<!DOCTYPE html> <html lang='en'> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Persistence, Tactic TA0003 - Enterprise | MITRE ATT&CK®</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <div class='container-fluid h-100'> <div class='row h-100'> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Persistence </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>The adversary is trying to maintain their foothold.</p><p>Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. </p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> TA0003</div> <div class="card-data"><span class="h5 card-title">Created: </span>17 October 2018</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>19 July 2019</div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of TA0003" href="/versions/v9/tactics/TA0003/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of TA0003" href="/tactics/TA0003/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id="techniques">Techniques</h2><h6 class="table-object-count">Techniques: 19</h6> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> 
<td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1098"> T1098 </a> </td> <td> <a href="/versions/v9/techniques/T1098"> Account Manipulation </a> </td> <td> Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1098/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1098/001"> Additional Cloud Credentials </a> </td> <td> Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1098/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1098/002"> Exchange Email Delegate Permissions </a> </td> <td> Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The <code>Add-MailboxPermission</code> <a href="/versions/v9/techniques/T1059/001">PowerShell</a> cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1098/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1098/003"> Add Office 365 Global Administrator Role </a> </td> <td> An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1098/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1098/004"> SSH Authorized Keys </a> </td> <td> Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>. Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1197"> T1197 </a> </td> <td> <a href="/versions/v9/techniques/T1197"> BITS Jobs </a> </td> <td> Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. 
Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through <a href="/versions/v9/techniques/T1559/001">Component Object Model</a> (COM). BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1547"> T1547 </a> </td> <td> <a href="/versions/v9/techniques/T1547"> Boot or Logon Autostart Execution </a> </td> <td> Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1547/001"> Registry Run Keys / Startup Folder </a> </td> <td> Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1547/002"> Authentication Package </a> </td> <td> Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1547/003"> Time Providers </a> </td> <td> Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1547/004"> Winlogon Helper DLL </a> </td> <td> Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1547/005"> Security Support Provider </a> </td> <td> Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1547/006"> Kernel Modules and Extensions </a> </td> <td> Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1547/007"> Re-opened Applications </a> </td> <td> Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist</code>. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1547/008"> LSASS Driver </a> </td> <td> Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1547/009"> Shortcut Modification </a> </td> <td> Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/010"> .010 </a> </td> <td> <a href="/versions/v9/techniques/T1547/010"> Port Monitors </a> </td> <td> Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup. This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. 
Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1547/011"> Plist Modification </a> </td> <td> Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X use to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by &lt; &gt;. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1547/012"> Print Processors </a> </td> <td> Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/013"> .013 </a> </td> <td> <a href="/versions/v9/techniques/T1547/013"> XDG Autostart Entries </a> </td> <td> Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. 
These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the <code>/etc/xdg/autostart</code> or <code>~/.config/autostart</code> directories and have a .desktop file extension. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/014"> .014 </a> </td> <td> <a href="/versions/v9/techniques/T1547/014"> Active Setup </a> </td> <td> Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1037"> T1037 </a> </td> <td> <a href="/versions/v9/techniques/T1037"> Boot or Logon Initialization Scripts </a> </td> <td> Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1037/001"> Logon Script (Windows) </a> </td> <td> Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. 
This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1037/002"> Logon Script (Mac) </a> </td> <td> Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike <a href="/versions/v9/techniques/T1037/005">Startup Items</a>, a login hook executes as the elevated root user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1037/003"> Network Logon Script </a> </td> <td> Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1037/004"> RC Scripts </a> </td> <td> Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1037/005"> Startup Items </a> </td> <td> Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1176"> T1176 </a> </td> <td> <a href="/versions/v9/techniques/T1176"> Browser Extensions </a> </td> <td> Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1554"> T1554 </a> </td> <td> <a href="/versions/v9/techniques/T1554"> Compromise Client Software Binary </a> </td> <td> Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1136"> T1136 </a> </td> <td> <a href="/versions/v9/techniques/T1136"> Create Account </a> </td> <td> Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1136/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1136/001"> Local Account </a> </td> <td> Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1136/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1136/002"> Domain Account </a> </td> <td> Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1136/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1136/003"> Cloud Account </a> </td> <td> Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1543"> T1543 </a> </td> <td> <a href="/versions/v9/techniques/T1543"> Create or Modify System Process </a> </td> <td> Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as <a href="/versions/v9/techniques/T1543/004">Launch Daemon</a> and <a href="/versions/v9/techniques/T1543/001">Launch Agent</a> are run to finish system initialization and load user specific parameters. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1543/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1543/001"> Launch Agent </a> </td> <td> Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple's developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code>. These launch agents have property list files which point to the executables that will be launched. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1543/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1543/002"> Systemd Service </a> </td> <td> Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. 
Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1543/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1543/003"> Windows Service </a> </td> <td> Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and <a href="/versions/v9/software/S0075">Reg</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1543/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1543/004"> Launch Daemon </a> </td> <td> Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple's developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code>. These LaunchDaemons have property list files which point to the executables that will be launched. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1546"> T1546 </a> </td> <td> <a href="/versions/v9/techniques/T1546"> Event Triggered Execution </a> </td> <td> Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1546/001"> Change Default File Association </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1546/002"> Screensaver </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1546/003"> Windows Management Instrumentation Event Subscription </a> </td> <td> Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user logon, or the computer's uptime. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1546/004"> Unix Shell Configuration Modification </a> </td> <td> Adversaries may establish persistence through executing malicious commands triggered by a user's shell. User <a href="/versions/v9/techniques/T1059/004">Unix Shell</a>s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user's home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user's environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1546/005"> Trap </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1546/006"> LC_LOAD_DYLIB Addition </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1546/007"> Netsh Helper DLL </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1546/008"> Accessibility Features </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1546/009"> AppCert DLLs </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/010"> .010 </a> </td> <td> <a href="/versions/v9/techniques/T1546/010"> AppInit DLLs </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1546/011"> Application Shimming </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1546/012"> Image File Execution Options Injection </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application's IFEO will be prepended to the application's name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/013"> .013 </a> </td> <td> <a href="/versions/v9/techniques/T1546/013"> PowerShell Profile </a> </td> <td> Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when <a href="/versions/v9/techniques/T1059/001">PowerShell</a> starts and can be used as a logon script to customize user environments. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/014"> .014 </a> </td> <td> <a href="/versions/v9/techniques/T1546/014"> Emond </a> </td> <td> Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a <a href="/versions/v9/techniques/T1543/004">Launch Daemon</a> that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/015"> .015 </a> </td> <td> <a href="/versions/v9/techniques/T1546/015"> Component Object Model Hijacking </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1133"> T1133 </a> </td> <td> <a href="/versions/v9/techniques/T1133"> External Remote Services </a> </td> <td> Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as <a href="/versions/v9/techniques/T1021/006">Windows Remote Management</a> can also be used externally. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1574"> T1574 </a> </td> <td> <a href="/versions/v9/techniques/T1574"> Hijack Execution Flow </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1574/001"> DLL Search Order Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1574/002"> DLL Side-Loading </a> </td> <td> Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to <a href="/versions/v9/techniques/T1574/001">DLL Search Order Hijacking</a>, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1574/004"> Dylib Hijacking </a> </td> <td> Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1574/005"> Executable Installer File Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. 
These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1574/006"> Dynamic Linker Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1574/007"> Path Interception by PATH Environment Variable </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. 
Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1574/008"> Path Interception by Search Order Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1574/009"> Path Interception by Unquoted Path </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/010"> .010 </a> </td> <td> <a href="/versions/v9/techniques/T1574/010"> Services File Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. 
If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1574/011"> Services Registry Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in Registry permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, or <a href="/versions/v9/software/S0075">Reg</a>. Access to Registry keys is controlled through Access Control Lists and permissions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1574/012"> COR_PROFILER </a> </td> <td> Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). 
These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1525"> T1525 </a> </td> <td> <a href="/versions/v9/techniques/T1525"> Implant Internal Image </a> </td> <td> Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike <a href="/versions/v9/techniques/T1608/001">Upload Malware</a>, this technique focuses on adversaries implanting an image in a registry within a victim's environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1556"> T1556 </a> </td> <td> <a href="/versions/v9/techniques/T1556"> Modify Authentication Process </a> </td> <td> Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using <a href="/versions/v9/techniques/T1078">Valid Accounts</a>. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1556/001"> Domain Controller Authentication </a> </td> <td> Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1556/002"> Password Filter DLL </a> </td> <td> Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1556/003"> Pluggable Authentication Modules </a> </td> <td> Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1556/004"> Network Device Authentication </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1601/001">Patch System Image</a> to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1137"> T1137 </a> </td> <td> <a href="/versions/v9/techniques/T1137"> Office Application Startup </a> </td> <td> Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1137/001"> Office Template Macros </a> </td> <td> Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1137/002"> Office Test </a> </td> <td> Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1137/003"> Outlook Forms </a> </td> <td> Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1137/004"> Outlook Home Page </a> </td> <td> Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1137/005"> Outlook Rules </a> </td> <td> Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1137/006"> Add-ins </a> </td> <td> Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1542"> T1542 </a> </td> <td> <a href="/versions/v9/techniques/T1542"> Pre-OS Boot </a> </td> <td> Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1542/001"> System Firmware </a> </td> <td> Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1542/002"> Component Firmware </a> </td> <td> Adversaries may modify component firmware to persist on systems. 
Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to <a href="/versions/v9/techniques/T1542/001">System Firmware</a> but conducted upon other system components/devices that may not have the same capability or level of integrity checking. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1542/003"> Bootkit </a> </td> <td> Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1542/004"> ROMMONkit </a> </td> <td> Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1542/005"> TFTP Boot </a> </td> <td> Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1053"> T1053 </a> </td> <td> <a href="/versions/v9/techniques/T1053"> Scheduled Task/Job </a> </td> <td> Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1053/001"> At (Linux) </a> </td> <td> Adversaries may abuse the <a href="/versions/v9/software/S0110">at</a> utility to perform task scheduling for initial or recurring execution of malicious code. The <a href="/versions/v9/software/S0110">at</a> command within Linux operating systems enables administrators to schedule tasks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1053/002"> At (Windows) </a> </td> <td> Adversaries may abuse the <code>at.exe</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <a href="/versions/v9/software/S0110">at</a> utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using <a href="/versions/v9/software/S0110">at</a> requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1053/003"> Cron </a> </td> <td> Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code>crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1053/004"> Launchd </a> </td> <td> Adversaries may abuse the <code>launchd</code> daemon to perform task scheduling for initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code>. These LaunchDaemons have property list files which point to the executables that will be launched. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1053/005"> Scheduled Task </a> </td> <td> Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The <code>schtasks</code> utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. 
In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1053/006"> Systemd Timers </a> </td> <td> Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to <a href="/versions/v9/techniques/T1053/003">Cron</a> in Linux environments. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1053/007"> Container Orchestration Job </a> </td> <td> Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1505"> T1505 </a> </td> <td> <a href="/versions/v9/techniques/T1505"> Server Software Component </a> </td> <td> Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. 
Adversaries may install malicious components to extend and abuse server applications. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1505/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1505/001"> SQL Stored Procedures </a> </td> <td> Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL stored procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1505/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1505/002"> Transport Agent </a> </td> <td> Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer-defined tasks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1505/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1505/003"> Web Shell </a> </td> <td> Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. 
A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1205"> T1205 </a> </td> <td> <a href="/versions/v9/techniques/T1205"> Traffic Signaling </a> </td> <td> Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. <a href="/versions/v9/techniques/T1205/001">Port Knocking</a>), but it can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1205/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1205/001"> Port Knocking </a> </td> <td> Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1078"> T1078 </a> </td> <td> <a href="/versions/v9/techniques/T1078"> Valid Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1078/001"> Default Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider-set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1078/002"> Domain Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. 
Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1078/003"> Local Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1078/004"> Cloud Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with a traditional identity management system, such as Windows Active Directory. 
</td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&CK content version 9.0
Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?5694"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> </body> </html>