactics/TA0035"> Collection </a> <div class="expand-button collapsed" id="mobile-TA0035-header" data-toggle="collapse" data-target="#mobile-TA0035-body" aria-expanded="false" aria-controls="#mobile-TA0035-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-body" aria-labelledby="mobile-TA0035-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1435"> <a href="/versions/v9/techniques/T1435/"> Access Calendar Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1433"> <a href="/versions/v9/techniques/T1433/"> Access Call Log </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1432"> <a href="/versions/v9/techniques/T1432/"> Access Contact List </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1429"> <a href="/versions/v9/techniques/T1429/"> Capture Audio </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1512"> <a href="/versions/v9/techniques/T1512/"> Capture Camera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1533"> <a href="/versions/v9/techniques/T1533/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1507"> <a href="/versions/v9/techniques/T1507/"> Network Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1513"> <a href="/versions/v9/techniques/T1513/"> Screen Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037"> <a href="/versions/v9/tactics/TA0037"> Command and Control </a> <div class="expand-button collapsed" id="mobile-TA0037-header" data-toggle="collapse" data-target="#mobile-TA0037-body" aria-expanded="false" aria-controls="#mobile-TA0037-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-body" aria-labelledby="mobile-TA0037-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1520"> <a href="/versions/v9/techniques/T1520/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1544"> <a href="/versions/v9/techniques/T1544/"> Remote File Copy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1521"> <a href="/versions/v9/techniques/T1521/"> Standard Cryptographic Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1509"> <a href="/versions/v9/techniques/T1509/"> Uncommonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1481"> <a href="/versions/v9/techniques/T1481/"> Web Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036"> <a href="/versions/v9/tactics/TA0036"> Exfiltration </a> <div class="expand-button collapsed" id="mobile-TA0036-header" data-toggle="collapse" data-target="#mobile-TA0036-body" aria-expanded="false" aria-controls="#mobile-TA0036-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-body" aria-labelledby="mobile-TA0036-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1532"> <a href="/versions/v9/techniques/T1532/"> Data Encrypted </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034"> <a href="/versions/v9/tactics/TA0034"> Impact </a> <div class="expand-button collapsed" id="mobile-TA0034-header" data-toggle="collapse" data-target="#mobile-TA0034-body" aria-expanded="false" aria-controls="#mobile-TA0034-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-body" aria-labelledby="mobile-TA0034-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1448"> <a href="/versions/v9/techniques/T1448/"> Carrier Billing Fraud </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1510"> <a href="/versions/v9/techniques/T1510/"> Clipboard Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1471"> <a href="/versions/v9/techniques/T1471/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1472"> <a href="/versions/v9/techniques/T1472/"> Generate Fraudulent Advertising Revenue </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1452"> <a href="/versions/v9/techniques/T1452/"> Manipulate App Store Rankings or Ratings </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1582"> <a href="/versions/v9/techniques/T1582/"> SMS Control </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0038"> <a href="/versions/v9/tactics/TA0038"> Network Effects </a> <div class="expand-button collapsed" id="mobile-TA0038-header" data-toggle="collapse" data-target="#mobile-TA0038-body" aria-expanded="false" aria-controls="#mobile-TA0038-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0038-body" aria-labelledby="mobile-TA0038-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1466"> <a href="/versions/v9/techniques/T1466/"> Downgrade to Insecure Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1439"> <a href="/versions/v9/techniques/T1439/"> Eavesdrop on Insecure Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1449"> <a href="/versions/v9/techniques/T1449/"> Exploit SS7 to Redirect Phone Calls/SMS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1450"> <a href="/versions/v9/techniques/T1450/"> Exploit SS7 to Track Device Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1464"> <a href="/versions/v9/techniques/T1464/"> Jamming or Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1463"> <a href="/versions/v9/techniques/T1463/"> Manipulate Device Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1467"> <a href="/versions/v9/techniques/T1467/"> Rogue Cellular Base Station </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1465"> <a href="/versions/v9/techniques/T1465/"> Rogue Wi-Fi Access Points </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1451"> <a href="/versions/v9/techniques/T1451/"> SIM Card Swap </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0039"> <a href="/versions/v9/tactics/TA0039"> Remote Service Effects </a> <div class="expand-button collapsed" id="mobile-TA0039-header" data-toggle="collapse" data-target="#mobile-TA0039-body" aria-expanded="false" aria-controls="#mobile-TA0039-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0039-body" aria-labelledby="mobile-TA0039-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1470"> <a href="/versions/v9/techniques/T1470/"> Obtain Device Cloud Backups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1468"> <a href="/versions/v9/techniques/T1468/"> Remotely Track Device Without Authorization </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1469"> <a href="/versions/v9/techniques/T1469/"> Remotely Wipe Data Without Authorization </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/T1074">Data Staged</a></li> <li class="breadcrumb-item">Local Data Staging</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Data Staged:</span> Local Data Staging </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Data Staged (2)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td class="active"> T1074.001 </td> <td class="active"> Local Data Staging </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1074/002/" class="subtechnique-table-item" data-subtechnique_id="T1074.002"> T1074.002 </a> </td> <td> <a href="/versions/v9/techniques/T1074/002/" class="subtechnique-table-item" data-subtechnique_id="T1074.002"> Remote Data Staging </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>. Interactive command shells may be used, and common functionality within <a href="/versions/v9/software/S0106">cmd</a> and bash may be used to copy data into a staging location.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1074.001 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of:&nbsp;</span> <a href="/versions/v9/techniques/T1074">T1074</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v9/tactics/TA0009">Collection</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions, or the results of those actions by an adversary">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Data Sources:&nbsp;</span><a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/command.yml'>Command</a>: Command Execution, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/file.yml'>File</a>: File Access, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/file.yml'>File</a>: File Creation </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.0 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>13 March 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>26 May 2020 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1074.001" href="/versions/v9/techniques/T1074/001/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1074.001" href="/techniques/T1074/001/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/software/S0045"> S0045 </a> </td> <td> <a href="/versions/v9/software/S0045"> ADVSTORESHELL </a> </td> <td> <p><a href="/versions/v9/software/S0045">ADVSTORESHELL</a> stores output from command execution in a .dat file in the %TEMP% directory.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0007"> G0007 </a> </td> <td> <a href="/versions/v9/groups/G0007"> APT28 </a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has stored captured credential information in a file named pi.log.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0022"> G0022 </a> </td> <td> <a href="/versions/v9/groups/G0022"> APT3 </a> </td> <td> <p><a href="/versions/v9/groups/G0022">APT3</a> has been known to stage files for exfiltration in a single location.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="aptsim"><sup><a href="http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v9/groups/G0087"> APT39 </a> </td> <td> <p><a href="/versions/v9/groups/G0087">APT39</a> has utilized tools to aggregate data prior to exfiltration.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FBI FLASH APT39 September 2020"><sup><a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0373"> S0373 </a> </td> <td> <a href="/versions/v9/software/S0373"> Astaroth </a> </td> <td> <p><a href="/versions/v9/software/S0373">Astaroth</a> collects data in a plaintext file named r1.log before exfiltration. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="Cofense Astaroth Sept 2018"><sup><a href="https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0438"> S0438 </a> </td> <td> <a href="/versions/v9/software/S0438"> Attor </a> </td> <td> <p><a href="/versions/v9/software/S0438">Attor</a> has staged collected data in a central upload directory prior to exfiltration.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="ESET Attor Oct 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0128"> S0128 </a> </td> <td> <a href="/versions/v9/software/S0128"> BADNEWS </a> </td> <td> <p><a href="/versions/v9/software/S0128">BADNEWS</a> copies documents under 15MB found on the victim system to is the user's <code>%temp%\SMB\</code> folder. It also copies files from USB devices to a predefined directory.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Forcepoint Monsoon"><sup><a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0337"> S0337 </a> </td> <td> <a href="/versions/v9/software/S0337"> BadPatch </a> </td> <td> <p><a href="/versions/v9/software/S0337">BadPatch</a> stores collected data in log files before exfiltration.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="Unit 42 BadPatch Oct 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0274"> S0274 </a> </td> <td> <a href="/versions/v9/software/S0274"> Calisto </a> </td> <td> <p><a href="/versions/v9/software/S0274">Calisto</a> uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Securelist Calisto July 2018"><sup><a href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Symantec Calisto July 2018"><sup><a href="https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0335"> S0335 </a> </td> <td> <a href="/versions/v9/software/S0335"> Carbon </a> </td> <td> <p><a href="/versions/v9/software/S0335">Carbon</a> creates a base directory that contains the files and folders that are collected.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Carbon Mar 2017"><sup><a href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0261"> S0261 </a> </td> <td> <a href="/versions/v9/software/S0261"> Catchamas </a> </td> <td> <p><a href="/versions/v9/software/S0261">Catchamas</a> stores the gathered data from the machine in .db files and .bmp files under four separate locations.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="Symantec Catchamas April 2018"><sup><a href="https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v9/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v9/groups/G0114">Chimera</a> has staged stolen data locally on compromised hosts.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="NCC Group Chimera January 2021"><sup><a href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0538"> S0538 </a> </td> <td> <a href="/versions/v9/software/S0538"> Crutch </a> </td> <td> <p><a href="/versions/v9/software/S0538">Crutch</a> has staged stolen files in the <code>C:\AMD\Temp</code> directory.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0074"> G0074 </a> </td> <td> <a href="/versions/v9/groups/G0074"> Dragonfly 2.0 </a> </td> <td> <p><a href="/versions/v9/groups/G0074">Dragonfly 2.0</a> created a directory named "out" in the user's %AppData% folder and copied files to it.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0567"> S0567 </a> </td> <td> <a href="/versions/v9/software/S0567"> Dtrack </a> </td> <td> <p><a href="/versions/v9/software/S0567">Dtrack</a> can save collected data to disk, different file formats, and network shares.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="Securelist Dtrack"><sup><a href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="CyberBit Dtrack"><sup><a href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0038"> S0038 </a> </td> <td> <a href="/versions/v9/software/S0038"> Duqu </a> </td> <td> <p>Modules can be pushed to and executed by <a href="/versions/v9/software/S0038">Duqu</a> that copy data to a staging area, compress it, and XOR encrypt it.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Symantec W32.Duqu"><sup><a href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0062"> S0062 </a> </td> <td> <a href="/versions/v9/software/S0062"> DustySky </a> </td> <td> <p><a href="/versions/v9/software/S0062">DustySky</a> created folders in temp directories to host collected files before exfiltration.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="Kaspersky MoleRATs April 2019"><sup><a href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0024"> S0024 </a> </td> <td> <a href="/versions/v9/software/S0024"> Dyre </a> </td> <td> <p><a href="/versions/v9/software/S0024">Dyre</a> has the ability to create files in a TEMP folder to act as a database to store information.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Malwarebytes Dyreza November 2015"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0593"> S0593 </a> </td> <td> <a href="/versions/v9/software/S0593"> ECCENTRICBANDWAGON </a> </td> <td> <p><a href="/versions/v9/software/S0593">ECCENTRICBANDWAGON</a> has stored keystrokes and screenshots within the <code>%temp%\GoogleChrome</code>, <code>%temp%\Downloads</code>, and <code>%temp%\TrendMicroUpdate</code> directories.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" data-reference="CISA EB Aug 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0081"> S0081 </a> </td> <td> <a href="/versions/v9/software/S0081"> Elise </a> </td> <td> <p><a href="/versions/v9/software/S0081">Elise</a> creates a file in <code>AppData\Local\Microsoft\Windows\Explorer</code> and stores all harvested data in that file.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="Accenture Dragonfish Jan 2018"><sup><a href="https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0343"> S0343 </a> </td> <td> <a href="/versions/v9/software/S0343"> Exaramel for Windows </a> </td> <td> <p><a href="/versions/v9/software/S0343">Exaramel for Windows</a> specifies a path to store files scheduled for exfiltration.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="ESET TeleBots Oct 2018"><sup><a href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0053"> G0053 </a> </td> <td> <a href="/versions/v9/groups/G0053"> FIN5 </a> </td> <td> <p><a href="/versions/v9/groups/G0053">FIN5</a> scripts save memory dump data into a specific directory on hosts in the victim environment.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="Mandiant FIN5 GrrCON Oct 2016"><sup><a href="https://www.youtube.com/watch?v=fevGZs0EQu8" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0036"> S0036 </a> </td> <td> <a href="/versions/v9/software/S0036"> FLASHFLOOD </a> </td> <td> <p><a href="/versions/v9/software/S0036">FLASHFLOOD</a> stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0503"> S0503 </a> </td> <td> <a href="/versions/v9/software/S0503"> FrameworkPOS </a> </td> <td> <p><a href="/versions/v9/software/S0503">FrameworkPOS</a> can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="FireEye FIN6 April 2016"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v9/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/versions/v9/groups/G0093">GALLIUM</a> compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" data-reference="Cybereason Soft Cell June 2019"><sup><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0249"> S0249 </a> </td> <td> <a href="/versions/v9/software/S0249"> Gold Dragon </a> </td> <td> <p><a href="/versions/v9/software/S0249">Gold Dragon</a> stores information gathered from the endpoint in a file named 1.hwp.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" data-reference="McAfee Gold Dragon"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0170"> S0170 </a> </td> <td> <a href="/versions/v9/software/S0170"> Helminth </a> </td> <td> <p><a href="/versions/v9/software/S0170">Helminth</a> creates folders to store output from batch scripts prior to sending the information to its C2 server.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="Palo Alto OilRig May 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0072"> G0072 </a> </td> <td> <a href="/versions/v9/groups/G0072"> Honeybee </a> </td> <td> <p><a href="/versions/v9/groups/G0072">Honeybee</a> adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" data-reference="McAfee Honeybee"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0260"> S0260 </a> </td> <td> <a href="/versions/v9/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/versions/v9/software/S0260">InvisiMole</a> determines a working directory where it stores all the gathered data about the compromised machine.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="ESET InvisiMole June 2018"><sup><a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" data-reference="ESET InvisiMole June 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0265"> S0265 </a> </td> <td> <a href="/versions/v9/software/S0265"> Kazuar </a> </td> <td> <p><a href="/versions/v9/software/S0265">Kazuar</a> stages command output and collected data in files before exfiltration.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" data-reference="Unit 42 Kazuar May 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0526"> S0526 </a> </td> <td> <a href="/versions/v9/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/versions/v9/software/S0526">KGH_SPY</a> can save collected system information to a file named "info" before exfiltration.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" data-reference="Cybereason Kimsuky November 2020"><sup><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0094"> G0094 </a> </td> <td> <a href="/versions/v9/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/versions/v9/groups/G0094">Kimsuky</a> has staged collected data files under <code>C:\Program Files\Common Files\System\Ole DB\</code>.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" data-reference="CISA AA20-301A Kimsuky"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0032"> G0032 </a> </td> <td> <a href="/versions/v9/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/versions/v9/groups/G0032">Lazarus Group</a> malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" data-reference="Novetta Blockbuster"><sup><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="Novetta Blockbuster Loaders"><sup><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v9/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/versions/v9/groups/G0065">Leviathan</a> has used C:\Windows\Debug and C:\Perflogs as staging directories.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="FireEye Periscope March 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0395"> S0395 </a> </td> <td> <a href="/versions/v9/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/versions/v9/software/S0395">LightNeuron</a> can store email data in files and directories specified in its configuration, such as <code>C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\</code>.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="ESET LightNeuron May 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0409"> S0409 </a> </td> <td> <a href="/versions/v9/software/S0409"> Machete </a> </td> <td> <p><a href="/versions/v9/software/S0409">Machete</a> stores files and logs in a folder on the local drive.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" data-reference="ESET Machete July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="Cylance Machete Mar 2017"><sup><a href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0045"> G0045 </a> </td> <td> <a href="/versions/v9/groups/G0045"> menuPass </a> </td> <td> <p><a href="/versions/v9/groups/G0045">menuPass</a> stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" data-reference="PWC Cloud Hopper April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0443"> S0443 </a> </td> <td> <a href="/versions/v9/software/S0443"> MESSAGETAP </a> </td> <td> <p><a href="/versions/v9/software/S0443">MESSAGETAP</a> stored targeted SMS messages that matched its target list in CSV files on the compromised system.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" data-reference="FireEye MESSAGETAP October 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0149"> S0149 </a> </td> <td> <a href="/versions/v9/software/S0149"> MoonWind </a> </td> <td> <p><a href="/versions/v9/software/S0149">MoonWind</a> saves information from its keylogging routine as a .zip file in the present working directory.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" data-reference="Palo Alto MoonWind March 2017"><sup><a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0129"> G0129 </a> </td> <td> <a href="/versions/v9/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/versions/v9/groups/G0129">Mustang Panda</a> has stored collected credential files in <code>c:\windows\temp</code> prior to exfiltration. <a href="/versions/v9/groups/G0129">Mustang Panda</a> has also stored documents for exfiltration in a hidden folder on USB drives.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" data-reference="Secureworks BRONZE PRESIDENT December 2019"><sup><a href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span><span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" data-reference="Avira Mustang Panda January 2020"><sup><a href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0247"> S0247 </a> </td> <td> <a href="/versions/v9/software/S0247"> NavRAT </a> </td> <td> <p><a href="/versions/v9/software/S0247">NavRAT</a> writes multiple outputs to a TMP file using the &gt;&gt; method.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" data-reference="Talos NavRAT May 2018"><sup><a href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0198"> S0198 </a> </td> <td> <a href="/versions/v9/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/versions/v9/software/S0198">NETWIRE</a> has the ability to write collected data to a file created in the <code>./LOGS</code> directory.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" data-reference="FireEye NETWIRE March 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/03/dissecting-netwire-phishing-campaign-usage-of-process-hollowing.html" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0353"> S0353 </a> </td> <td> <a href="/versions/v9/software/S0353"> NOKKI </a> </td> <td> <p><a href="/versions/v9/software/S0353">NOKKI</a> can collect data from the victim and stage it in <code>LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp</code>.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" data-reference="Unit 42 NOKKI Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v9/software/S0264"> OopsIE </a> </td> <td> <p><a href="/versions/v9/software/S0264">OopsIE</a> stages the output from command execution and collected files in specific folders before exfiltration.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" data-reference="Unit 42 OopsIE! Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0116"> G0116 </a> </td> <td> <a href="/versions/v9/groups/G0116"> Operation Wocao </a> </td> <td> <p><a href="/versions/v9/groups/G0116">Operation Wocao</a> has staged archived files in a temporary directory prior to exfiltration.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" data-reference="FoxIT Wocao December 2019"><sup><a href="https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0040"> G0040 </a> </td> <td> <a href="/versions/v9/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/versions/v9/groups/G0040">Patchwork</a> copied all targeted files to a directory called index that was eventually uploaded to the C&amp;C server.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0012"> S0012 </a> </td> <td> <a href="/versions/v9/software/S0012"> PoisonIvy </a> </td> <td> <p><a href="/versions/v9/software/S0012">PoisonIvy</a> stages collected data in a text file.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" data-reference="Symantec Darkmoon Aug 2005"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0113"> S0113 </a> </td> <td> <a href="/versions/v9/software/S0113"> Prikormka </a> </td> <td> <p><a href="/versions/v9/software/S0113">Prikormka</a> creates a directory, <code>%USERPROFILE%\AppData\Local\SKC\</code>, which is used to store collected log files.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" data-reference="ESET Operation Groundbait"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0147"> S0147 </a> </td> <td> <a href="/versions/v9/software/S0147"> Pteranodon </a> </td> <td> <p><a href="/versions/v9/software/S0147">Pteranodon</a> creates various subdirectories under <code>%Temp%\reports\%</code> and copies files to those subdirectories. It also creates a folder at <code>C:\Users\<Username>\AppData\Roaming\Microsoft\store</code> to store screenshot JPEG files.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" data-reference="Palo Alto Gamaredon Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0196"> S0196 </a> </td> <td> <a href="/versions/v9/software/S0196"> PUNCHBUGGY </a> </td> <td> <p><a href="/versions/v9/software/S0196">PUNCHBUGGY</a> has saved information to a random temp file before exfil.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" data-reference="Morphisec ShellTea June 2019"><sup><a href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0197"> S0197 </a> </td> <td> <a href="/versions/v9/software/S0197"> PUNCHTRACK </a> </td> <td> <p><a href="/versions/v9/software/S0197">PUNCHTRACK</a> aggregates collected data in a tmp file.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0458"> S0458 </a> </td> <td> <a href="/versions/v9/software/S0458"> Ramsay </a> </td> <td> <p><a href="/versions/v9/software/S0458">Ramsay</a> can stage data prior to exfiltration in <code>%APPDATA%\Microsoft\UserSetting</code> and <code>%APPDATA%\Microsoft\UserSetting\MediaCache</code>.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" data-reference="Eset Ramsay May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span><span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" data-reference="Antiy CERT Ramsay April 2020"><sup><a href="https://www.programmersought.com/article/62493896999/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0169"> S0169 </a> </td> <td> <a href="/versions/v9/software/S0169"> RawPOS </a> </td> <td> <p>Data captured by <a href="/versions/v9/software/S0169">RawPOS</a> is placed in a temporary file under a directory named "memdump".<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" data-reference="Kroll RawPOS Jan 2017"><sup><a href="https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0090"> S0090 </a> </td> <td> <a href="/versions/v9/software/S0090"> Rover </a> </td> <td> <p><a href="/versions/v9/software/S0090">Rover</a> copies files from removable drives to <code>C:\system</code>.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" data-reference="Palo Alto Rover"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0121"> G0121 </a> </td> <td> <a href="/versions/v9/groups/G0121"> Sidewinder </a> </td> <td> <p><a href="/versions/v9/groups/G0121">Sidewinder</a> has collected stolen files in a temporary folder in preparation for exfiltration.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" data-reference="ATT Sidewinder January 2021"><sup><a href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0035"> S0035 </a> </td> <td> <a href="/versions/v9/software/S0035"> SPACESHIP </a> </td> <td> <p><a href="/versions/v9/software/S0035">SPACESHIP</a> identifies files with certain extensions and copies them to a directory in the user's profile.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0088"> G0088 </a> </td> <td> <a href="/versions/v9/groups/G0088"> TEMP.Veles </a> </td> <td> <p><a href="/versions/v9/groups/G0088">TEMP.Veles</a> has created staging folders in directories that were infrequently used by legitimate users or processes.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" data-reference="FireEye TRITON 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0027"> G0027 </a> </td> <td> <a href="/versions/v9/groups/G0027"> Threat Group-3390 </a> </td> <td> <p><a href="/versions/v9/groups/G0027">Threat Group-3390</a> has locally staged encrypted archives for later exfiltration efforts.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" data-reference="SecureWorks BRONZE UNION June 2017"><sup><a href="https://www.secureworks.com/research/bronze-union" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0094"> S0094 </a> </td> <td> <a href="/versions/v9/software/S0094"> Trojan.Karagany </a> </td> <td> <p><a href="/versions/v9/software/S0094">Trojan.Karagany</a> can create directories to store plugin output and stage data for exfiltration.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" data-reference="Symantec Dragonfly"><sup><a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span><span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" data-reference="Secureworks Karagany July 2019"><sup><a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0386"> S0386 </a> </td> <td> <a href="/versions/v9/software/S0386"> Ursnif </a> </td> <td> <p><a href="/versions/v9/software/S0386">Ursnif</a> has used tmp files to stage gathered information.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0136"> S0136 </a> </td> <td> <a href="/versions/v9/software/S0136"> USBStealer </a> </td> <td> <p><a href="/versions/v9/software/S0136">USBStealer</a> collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" data-reference="ESET Sednit USBStealer 2014"><sup><a href="http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span><span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0251"> S0251 </a> </td> <td> <a href="/versions/v9/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/versions/v9/software/S0251">Zebrocy</a> stores all collected information in a single file before exfiltration.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" data-reference="ESET Zebrocy Nov 2018"><sup><a href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <p> This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. </p> <h2 class="pt-3" id="detection">Detection</h2> <div> <p>Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.</p><p>Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> and <a href="/versions/v9/techniques/T1059/001">PowerShell</a>.</p> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank"> Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html" target="_blank"> valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank"> Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank"> Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank"> Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank"> Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" target="_blank"> Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank"> ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99" target="_blank"> Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank"> Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank"> Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank"> Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank"> Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank"> GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank"> hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank"> Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.youtube.com/watch?v=fevGZs0EQu8" target="_blank"> Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank"> FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" target="_blank"> FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank"> Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank"> Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="36.0"> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank"> CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank"> FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank"> The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html" target="_blank"> Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank"> Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank"> Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank"> Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.fireeye.com/blog/threat-research/2019/03/dissecting-netwire-phishing-campaign-usage-of-process-hollowing.html" target="_blank"> Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank"> Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank"> Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank"> Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank"> Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank"> Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank"> Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.programmersought.com/article/62493896999/" target="_blank"> Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware" target="_blank"> Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" target="_blank"> Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank"> Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank"> Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.secureworks.com/research/bronze-union" target="_blank"> Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" target="_blank"> Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank"> Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" target="_blank"> Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/" target="_blank"> ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?406"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> <script src="/versions/v9/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v9/theme/scripts/settings.js"></script> <script src="/versions/v9/theme/scripts/tour/tour-subtechniques.js"></script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10