CINXE.COM
Archive Collected Data: Archive via Utility, Sub-technique T1560.001 - Enterprise | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Archive Collected Data: Archive via Utility, Sub-technique T1560.001 - Enterprise | MITRE ATT&CK®</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical"> <span class="heading" id="v-home-tab" aria-selected="false">TECHNIQUES</span> <div class="sidenav"> <div class="sidenav-head " id="enterprise"> <a href="/versions/v9/techniques/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043"> <a href="/versions/v9/tactics/TA0043"> Reconnaissance </a> <div class="expand-button collapsed" id="enterprise-TA0043-header" data-toggle="collapse" data-target="#enterprise-TA0043-body" aria-expanded="false" aria-controls="#enterprise-TA0043-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-body" aria-labelledby="enterprise-TA0043-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595"> <a href="/versions/v9/techniques/T1595/"> Active Scanning </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1595-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1595-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1595-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1595-body" aria-labelledby="enterprise-TA0043-T1595-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.001"> <a href="/versions/v9/techniques/T1595/001/"> Scanning IP Blocks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.002"> <a href="/versions/v9/techniques/T1595/002/"> Vulnerability Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592"> <a href="/versions/v9/techniques/T1592/"> Gather Victim Host Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1592-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1592-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1592-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1592-body" aria-labelledby="enterprise-TA0043-T1592-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.001"> <a href="/versions/v9/techniques/T1592/001/"> Hardware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.002"> <a href="/versions/v9/techniques/T1592/002/"> Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.003"> <a href="/versions/v9/techniques/T1592/003/"> Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.004"> <a href="/versions/v9/techniques/T1592/004/"> Client Configurations </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589"> <a href="/versions/v9/techniques/T1589/"> Gather Victim Identity Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1589-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1589-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1589-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1589-body" aria-labelledby="enterprise-TA0043-T1589-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.001"> <a href="/versions/v9/techniques/T1589/001/"> Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.002"> <a href="/versions/v9/techniques/T1589/002/"> Email Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.003"> <a href="/versions/v9/techniques/T1589/003/"> Employee Names </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590"> <a href="/versions/v9/techniques/T1590/"> Gather Victim Network Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1590-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1590-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1590-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1590-body" aria-labelledby="enterprise-TA0043-T1590-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.001"> <a href="/versions/v9/techniques/T1590/001/"> Domain Properties </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.002"> <a href="/versions/v9/techniques/T1590/002/"> DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.003"> <a href="/versions/v9/techniques/T1590/003/"> Network Trust Dependencies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.004"> <a href="/versions/v9/techniques/T1590/004/"> Network Topology </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.005"> <a href="/versions/v9/techniques/T1590/005/"> IP Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.006"> <a href="/versions/v9/techniques/T1590/006/"> Network Security Appliances </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591"> <a href="/versions/v9/techniques/T1591/"> Gather Victim Org Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1591-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1591-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1591-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1591-body" aria-labelledby="enterprise-TA0043-T1591-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.001"> <a href="/versions/v9/techniques/T1591/001/"> Determine Physical Locations </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.002"> <a href="/versions/v9/techniques/T1591/002/"> Business Relationships </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.003"> <a href="/versions/v9/techniques/T1591/003/"> Identify Business Tempo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.004"> <a href="/versions/v9/techniques/T1591/004/"> Identify Roles </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598"> <a href="/versions/v9/techniques/T1598/"> Phishing for Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1598-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1598-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1598-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1598-body" aria-labelledby="enterprise-TA0043-T1598-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.001"> <a href="/versions/v9/techniques/T1598/001/"> Spearphishing Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.002"> <a href="/versions/v9/techniques/T1598/002/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.003"> <a href="/versions/v9/techniques/T1598/003/"> Spearphishing Link </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597"> <a href="/versions/v9/techniques/T1597/"> Search Closed Sources </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1597-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1597-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1597-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1597-body" aria-labelledby="enterprise-TA0043-T1597-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.001"> <a href="/versions/v9/techniques/T1597/001/"> Threat Intel Vendors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.002"> <a href="/versions/v9/techniques/T1597/002/"> Purchase Technical Data </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596"> <a href="/versions/v9/techniques/T1596/"> Search Open Technical Databases </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1596-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1596-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1596-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1596-body" aria-labelledby="enterprise-TA0043-T1596-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.001"> <a href="/versions/v9/techniques/T1596/001/"> DNS/Passive DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.002"> <a href="/versions/v9/techniques/T1596/002/"> WHOIS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.003"> <a href="/versions/v9/techniques/T1596/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.004"> <a href="/versions/v9/techniques/T1596/004/"> CDNs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.005"> <a href="/versions/v9/techniques/T1596/005/"> Scan Databases </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593"> <a href="/versions/v9/techniques/T1593/"> Search Open Websites/Domains </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1593-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1593-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1593-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1593-body" aria-labelledby="enterprise-TA0043-T1593-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.001"> <a href="/versions/v9/techniques/T1593/001/"> Social Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.002"> <a href="/versions/v9/techniques/T1593/002/"> Search Engines </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1594"> <a href="/versions/v9/techniques/T1594/"> Search Victim-Owned Websites </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042"> <a href="/versions/v9/tactics/TA0042"> Resource Development </a> <div class="expand-button collapsed" id="enterprise-TA0042-header" data-toggle="collapse" data-target="#enterprise-TA0042-body" aria-expanded="false" aria-controls="#enterprise-TA0042-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-body" aria-labelledby="enterprise-TA0042-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583"> <a href="/versions/v9/techniques/T1583/"> Acquire Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1583-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1583-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1583-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1583-body" aria-labelledby="enterprise-TA0042-T1583-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.001"> <a href="/versions/v9/techniques/T1583/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.002"> <a href="/versions/v9/techniques/T1583/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.003"> <a href="/versions/v9/techniques/T1583/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.004"> <a href="/versions/v9/techniques/T1583/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.005"> <a href="/versions/v9/techniques/T1583/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.006"> <a href="/versions/v9/techniques/T1583/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586"> <a href="/versions/v9/techniques/T1586/"> Compromise Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1586-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1586-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1586-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1586-body" aria-labelledby="enterprise-TA0042-T1586-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.001"> <a href="/versions/v9/techniques/T1586/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.002"> <a href="/versions/v9/techniques/T1586/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584"> <a href="/versions/v9/techniques/T1584/"> Compromise Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1584-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1584-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1584-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1584-body" aria-labelledby="enterprise-TA0042-T1584-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.001"> <a href="/versions/v9/techniques/T1584/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.002"> <a href="/versions/v9/techniques/T1584/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.003"> <a href="/versions/v9/techniques/T1584/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.004"> <a href="/versions/v9/techniques/T1584/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.005"> <a href="/versions/v9/techniques/T1584/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.006"> <a href="/versions/v9/techniques/T1584/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587"> <a href="/versions/v9/techniques/T1587/"> Develop Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1587-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1587-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1587-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1587-body" aria-labelledby="enterprise-TA0042-T1587-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.001"> <a href="/versions/v9/techniques/T1587/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.002"> <a href="/versions/v9/techniques/T1587/002/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.003"> <a href="/versions/v9/techniques/T1587/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.004"> <a href="/versions/v9/techniques/T1587/004/"> Exploits </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585"> <a href="/versions/v9/techniques/T1585/"> Establish Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1585-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1585-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1585-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1585-body" aria-labelledby="enterprise-TA0042-T1585-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.001"> <a href="/versions/v9/techniques/T1585/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.002"> <a href="/versions/v9/techniques/T1585/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588"> <a href="/versions/v9/techniques/T1588/"> Obtain Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1588-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1588-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1588-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1588-body" aria-labelledby="enterprise-TA0042-T1588-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.001"> <a href="/versions/v9/techniques/T1588/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.002"> <a href="/versions/v9/techniques/T1588/002/"> Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.003"> <a href="/versions/v9/techniques/T1588/003/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.004"> <a href="/versions/v9/techniques/T1588/004/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.005"> <a href="/versions/v9/techniques/T1588/005/"> Exploits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.006"> <a href="/versions/v9/techniques/T1588/006/"> Vulnerabilities </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608"> <a href="/versions/v9/techniques/T1608/"> Stage Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1608-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1608-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1608-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1608-body" aria-labelledby="enterprise-TA0042-T1608-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.001"> <a href="/versions/v9/techniques/T1608/001/"> Upload Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.002"> <a href="/versions/v9/techniques/T1608/002/"> Upload Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.003"> <a href="/versions/v9/techniques/T1608/003/"> Install Digital Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.004"> <a href="/versions/v9/techniques/T1608/004/"> Drive-by Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.005"> <a href="/versions/v9/techniques/T1608/005/"> Link Target </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001"> <a href="/versions/v9/tactics/TA0001"> Initial Access </a> <div class="expand-button collapsed" id="enterprise-TA0001-header" data-toggle="collapse" data-target="#enterprise-TA0001-body" aria-expanded="false" aria-controls="#enterprise-TA0001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-body" aria-labelledby="enterprise-TA0001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1189"> <a href="/versions/v9/techniques/T1189/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1190"> <a href="/versions/v9/techniques/T1190/"> Exploit Public-Facing Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1200"> <a href="/versions/v9/techniques/T1200/"> Hardware Additions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1566"> <a href="/versions/v9/techniques/T1566/"> Phishing </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1566-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1566-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1566-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1566-body" aria-labelledby="enterprise-TA0001-T1566-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.001"> <a href="/versions/v9/techniques/T1566/001/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.002"> <a href="/versions/v9/techniques/T1566/002/"> Spearphishing Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.003"> <a href="/versions/v9/techniques/T1566/003/"> Spearphishing via Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1195"> <a href="/versions/v9/techniques/T1195/"> Supply Chain Compromise </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1195-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1195-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1195-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1195-body" aria-labelledby="enterprise-TA0001-T1195-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.001"> <a href="/versions/v9/techniques/T1195/001/"> Compromise Software Dependencies and Development Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.002"> <a href="/versions/v9/techniques/T1195/002/"> Compromise Software Supply Chain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.003"> <a href="/versions/v9/techniques/T1195/003/"> Compromise Hardware Supply Chain </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1199"> <a href="/versions/v9/techniques/T1199/"> Trusted Relationship </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1078-body" aria-labelledby="enterprise-TA0001-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002"> <a href="/versions/v9/tactics/TA0002"> Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-header" data-toggle="collapse" data-target="#enterprise-TA0002-body" aria-expanded="false" aria-controls="#enterprise-TA0002-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-body" aria-labelledby="enterprise-TA0002-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1059"> <a href="/versions/v9/techniques/T1059/"> Command and Scripting Interpreter </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1059-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1059-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1059-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1059-body" aria-labelledby="enterprise-TA0002-T1059-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.001"> <a href="/versions/v9/techniques/T1059/001/"> PowerShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.002"> <a href="/versions/v9/techniques/T1059/002/"> AppleScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.003"> <a href="/versions/v9/techniques/T1059/003/"> Windows Command Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.004"> <a href="/versions/v9/techniques/T1059/004/"> Unix Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.005"> <a href="/versions/v9/techniques/T1059/005/"> Visual Basic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.006"> <a href="/versions/v9/techniques/T1059/006/"> Python </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.007"> <a href="/versions/v9/techniques/T1059/007/"> JavaScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.008"> <a href="/versions/v9/techniques/T1059/008/"> Network Device CLI </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1609"> <a href="/versions/v9/techniques/T1609/"> Container Administration Command </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1203"> <a href="/versions/v9/techniques/T1203/"> Exploitation for Client Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1559"> <a href="/versions/v9/techniques/T1559/"> Inter-Process Communication </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1559-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1559-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1559-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1559-body" aria-labelledby="enterprise-TA0002-T1559-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.001"> <a href="/versions/v9/techniques/T1559/001/"> Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.002"> <a href="/versions/v9/techniques/T1559/002/"> Dynamic Data Exchange </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1106"> <a href="/versions/v9/techniques/T1106/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1053-body" aria-labelledby="enterprise-TA0002-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1129"> <a href="/versions/v9/techniques/T1129/"> Shared Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1569"> <a href="/versions/v9/techniques/T1569/"> System Services </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1569-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1569-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1569-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1569-body" aria-labelledby="enterprise-TA0002-T1569-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.001"> <a href="/versions/v9/techniques/T1569/001/"> Launchctl </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.002"> <a href="/versions/v9/techniques/T1569/002/"> Service Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1204"> <a href="/versions/v9/techniques/T1204/"> User Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1204-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1204-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1204-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1204-body" aria-labelledby="enterprise-TA0002-T1204-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.001"> <a href="/versions/v9/techniques/T1204/001/"> Malicious Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.002"> <a href="/versions/v9/techniques/T1204/002/"> Malicious File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.003"> <a href="/versions/v9/techniques/T1204/003/"> Malicious Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1047"> <a href="/versions/v9/techniques/T1047/"> Windows Management Instrumentation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003"> <a href="/versions/v9/tactics/TA0003"> Persistence </a> <div class="expand-button collapsed" id="enterprise-TA0003-header" data-toggle="collapse" data-target="#enterprise-TA0003-body" aria-expanded="false" aria-controls="#enterprise-TA0003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-body" aria-labelledby="enterprise-TA0003-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098"> <a href="/versions/v9/techniques/T1098/"> Account Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1098-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1098-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1098-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1098-body" aria-labelledby="enterprise-TA0003-T1098-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.001"> <a href="/versions/v9/techniques/T1098/001/"> Additional Cloud Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.002"> <a href="/versions/v9/techniques/T1098/002/"> Exchange Email Delegate Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.003"> <a href="/versions/v9/techniques/T1098/003/"> Add Office 365 Global Administrator Role </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.004"> <a href="/versions/v9/techniques/T1098/004/"> SSH Authorized Keys </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1547-body" aria-labelledby="enterprise-TA0003-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1037-body" aria-labelledby="enterprise-TA0003-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1176"> <a href="/versions/v9/techniques/T1176/"> Browser Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1554"> <a href="/versions/v9/techniques/T1554/"> Compromise Client Software Binary </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136"> <a href="/versions/v9/techniques/T1136/"> Create Account </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1136-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1136-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1136-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1136-body" aria-labelledby="enterprise-TA0003-T1136-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.001"> <a href="/versions/v9/techniques/T1136/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.002"> <a href="/versions/v9/techniques/T1136/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.003"> <a href="/versions/v9/techniques/T1136/003/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1543-body" aria-labelledby="enterprise-TA0003-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1546-body" aria-labelledby="enterprise-TA0003-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1574-body" aria-labelledby="enterprise-TA0003-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1525"> <a href="/versions/v9/techniques/T1525/"> Implant Internal Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1556-body" aria-labelledby="enterprise-TA0003-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137"> <a href="/versions/v9/techniques/T1137/"> Office Application Startup </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1137-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1137-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1137-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1137-body" aria-labelledby="enterprise-TA0003-T1137-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.001"> <a href="/versions/v9/techniques/T1137/001/"> Office Template Macros </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.002"> <a href="/versions/v9/techniques/T1137/002/"> Office Test </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.003"> <a href="/versions/v9/techniques/T1137/003/"> Outlook Forms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.004"> <a href="/versions/v9/techniques/T1137/004/"> Outlook Home Page </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.005"> <a href="/versions/v9/techniques/T1137/005/"> Outlook Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.006"> <a href="/versions/v9/techniques/T1137/006/"> Add-ins </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1542-body" aria-labelledby="enterprise-TA0003-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1053-body" aria-labelledby="enterprise-TA0003-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505"> <a href="/versions/v9/techniques/T1505/"> Server Software Component </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1505-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1505-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1505-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1505-body" aria-labelledby="enterprise-TA0003-T1505-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.001"> <a href="/versions/v9/techniques/T1505/001/"> SQL Stored Procedures </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.002"> <a href="/versions/v9/techniques/T1505/002/"> Transport Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.003"> <a href="/versions/v9/techniques/T1505/003/"> Web Shell </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1205-body" aria-labelledby="enterprise-TA0003-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1078-body" aria-labelledby="enterprise-TA0003-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004"> <a href="/versions/v9/tactics/TA0004"> Privilege Escalation </a> <div class="expand-button collapsed" id="enterprise-TA0004-header" data-toggle="collapse" data-target="#enterprise-TA0004-body" aria-expanded="false" aria-controls="#enterprise-TA0004-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-body" aria-labelledby="enterprise-TA0004-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1548-body" aria-labelledby="enterprise-TA0004-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1134-body" aria-labelledby="enterprise-TA0004-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1547-body" aria-labelledby="enterprise-TA0004-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1037-body" aria-labelledby="enterprise-TA0004-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1543-body" aria-labelledby="enterprise-TA0004-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1484-body" aria-labelledby="enterprise-TA0004-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1611"> <a href="/versions/v9/techniques/T1611/"> Escape to Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1546-body" aria-labelledby="enterprise-TA0004-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1068"> <a href="/versions/v9/techniques/T1068/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1574-body" aria-labelledby="enterprise-TA0004-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1055-body" aria-labelledby="enterprise-TA0004-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1053-body" aria-labelledby="enterprise-TA0004-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1078-body" aria-labelledby="enterprise-TA0004-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005"> <a href="/versions/v9/tactics/TA0005"> Defense Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-header" data-toggle="collapse" data-target="#enterprise-TA0005-body" aria-expanded="false" aria-controls="#enterprise-TA0005-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-body" aria-labelledby="enterprise-TA0005-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1548-body" aria-labelledby="enterprise-TA0005-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1134-body" aria-labelledby="enterprise-TA0005-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1612"> <a href="/versions/v9/techniques/T1612/"> Build Image on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1140"> <a href="/versions/v9/techniques/T1140/"> Deobfuscate/Decode Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1006"> <a href="/versions/v9/techniques/T1006/"> Direct Volume Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1484-body" aria-labelledby="enterprise-TA0005-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480"> <a href="/versions/v9/techniques/T1480/"> Execution Guardrails </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1480-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1480-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1480-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1480-body" aria-labelledby="enterprise-TA0005-T1480-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1480-T1480.001"> <a href="/versions/v9/techniques/T1480/001/"> Environmental Keying </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1211"> <a href="/versions/v9/techniques/T1211/"> Exploitation for Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222"> <a href="/versions/v9/techniques/T1222/"> File and Directory Permissions Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1222-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1222-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1222-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1222-body" aria-labelledby="enterprise-TA0005-T1222-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.001"> <a href="/versions/v9/techniques/T1222/001/"> Windows File and Directory Permissions Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.002"> <a href="/versions/v9/techniques/T1222/002/"> Linux and Mac File and Directory Permissions Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564"> <a href="/versions/v9/techniques/T1564/"> Hide Artifacts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1564-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1564-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1564-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1564-body" aria-labelledby="enterprise-TA0005-T1564-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.001"> <a href="/versions/v9/techniques/T1564/001/"> Hidden Files and Directories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.002"> <a href="/versions/v9/techniques/T1564/002/"> Hidden Users </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.003"> <a href="/versions/v9/techniques/T1564/003/"> Hidden Window </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.004"> <a href="/versions/v9/techniques/T1564/004/"> NTFS File Attributes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.005"> <a href="/versions/v9/techniques/T1564/005/"> Hidden File System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.006"> <a href="/versions/v9/techniques/T1564/006/"> Run Virtual Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.007"> <a href="/versions/v9/techniques/T1564/007/"> VBA Stomping </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1574-body" aria-labelledby="enterprise-TA0005-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562"> <a href="/versions/v9/techniques/T1562/"> Impair Defenses </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1562-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1562-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1562-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1562-body" aria-labelledby="enterprise-TA0005-T1562-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.001"> <a href="/versions/v9/techniques/T1562/001/"> Disable or Modify Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.002"> <a href="/versions/v9/techniques/T1562/002/"> Disable Windows Event Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.003"> <a href="/versions/v9/techniques/T1562/003/"> Impair Command History Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.004"> <a href="/versions/v9/techniques/T1562/004/"> Disable or Modify System Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.006"> <a href="/versions/v9/techniques/T1562/006/"> Indicator Blocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.007"> <a href="/versions/v9/techniques/T1562/007/"> Disable or Modify Cloud Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.008"> <a href="/versions/v9/techniques/T1562/008/"> Disable Cloud Logs </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070"> <a href="/versions/v9/techniques/T1070/"> Indicator Removal on Host </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1070-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1070-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1070-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1070-body" aria-labelledby="enterprise-TA0005-T1070-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.001"> <a href="/versions/v9/techniques/T1070/001/"> Clear Windows Event Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.002"> <a href="/versions/v9/techniques/T1070/002/"> Clear Linux or Mac System Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.003"> <a href="/versions/v9/techniques/T1070/003/"> Clear Command History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.004"> <a href="/versions/v9/techniques/T1070/004/"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.005"> <a href="/versions/v9/techniques/T1070/005/"> Network Share Connection Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.006"> <a href="/versions/v9/techniques/T1070/006/"> Timestomp </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1202"> <a href="/versions/v9/techniques/T1202/"> Indirect Command Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036"> <a href="/versions/v9/techniques/T1036/"> Masquerading </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1036-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1036-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1036-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1036-body" aria-labelledby="enterprise-TA0005-T1036-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.001"> <a href="/versions/v9/techniques/T1036/001/"> Invalid Code Signature </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.002"> <a href="/versions/v9/techniques/T1036/002/"> Right-to-Left Override </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.003"> <a href="/versions/v9/techniques/T1036/003/"> Rename System Utilities </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.004"> <a href="/versions/v9/techniques/T1036/004/"> Masquerade Task or Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.005"> <a href="/versions/v9/techniques/T1036/005/"> Match Legitimate Name or Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.006"> <a href="/versions/v9/techniques/T1036/006/"> Space after Filename </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1556-body" aria-labelledby="enterprise-TA0005-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578"> <a href="/versions/v9/techniques/T1578/"> Modify Cloud Compute Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1578-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1578-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1578-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1578-body" aria-labelledby="enterprise-TA0005-T1578-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.001"> <a href="/versions/v9/techniques/T1578/001/"> Create Snapshot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.002"> <a href="/versions/v9/techniques/T1578/002/"> Create Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.003"> <a href="/versions/v9/techniques/T1578/003/"> Delete Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.004"> <a href="/versions/v9/techniques/T1578/004/"> Revert Cloud Instance </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1112"> <a href="/versions/v9/techniques/T1112/"> Modify Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1601"> <a href="/versions/v9/techniques/T1601/"> Modify System Image </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1601-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1601-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1601-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1601-body" aria-labelledby="enterprise-TA0005-T1601-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.001"> <a href="/versions/v9/techniques/T1601/001/"> Patch System Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.002"> <a href="/versions/v9/techniques/T1601/002/"> Downgrade System Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1599"> <a href="/versions/v9/techniques/T1599/"> Network Boundary Bridging </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1599-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1599-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1599-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1599-body" aria-labelledby="enterprise-TA0005-T1599-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1599-T1599.001"> <a href="/versions/v9/techniques/T1599/001/"> Network Address Translation Traversal </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027"> <a href="/versions/v9/techniques/T1027/"> Obfuscated Files or Information </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1027-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1027-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1027-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1027-body" aria-labelledby="enterprise-TA0005-T1027-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.001"> <a href="/versions/v9/techniques/T1027/001/"> Binary Padding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.002"> <a href="/versions/v9/techniques/T1027/002/"> Software Packing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.003"> <a href="/versions/v9/techniques/T1027/003/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.004"> <a href="/versions/v9/techniques/T1027/004/"> Compile After Delivery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.005"> <a href="/versions/v9/techniques/T1027/005/"> Indicator Removal from Tools </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1542-body" aria-labelledby="enterprise-TA0005-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1055-body" aria-labelledby="enterprise-TA0005-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1207"> <a href="/versions/v9/techniques/T1207/"> Rogue Domain Controller </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1014"> <a href="/versions/v9/techniques/T1014/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218"> <a href="/versions/v9/techniques/T1218/"> Signed Binary Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1218-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1218-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1218-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1218-body" aria-labelledby="enterprise-TA0005-T1218-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.001"> <a href="/versions/v9/techniques/T1218/001/"> Compiled HTML File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.002"> <a href="/versions/v9/techniques/T1218/002/"> Control Panel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.003"> <a href="/versions/v9/techniques/T1218/003/"> CMSTP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.004"> <a href="/versions/v9/techniques/T1218/004/"> InstallUtil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.005"> <a href="/versions/v9/techniques/T1218/005/"> Mshta </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.007"> <a href="/versions/v9/techniques/T1218/007/"> Msiexec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.008"> <a href="/versions/v9/techniques/T1218/008/"> Odbcconf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.009"> <a href="/versions/v9/techniques/T1218/009/"> Regsvcs/Regasm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.010"> <a href="/versions/v9/techniques/T1218/010/"> Regsvr32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.011"> <a href="/versions/v9/techniques/T1218/011/"> Rundll32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.012"> <a href="/versions/v9/techniques/T1218/012/"> Verclsid </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1216"> <a href="/versions/v9/techniques/T1216/"> Signed Script Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1216-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1216-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1216-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1216-body" aria-labelledby="enterprise-TA0005-T1216-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1216-T1216.001"> <a href="/versions/v9/techniques/T1216/001/"> PubPrn </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553"> <a href="/versions/v9/techniques/T1553/"> Subvert Trust Controls </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1553-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1553-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1553-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1553-body" aria-labelledby="enterprise-TA0005-T1553-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.001"> <a href="/versions/v9/techniques/T1553/001/"> Gatekeeper Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.002"> <a href="/versions/v9/techniques/T1553/002/"> Code Signing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.003"> <a href="/versions/v9/techniques/T1553/003/"> SIP and Trust Provider Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.004"> <a href="/versions/v9/techniques/T1553/004/"> Install Root Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.005"> <a href="/versions/v9/techniques/T1553/005/"> Mark-of-the-Web Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.006"> <a href="/versions/v9/techniques/T1553/006/"> Code Signing Policy Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1221"> <a href="/versions/v9/techniques/T1221/"> Template Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1205-body" aria-labelledby="enterprise-TA0005-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1127"> <a href="/versions/v9/techniques/T1127/"> Trusted Developer Utilities Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1127-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1127-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1127-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1127-body" aria-labelledby="enterprise-TA0005-T1127-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1127-T1127.001"> <a href="/versions/v9/techniques/T1127/001/"> MSBuild </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1535"> <a href="/versions/v9/techniques/T1535/"> Unused/Unsupported Cloud Regions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1550-body" aria-labelledby="enterprise-TA0005-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1078-body" aria-labelledby="enterprise-TA0005-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1497-body" aria-labelledby="enterprise-TA0005-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1600"> <a href="/versions/v9/techniques/T1600/"> Weaken Encryption </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1600-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1600-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1600-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1600-body" aria-labelledby="enterprise-TA0005-T1600-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.001"> <a href="/versions/v9/techniques/T1600/001/"> Reduce Key Space </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.002"> <a href="/versions/v9/techniques/T1600/002/"> Disable Crypto Hardware </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1220"> <a href="/versions/v9/techniques/T1220/"> XSL Script Processing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006"> <a href="/versions/v9/tactics/TA0006"> Credential Access </a> <div class="expand-button collapsed" id="enterprise-TA0006-header" data-toggle="collapse" data-target="#enterprise-TA0006-body" aria-expanded="false" aria-controls="#enterprise-TA0006-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-body" aria-labelledby="enterprise-TA0006-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110"> <a href="/versions/v9/techniques/T1110/"> Brute Force </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1110-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1110-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1110-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1110-body" aria-labelledby="enterprise-TA0006-T1110-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.001"> <a href="/versions/v9/techniques/T1110/001/"> Password Guessing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.002"> <a href="/versions/v9/techniques/T1110/002/"> Password Cracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.003"> <a href="/versions/v9/techniques/T1110/003/"> Password Spraying </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.004"> <a href="/versions/v9/techniques/T1110/004/"> Credential Stuffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555"> <a href="/versions/v9/techniques/T1555/"> Credentials from Password Stores </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1555-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1555-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1555-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1555-body" aria-labelledby="enterprise-TA0006-T1555-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.001"> <a href="/versions/v9/techniques/T1555/001/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.002"> <a href="/versions/v9/techniques/T1555/002/"> Securityd Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.003"> <a href="/versions/v9/techniques/T1555/003/"> Credentials from Web Browsers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.004"> <a href="/versions/v9/techniques/T1555/004/"> Windows Credential Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.005"> <a href="/versions/v9/techniques/T1555/005/"> Password Managers </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1212"> <a href="/versions/v9/techniques/T1212/"> Exploitation for Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1187"> <a href="/versions/v9/techniques/T1187/"> Forced Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1606"> <a href="/versions/v9/techniques/T1606/"> Forge Web Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1606-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1606-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1606-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1606-body" aria-labelledby="enterprise-TA0006-T1606-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.001"> <a href="/versions/v9/techniques/T1606/001/"> Web Cookies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.002"> <a href="/versions/v9/techniques/T1606/002/"> SAML Tokens </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1056-body" aria-labelledby="enterprise-TA0006-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1557-body" aria-labelledby="enterprise-TA0006-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1556-body" aria-labelledby="enterprise-TA0006-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003"> <a href="/versions/v9/techniques/T1003/"> OS Credential Dumping </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1003-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1003-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1003-body" aria-labelledby="enterprise-TA0006-T1003-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.001"> <a href="/versions/v9/techniques/T1003/001/"> LSASS Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.002"> <a href="/versions/v9/techniques/T1003/002/"> Security Account Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.003"> <a href="/versions/v9/techniques/T1003/003/"> NTDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.004"> <a href="/versions/v9/techniques/T1003/004/"> LSA Secrets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.005"> <a href="/versions/v9/techniques/T1003/005/"> Cached Domain Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.006"> <a href="/versions/v9/techniques/T1003/006/"> DCSync </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.007"> <a href="/versions/v9/techniques/T1003/007/"> Proc Filesystem </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.008"> <a href="/versions/v9/techniques/T1003/008/"> /etc/passwd and /etc/shadow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1528"> <a href="/versions/v9/techniques/T1528/"> Steal Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558"> <a href="/versions/v9/techniques/T1558/"> Steal or Forge Kerberos Tickets </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1558-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1558-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1558-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1558-body" aria-labelledby="enterprise-TA0006-T1558-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.001"> <a href="/versions/v9/techniques/T1558/001/"> Golden Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.002"> <a href="/versions/v9/techniques/T1558/002/"> Silver Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.003"> <a href="/versions/v9/techniques/T1558/003/"> Kerberoasting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.004"> <a href="/versions/v9/techniques/T1558/004/"> AS-REP Roasting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1539"> <a href="/versions/v9/techniques/T1539/"> Steal Web Session Cookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1111"> <a href="/versions/v9/techniques/T1111/"> Two-Factor Authentication Interception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552"> <a href="/versions/v9/techniques/T1552/"> Unsecured Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1552-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1552-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1552-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1552-body" aria-labelledby="enterprise-TA0006-T1552-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.001"> <a href="/versions/v9/techniques/T1552/001/"> Credentials In Files </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.002"> <a href="/versions/v9/techniques/T1552/002/"> Credentials in Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.003"> <a href="/versions/v9/techniques/T1552/003/"> Bash History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.004"> <a href="/versions/v9/techniques/T1552/004/"> Private Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.005"> <a href="/versions/v9/techniques/T1552/005/"> Cloud Instance Metadata API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.006"> <a href="/versions/v9/techniques/T1552/006/"> Group Policy Preferences </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.007"> <a href="/versions/v9/techniques/T1552/007/"> Container API </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007"> <a href="/versions/v9/tactics/TA0007"> Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-header" data-toggle="collapse" data-target="#enterprise-TA0007-body" aria-expanded="false" aria-controls="#enterprise-TA0007-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-body" aria-labelledby="enterprise-TA0007-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087"> <a href="/versions/v9/techniques/T1087/"> Account Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1087-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1087-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1087-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1087-body" aria-labelledby="enterprise-TA0007-T1087-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.001"> <a href="/versions/v9/techniques/T1087/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.002"> <a href="/versions/v9/techniques/T1087/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.003"> <a href="/versions/v9/techniques/T1087/003/"> Email Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.004"> <a href="/versions/v9/techniques/T1087/004/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1010"> <a href="/versions/v9/techniques/T1010/"> Application Window Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1217"> <a href="/versions/v9/techniques/T1217/"> Browser Bookmark Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1580"> <a href="/versions/v9/techniques/T1580/"> Cloud Infrastructure Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1538"> <a href="/versions/v9/techniques/T1538/"> Cloud Service Dashboard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1526"> <a href="/versions/v9/techniques/T1526/"> Cloud Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1613"> <a href="/versions/v9/techniques/T1613/"> Container and Resource Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1482"> <a href="/versions/v9/techniques/T1482/"> Domain Trust Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1083"> <a href="/versions/v9/techniques/T1083/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1046"> <a href="/versions/v9/techniques/T1046/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1135"> <a href="/versions/v9/techniques/T1135/"> Network Share Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1201"> <a href="/versions/v9/techniques/T1201/"> Password Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1120"> <a href="/versions/v9/techniques/T1120/"> Peripheral Device Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069"> <a href="/versions/v9/techniques/T1069/"> Permission Groups Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1069-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1069-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1069-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1069-body" aria-labelledby="enterprise-TA0007-T1069-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.001"> <a href="/versions/v9/techniques/T1069/001/"> Local Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.002"> <a href="/versions/v9/techniques/T1069/002/"> Domain Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.003"> <a href="/versions/v9/techniques/T1069/003/"> Cloud Groups </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1057"> <a href="/versions/v9/techniques/T1057/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1012"> <a href="/versions/v9/techniques/T1012/"> Query Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1018"> <a href="/versions/v9/techniques/T1018/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518"> <a href="/versions/v9/techniques/T1518/"> Software Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1518-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1518-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1518-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1518-body" aria-labelledby="enterprise-TA0007-T1518-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1518-T1518.001"> <a href="/versions/v9/techniques/T1518/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1082"> <a href="/versions/v9/techniques/T1082/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1614"> <a href="/versions/v9/techniques/T1614/"> System Location Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016"> <a href="/versions/v9/techniques/T1016/"> System Network Configuration Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1016-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1016-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1016-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1016-body" aria-labelledby="enterprise-TA0007-T1016-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1016-T1016.001"> <a href="/versions/v9/techniques/T1016/001/"> Internet Connection Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1049"> <a href="/versions/v9/techniques/T1049/"> System Network Connections Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1033"> <a href="/versions/v9/techniques/T1033/"> System Owner/User Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1007"> <a href="/versions/v9/techniques/T1007/"> System Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1124"> <a href="/versions/v9/techniques/T1124/"> System Time Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1497-body" aria-labelledby="enterprise-TA0007-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008"> <a href="/versions/v9/tactics/TA0008"> Lateral Movement </a> <div class="expand-button collapsed" id="enterprise-TA0008-header" data-toggle="collapse" data-target="#enterprise-TA0008-body" aria-expanded="false" aria-controls="#enterprise-TA0008-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-body" aria-labelledby="enterprise-TA0008-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1210"> <a href="/versions/v9/techniques/T1210/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1534"> <a href="/versions/v9/techniques/T1534/"> Internal Spearphishing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1570"> <a href="/versions/v9/techniques/T1570/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563"> <a href="/versions/v9/techniques/T1563/"> Remote Service Session Hijacking </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1563-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1563-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1563-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1563-body" aria-labelledby="enterprise-TA0008-T1563-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.001"> <a href="/versions/v9/techniques/T1563/001/"> SSH Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.002"> <a href="/versions/v9/techniques/T1563/002/"> RDP Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021"> <a href="/versions/v9/techniques/T1021/"> Remote Services </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1021-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1021-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1021-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1021-body" aria-labelledby="enterprise-TA0008-T1021-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.001"> <a href="/versions/v9/techniques/T1021/001/"> Remote Desktop Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.002"> <a href="/versions/v9/techniques/T1021/002/"> SMB/Windows Admin Shares </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.003"> <a href="/versions/v9/techniques/T1021/003/"> Distributed Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.004"> <a href="/versions/v9/techniques/T1021/004/"> SSH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.005"> <a href="/versions/v9/techniques/T1021/005/"> VNC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.006"> <a href="/versions/v9/techniques/T1021/006/"> Windows Remote Management </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1080"> <a href="/versions/v9/techniques/T1080/"> Taint Shared Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1550-body" aria-labelledby="enterprise-TA0008-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009"> <a href="/versions/v9/tactics/TA0009"> Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-header" data-toggle="collapse" data-target="#enterprise-TA0009-body" aria-expanded="false" aria-controls="#enterprise-TA0009-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-body" aria-labelledby="enterprise-TA0009-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560"> <a href="/versions/v9/techniques/T1560/"> Archive Collected Data </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1560-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1560-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1560-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1560-body" aria-labelledby="enterprise-TA0009-T1560-header"> <div class="sidenav"> <div class="sidenav-head active" id="enterprise-TA0009-T1560-T1560.001"> <a href="/versions/v9/techniques/T1560/001/"> Archive via Utility </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.002"> <a href="/versions/v9/techniques/T1560/002/"> Archive via Library </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.003"> <a href="/versions/v9/techniques/T1560/003/"> Archive via Custom Method </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1123"> <a href="/versions/v9/techniques/T1123/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1119"> <a href="/versions/v9/techniques/T1119/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1115"> <a href="/versions/v9/techniques/T1115/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1530"> <a href="/versions/v9/techniques/T1530/"> Data from Cloud Storage Object </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602"> <a href="/versions/v9/techniques/T1602/"> Data from Configuration Repository </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1602-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1602-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1602-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1602-body" aria-labelledby="enterprise-TA0009-T1602-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.001"> <a href="/versions/v9/techniques/T1602/001/"> SNMP (MIB Dump) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.002"> <a href="/versions/v9/techniques/T1602/002/"> Network Device Configuration Dump </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213"> <a href="/versions/v9/techniques/T1213/"> Data from Information Repositories </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1213-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1213-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1213-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1213-body" aria-labelledby="enterprise-TA0009-T1213-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.001"> <a href="/versions/v9/techniques/T1213/001/"> Confluence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.002"> <a href="/versions/v9/techniques/T1213/002/"> Sharepoint </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1005"> <a href="/versions/v9/techniques/T1005/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1039"> <a href="/versions/v9/techniques/T1039/"> Data from Network Shared Drive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1025"> <a href="/versions/v9/techniques/T1025/"> Data from Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074"> <a href="/versions/v9/techniques/T1074/"> Data Staged </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1074-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1074-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1074-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1074-body" aria-labelledby="enterprise-TA0009-T1074-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.001"> <a href="/versions/v9/techniques/T1074/001/"> Local Data Staging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.002"> <a href="/versions/v9/techniques/T1074/002/"> Remote Data Staging </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114"> <a href="/versions/v9/techniques/T1114/"> Email Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1114-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1114-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1114-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1114-body" aria-labelledby="enterprise-TA0009-T1114-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.001"> <a href="/versions/v9/techniques/T1114/001/"> Local Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.002"> <a href="/versions/v9/techniques/T1114/002/"> Remote Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.003"> <a href="/versions/v9/techniques/T1114/003/"> Email Forwarding Rule </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1056-body" aria-labelledby="enterprise-TA0009-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1185"> <a href="/versions/v9/techniques/T1185/"> Man in the Browser </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1557-body" aria-labelledby="enterprise-TA0009-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1113"> <a href="/versions/v9/techniques/T1113/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1125"> <a href="/versions/v9/techniques/T1125/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011"> <a href="/versions/v9/tactics/TA0011"> Command and Control </a> <div class="expand-button collapsed" id="enterprise-TA0011-header" data-toggle="collapse" data-target="#enterprise-TA0011-body" aria-expanded="false" aria-controls="#enterprise-TA0011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-body" aria-labelledby="enterprise-TA0011-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071"> <a href="/versions/v9/techniques/T1071/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1071-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1071-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1071-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1071-body" aria-labelledby="enterprise-TA0011-T1071-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.001"> <a href="/versions/v9/techniques/T1071/001/"> Web Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.002"> <a href="/versions/v9/techniques/T1071/002/"> File Transfer Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.003"> <a href="/versions/v9/techniques/T1071/003/"> Mail Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.004"> <a href="/versions/v9/techniques/T1071/004/"> DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1092"> <a href="/versions/v9/techniques/T1092/"> Communication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1132"> <a href="/versions/v9/techniques/T1132/"> Data Encoding </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1132-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1132-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1132-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1132-body" aria-labelledby="enterprise-TA0011-T1132-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.001"> <a href="/versions/v9/techniques/T1132/001/"> Standard Encoding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.002"> <a href="/versions/v9/techniques/T1132/002/"> Non-Standard Encoding </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1001"> <a href="/versions/v9/techniques/T1001/"> Data Obfuscation </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1001-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1001-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1001-body" aria-labelledby="enterprise-TA0011-T1001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.001"> <a href="/versions/v9/techniques/T1001/001/"> Junk Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.002"> <a href="/versions/v9/techniques/T1001/002/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.003"> <a href="/versions/v9/techniques/T1001/003/"> Protocol Impersonation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568"> <a href="/versions/v9/techniques/T1568/"> Dynamic Resolution </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1568-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1568-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1568-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1568-body" aria-labelledby="enterprise-TA0011-T1568-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.001"> <a href="/versions/v9/techniques/T1568/001/"> Fast Flux DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.002"> <a href="/versions/v9/techniques/T1568/002/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.003"> <a href="/versions/v9/techniques/T1568/003/"> DNS Calculation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1573"> <a href="/versions/v9/techniques/T1573/"> Encrypted Channel </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1573-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1573-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1573-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1573-body" aria-labelledby="enterprise-TA0011-T1573-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.001"> <a href="/versions/v9/techniques/T1573/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.002"> <a href="/versions/v9/techniques/T1573/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1008"> <a href="/versions/v9/techniques/T1008/"> Fallback Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1105"> <a href="/versions/v9/techniques/T1105/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1104"> <a href="/versions/v9/techniques/T1104/"> Multi-Stage Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1095"> <a href="/versions/v9/techniques/T1095/"> Non-Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1571"> <a href="/versions/v9/techniques/T1571/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1572"> <a href="/versions/v9/techniques/T1572/"> Protocol Tunneling </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090"> <a href="/versions/v9/techniques/T1090/"> Proxy </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1090-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1090-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1090-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1090-body" aria-labelledby="enterprise-TA0011-T1090-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.001"> <a href="/versions/v9/techniques/T1090/001/"> Internal Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.002"> <a href="/versions/v9/techniques/T1090/002/"> External Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.003"> <a href="/versions/v9/techniques/T1090/003/"> Multi-hop Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.004"> <a href="/versions/v9/techniques/T1090/004/"> Domain Fronting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1219"> <a href="/versions/v9/techniques/T1219/"> Remote Access Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1205-body" aria-labelledby="enterprise-TA0011-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102"> <a href="/versions/v9/techniques/T1102/"> Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1102-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1102-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1102-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1102-body" aria-labelledby="enterprise-TA0011-T1102-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.001"> <a href="/versions/v9/techniques/T1102/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.002"> <a href="/versions/v9/techniques/T1102/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.003"> <a href="/versions/v9/techniques/T1102/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010"> <a href="/versions/v9/tactics/TA0010"> Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-header" data-toggle="collapse" data-target="#enterprise-TA0010-body" aria-expanded="false" aria-controls="#enterprise-TA0010-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-body" aria-labelledby="enterprise-TA0010-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1020"> <a href="/versions/v9/techniques/T1020/"> Automated Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1020-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1020-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1020-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1020-body" aria-labelledby="enterprise-TA0010-T1020-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1020-T1020.001"> <a href="/versions/v9/techniques/T1020/001/"> Traffic Duplication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1030"> <a href="/versions/v9/techniques/T1030/"> Data Transfer Size Limits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1048"> <a href="/versions/v9/techniques/T1048/"> Exfiltration Over Alternative Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1048-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1048-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1048-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1048-body" aria-labelledby="enterprise-TA0010-T1048-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.001"> <a href="/versions/v9/techniques/T1048/001/"> Exfiltration Over Symmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.002"> <a href="/versions/v9/techniques/T1048/002/"> Exfiltration Over Asymmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.003"> <a href="/versions/v9/techniques/T1048/003/"> Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1041"> <a href="/versions/v9/techniques/T1041/"> Exfiltration Over C2 Channel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1011"> <a href="/versions/v9/techniques/T1011/"> Exfiltration Over Other Network Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1011-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1011-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1011-body" aria-labelledby="enterprise-TA0010-T1011-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1011-T1011.001"> <a href="/versions/v9/techniques/T1011/001/"> Exfiltration Over Bluetooth </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1052"> <a href="/versions/v9/techniques/T1052/"> Exfiltration Over Physical Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1052-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1052-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1052-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1052-body" aria-labelledby="enterprise-TA0010-T1052-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1052-T1052.001"> <a href="/versions/v9/techniques/T1052/001/"> Exfiltration over USB </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1567"> <a href="/versions/v9/techniques/T1567/"> Exfiltration Over Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1567-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1567-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1567-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1567-body" aria-labelledby="enterprise-TA0010-T1567-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.001"> <a href="/versions/v9/techniques/T1567/001/"> Exfiltration to Code Repository </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.002"> <a href="/versions/v9/techniques/T1567/002/"> Exfiltration to Cloud Storage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1029"> <a href="/versions/v9/techniques/T1029/"> Scheduled Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1537"> <a href="/versions/v9/techniques/T1537/"> Transfer Data to Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040"> <a href="/versions/v9/tactics/TA0040"> Impact </a> <div class="expand-button collapsed" id="enterprise-TA0040-header" data-toggle="collapse" data-target="#enterprise-TA0040-body" aria-expanded="false" aria-controls="#enterprise-TA0040-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-body" aria-labelledby="enterprise-TA0040-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1531"> <a href="/versions/v9/techniques/T1531/"> Account Access Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1485"> <a href="/versions/v9/techniques/T1485/"> Data Destruction </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1486"> <a href="/versions/v9/techniques/T1486/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1565"> <a href="/versions/v9/techniques/T1565/"> Data Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1565-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1565-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1565-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1565-body" aria-labelledby="enterprise-TA0040-T1565-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.001"> <a href="/versions/v9/techniques/T1565/001/"> Stored Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.002"> <a href="/versions/v9/techniques/T1565/002/"> Transmitted Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.003"> <a href="/versions/v9/techniques/T1565/003/"> Runtime Data Manipulation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1491"> <a href="/versions/v9/techniques/T1491/"> Defacement </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1491-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1491-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1491-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1491-body" aria-labelledby="enterprise-TA0040-T1491-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.001"> <a href="/versions/v9/techniques/T1491/001/"> Internal Defacement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.002"> <a href="/versions/v9/techniques/T1491/002/"> External Defacement </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1561"> <a href="/versions/v9/techniques/T1561/"> Disk Wipe </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1561-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1561-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1561-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1561-body" aria-labelledby="enterprise-TA0040-T1561-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.001"> <a href="/versions/v9/techniques/T1561/001/"> Disk Content Wipe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.002"> <a href="/versions/v9/techniques/T1561/002/"> Disk Structure Wipe </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499"> <a href="/versions/v9/techniques/T1499/"> Endpoint Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1499-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1499-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1499-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1499-body" aria-labelledby="enterprise-TA0040-T1499-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.001"> <a href="/versions/v9/techniques/T1499/001/"> OS Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.002"> <a href="/versions/v9/techniques/T1499/002/"> Service Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.003"> <a href="/versions/v9/techniques/T1499/003/"> Application Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.004"> <a href="/versions/v9/techniques/T1499/004/"> Application or System Exploitation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1495"> <a href="/versions/v9/techniques/T1495/"> Firmware Corruption </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1490"> <a href="/versions/v9/techniques/T1490/"> Inhibit System Recovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1498"> <a href="/versions/v9/techniques/T1498/"> Network Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1498-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1498-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1498-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1498-body" aria-labelledby="enterprise-TA0040-T1498-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.001"> <a href="/versions/v9/techniques/T1498/001/"> Direct Network Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.002"> <a href="/versions/v9/techniques/T1498/002/"> Reflection Amplification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1496"> <a href="/versions/v9/techniques/T1496/"> Resource Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1489"> <a href="/versions/v9/techniques/T1489/"> Service Stop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1529"> <a href="/versions/v9/techniques/T1529/"> System Shutdown/Reboot </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v9/techniques/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027"> <a href="/versions/v9/tactics/TA0027"> Initial Access </a> <div class="expand-button collapsed" id="mobile-TA0027-header" data-toggle="collapse" data-target="#mobile-TA0027-body" aria-expanded="false" aria-controls="#mobile-TA0027-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0027-body" aria-labelledby="mobile-TA0027-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1475"> <a href="/versions/v9/techniques/T1475/"> Deliver Malicious App via Authorized App Store </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1476"> <a href="/versions/v9/techniques/T1476/"> Deliver Malicious App via Other Means </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1456"> <a href="/versions/v9/techniques/T1456/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1458"> <a href="/versions/v9/techniques/T1458/"> Exploit via Charging Station or PC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1477"> <a href="/versions/v9/techniques/T1477/"> Exploit via Radio Interfaces </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1461"> <a href="/versions/v9/techniques/T1461/"> Lockscreen Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1474"> <a href="/versions/v9/techniques/T1474/"> Supply Chain Compromise </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0041"> <a href="/versions/v9/tactics/TA0041"> Execution </a> <div class="expand-button collapsed" id="mobile-TA0041-header" data-toggle="collapse" data-target="#mobile-TA0041-body" aria-expanded="false" aria-controls="#mobile-TA0041-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0041-body" aria-labelledby="mobile-TA0041-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1605"> <a href="/versions/v9/techniques/T1605/"> Command-Line Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028"> <a href="/versions/v9/tactics/TA0028"> Persistence </a> <div class="expand-button collapsed" id="mobile-TA0028-header" data-toggle="collapse" data-target="#mobile-TA0028-body" aria-expanded="false" aria-controls="#mobile-TA0028-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0028-body" aria-labelledby="mobile-TA0028-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1577"> <a href="/versions/v9/techniques/T1577/"> Compromise Application Executable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1403"> <a href="/versions/v9/techniques/T1403/"> Modify Cached Executable Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029"> <a href="/versions/v9/tactics/TA0029"> Privilege Escalation </a> <div class="expand-button collapsed" id="mobile-TA0029-header" data-toggle="collapse" data-target="#mobile-TA0029-body" aria-expanded="false" aria-controls="#mobile-TA0029-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0029-body" aria-labelledby="mobile-TA0029-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1401"> <a href="/versions/v9/techniques/T1401/"> Device Administrator Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1404"> <a href="/versions/v9/techniques/T1404/"> Exploit OS Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030"> <a href="/versions/v9/tactics/TA0030"> Defense Evasion </a> <div class="expand-button collapsed" id="mobile-TA0030-header" data-toggle="collapse" data-target="#mobile-TA0030-body" aria-expanded="false" aria-controls="#mobile-TA0030-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-body" aria-labelledby="mobile-TA0030-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1408"> <a href="/versions/v9/techniques/T1408/"> Disguise Root/Jailbreak Indicators </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1407"> <a href="/versions/v9/techniques/T1407/"> Download New Code at Runtime </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1581"> <a href="/versions/v9/techniques/T1581/"> Geofencing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1406"> <a href="/versions/v9/techniques/T1406/"> Obfuscated Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1604"> <a href="/versions/v9/techniques/T1604/"> Proxy Through Victim </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1508"> <a href="/versions/v9/techniques/T1508/"> Suppress Application Icon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1576"> <a href="/versions/v9/techniques/T1576/"> Uninstall Malicious Application </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031"> <a href="/versions/v9/tactics/TA0031"> Credential Access </a> <div class="expand-button collapsed" id="mobile-TA0031-header" data-toggle="collapse" data-target="#mobile-TA0031-body" aria-expanded="false" aria-controls="#mobile-TA0031-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-body" aria-labelledby="mobile-TA0031-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1411"> <a href="/versions/v9/techniques/T1411/"> Input Prompt </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1579"> <a href="/versions/v9/techniques/T1579/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1416"> <a href="/versions/v9/techniques/T1416/"> URI Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032"> <a href="/versions/v9/tactics/TA0032"> Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-header" data-toggle="collapse" data-target="#mobile-TA0032-body" aria-expanded="false" aria-controls="#mobile-TA0032-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-body" aria-labelledby="mobile-TA0032-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1420"> <a href="/versions/v9/techniques/T1420/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1423"> <a href="/versions/v9/techniques/T1423/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1424"> <a href="/versions/v9/techniques/T1424/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1426"> <a href="/versions/v9/techniques/T1426/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1422"> <a href="/versions/v9/techniques/T1422/"> System Network Configuration Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1421"> <a href="/versions/v9/techniques/T1421/"> System Network Connections Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033"> <a href="/versions/v9/tactics/TA0033"> Lateral Movement </a> <div class="expand-button collapsed" id="mobile-TA0033-header" data-toggle="collapse" data-target="#mobile-TA0033-body" aria-expanded="false" aria-controls="#mobile-TA0033-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0033-body" aria-labelledby="mobile-TA0033-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1427"> <a href="/versions/v9/techniques/T1427/"> Attack PC via USB Connection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1428"> <a href="/versions/v9/techniques/T1428/"> Exploit Enterprise Resources </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035"> <a href="/versions/v9/tactics/TA0035"> Collection </a> <div class="expand-button collapsed" id="mobile-TA0035-header" data-toggle="collapse" data-target="#mobile-TA0035-body" aria-expanded="false" aria-controls="#mobile-TA0035-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-body" aria-labelledby="mobile-TA0035-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1435"> <a href="/versions/v9/techniques/T1435/"> Access Calendar Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1433"> <a href="/versions/v9/techniques/T1433/"> Access Call Log </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1432"> <a href="/versions/v9/techniques/T1432/"> Access Contact List </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1429"> <a href="/versions/v9/techniques/T1429/"> Capture Audio </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1512"> <a href="/versions/v9/techniques/T1512/"> Capture Camera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1533"> <a href="/versions/v9/techniques/T1533/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1507"> <a href="/versions/v9/techniques/T1507/"> Network Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1513"> <a href="/versions/v9/techniques/T1513/"> Screen Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037"> <a href="/versions/v9/tactics/TA0037"> Command and Control </a> <div class="expand-button collapsed" id="mobile-TA0037-header" data-toggle="collapse" data-target="#mobile-TA0037-body" aria-expanded="false" aria-controls="#mobile-TA0037-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-body" aria-labelledby="mobile-TA0037-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1520"> <a href="/versions/v9/techniques/T1520/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1544"> <a href="/versions/v9/techniques/T1544/"> Remote File Copy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1521"> <a href="/versions/v9/techniques/T1521/"> Standard Cryptographic Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1509"> <a href="/versions/v9/techniques/T1509/"> Uncommonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1481"> <a href="/versions/v9/techniques/T1481/"> Web Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036"> <a href="/versions/v9/tactics/TA0036"> Exfiltration </a> <div class="expand-button collapsed" id="mobile-TA0036-header" data-toggle="collapse" data-target="#mobile-TA0036-body" aria-expanded="false" aria-controls="#mobile-TA0036-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-body" aria-labelledby="mobile-TA0036-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1532"> <a href="/versions/v9/techniques/T1532/"> Data Encrypted </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034"> <a href="/versions/v9/tactics/TA0034"> Impact </a> <div class="expand-button collapsed" id="mobile-TA0034-header" data-toggle="collapse" data-target="#mobile-TA0034-body" aria-expanded="false" aria-controls="#mobile-TA0034-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-body" aria-labelledby="mobile-TA0034-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1448"> <a href="/versions/v9/techniques/T1448/"> Carrier Billing Fraud </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1510"> <a href="/versions/v9/techniques/T1510/"> Clipboard Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1471"> <a href="/versions/v9/techniques/T1471/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1472"> <a href="/versions/v9/techniques/T1472/"> Generate Fraudulent Advertising Revenue </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1452"> <a href="/versions/v9/techniques/T1452/"> Manipulate App Store Rankings or Ratings </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1582"> <a href="/versions/v9/techniques/T1582/"> SMS Control </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0038"> <a href="/versions/v9/tactics/TA0038"> Network Effects </a> <div class="expand-button collapsed" id="mobile-TA0038-header" data-toggle="collapse" data-target="#mobile-TA0038-body" aria-expanded="false" aria-controls="#mobile-TA0038-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0038-body" aria-labelledby="mobile-TA0038-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1466"> <a href="/versions/v9/techniques/T1466/"> Downgrade to Insecure Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1439"> <a href="/versions/v9/techniques/T1439/"> Eavesdrop on Insecure Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1449"> <a href="/versions/v9/techniques/T1449/"> Exploit SS7 to Redirect Phone Calls/SMS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1450"> <a href="/versions/v9/techniques/T1450/"> Exploit SS7 to Track Device Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1464"> <a href="/versions/v9/techniques/T1464/"> Jamming or Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1463"> <a href="/versions/v9/techniques/T1463/"> Manipulate Device Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1467"> <a href="/versions/v9/techniques/T1467/"> Rogue Cellular Base Station </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1465"> <a href="/versions/v9/techniques/T1465/"> Rogue Wi-Fi Access Points </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1451"> <a href="/versions/v9/techniques/T1451/"> SIM Card Swap </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0039"> <a href="/versions/v9/tactics/TA0039"> Remote Service Effects </a> <div class="expand-button collapsed" id="mobile-TA0039-header" data-toggle="collapse" data-target="#mobile-TA0039-body" aria-expanded="false" aria-controls="#mobile-TA0039-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0039-body" aria-labelledby="mobile-TA0039-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1470"> <a href="/versions/v9/techniques/T1470/"> Obtain Device Cloud Backups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1468"> <a href="/versions/v9/techniques/T1468/"> Remotely Track Device Without Authorization </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1469"> <a href="/versions/v9/techniques/T1469/"> Remotely Wipe Data Without Authorization </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/T1560">Archive Collected Data</a></li> <li class="breadcrumb-item">Archive via Utility</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Archive Collected Data:</span> Archive via Utility </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Archive Collected Data (3)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td class="active"> T1560.001 </td> <td class="active"> Archive via Utility </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1560/002/" class="subtechnique-table-item" data-subtechnique_id="T1560.002"> T1560.002 </a> </td> <td> <a href="/versions/v9/techniques/T1560/002/" class="subtechnique-table-item" data-subtechnique_id="T1560.002"> Archive via Library </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1560/003/" class="subtechnique-table-item" data-subtechnique_id="T1560.003"> T1560.003 </a> </td> <td> <a href="/versions/v9/techniques/T1560/003/" class="subtechnique-table-item" data-subtechnique_id="T1560.003"> Archive via Custom Method </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="7zip Homepage"><sup><a href="https://www.7-zip.org/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span>, WinRAR<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="WinRAR Homepage"><sup><a href="https://www.rarlab.com/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span>, and WinZip<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="WinZip Homepage"><sup><a href="https://www.winzip.com/win/en/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span>. Most utilities include functionality to encrypt and/or compress data.</p><p>Some 3rd party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1560.001 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of: </span> <a href="/versions/v9/techniques/T1560">T1560</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v9/tactics/TA0009">Collection</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions, or the results of those actions by an adversary">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Data Sources: </span><a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/command.yml'>Command</a>: Command Execution, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/file.yml'>File</a>: File Creation, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/process.yml'>Process</a>: Process Creation </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.0 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>20 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>25 March 2020 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1560.001" href="/versions/v9/techniques/T1560/001/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1560.001" href="/techniques/T1560/001/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/groups/G0006"> G0006 </a> </td> <td> <a href="/versions/v9/groups/G0006"> APT1 </a> </td> <td> <p><a href="/versions/v9/groups/G0006">APT1</a> has used RAR to compress files before moving them outside of the victim network.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Mandiant APT1"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v9/groups/G0016"> APT29 </a> </td> <td> <p><a href="/versions/v9/groups/G0016">APT29</a> used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0022"> G0022 </a> </td> <td> <a href="/versions/v9/groups/G0022"> APT3 </a> </td> <td> <p><a href="/versions/v9/groups/G0022">APT3</a> has used tools to compress data before exfilling it.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="aptsim"><sup><a href="http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0064"> G0064 </a> </td> <td> <a href="/versions/v9/groups/G0064"> APT33 </a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used WinRAR to compress data prior to exfil.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v9/groups/G0087"> APT39 </a> </td> <td> <p><a href="/versions/v9/groups/G0087">APT39</a> has used WinRAR and 7-Zip to compress an archive stolen data. <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="FireEye APT39 Jan 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0096"> G0096 </a> </td> <td> <a href="/versions/v9/groups/G0096"> APT41 </a> </td> <td> <p><a href="/versions/v9/groups/G0096">APT41</a> created a RAR archive of targeted files for exfiltration.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="FireEye APT41 Aug 2019"><sup><a href="https://content.fireeye.com/apt-41/rpt-apt41" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0060"> G0060 </a> </td> <td> <a href="/versions/v9/groups/G0060"> BRONZE BUTLER </a> </td> <td> <p><a href="/versions/v9/groups/G0060">BRONZE BUTLER</a> has compressed data into password-protected RAR archives prior to exfiltration.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Secureworks BRONZE BUTLER Oct 2017"><sup><a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0274"> S0274 </a> </td> <td> <a href="/versions/v9/software/S0274"> Calisto </a> </td> <td> <p><a href="/versions/v9/software/S0274">Calisto</a> uses the <code>zip -r</code> command to compress the data collected on the local system.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="Securelist Calisto July 2018"><sup><a href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Calisto July 2018"><sup><a href="https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v9/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v9/groups/G0114">Chimera</a> has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="NCC Group Chimera January 2021"><sup><a href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0052"> G0052 </a> </td> <td> <a href="/versions/v9/groups/G0052"> CopyKittens </a> </td> <td> <p><a href="/versions/v9/groups/G0052">CopyKittens</a> uses ZPP, a .NET console program, to compress files with ZIP.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ClearSky Wilted Tulip July 2017"><sup><a href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0212"> S0212 </a> </td> <td> <a href="/versions/v9/software/S0212"> CORALDECK </a> </td> <td> <p><a href="/versions/v9/software/S0212">CORALDECK</a> has created password-protected RAR, WinImage, and zip archives to be exfiltrated.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0538"> S0538 </a> </td> <td> <a href="/versions/v9/software/S0538"> Crutch </a> </td> <td> <p><a href="/versions/v9/software/S0538">Crutch</a> has used the WinRAR utility to compress and encrypt stolen files.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0187"> S0187 </a> </td> <td> <a href="/versions/v9/software/S0187"> Daserf </a> </td> <td> <p><a href="/versions/v9/software/S0187">Daserf</a> hides collected data in password-protected .rar archives.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="Symantec Tick Apr 2016"><sup><a href="https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0062"> S0062 </a> </td> <td> <a href="/versions/v9/software/S0062"> DustySky </a> </td> <td> <p><a href="/versions/v9/software/S0062">DustySky</a> can compress files via RAR while staging data to be exfiltrated.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Kaspersky MoleRATs April 2019"><sup><a href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0061"> G0061 </a> </td> <td> <a href="/versions/v9/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/versions/v9/groups/G0061">FIN8</a> has used RAR to compress collected data before <a href="https://attack.mitre.org/tactics/TA0010">Exfiltration</a>.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0117"> G0117 </a> </td> <td> <a href="/versions/v9/groups/G0117"> Fox Kitten </a> </td> <td> <p><a href="/versions/v9/groups/G0117">Fox Kitten</a> has used 7-Zip to archive data.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="CISA AA20-259A Iran-Based Actor September 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v9/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/versions/v9/groups/G0093">GALLIUM</a> used WinRAR to compress and encrypt stolen data prior to exfiltration.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="Cybereason Soft Cell June 2019"><sup><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="Microsoft GALLIUM December 2019"><sup><a href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0084"> G0084 </a> </td> <td> <a href="/versions/v9/groups/G0084"> Gallmaker </a> </td> <td> <p><a href="/versions/v9/groups/G0084">Gallmaker</a> has used WinZip, likely to archive data prior to exfiltration.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="Symantec Gallmaker Oct 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0125"> G0125 </a> </td> <td> <a href="/versions/v9/groups/G0125"> HAFNIUM </a> </td> <td> <p><a href="/versions/v9/groups/G0125">HAFNIUM</a> has used 7-Zip and WinRAR to compress stolen files for exfiltration.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft HAFNIUM March 2020"><sup><a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" data-reference="Volexity Exchange Marauder March 2021"><sup><a href="https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0278"> S0278 </a> </td> <td> <a href="/versions/v9/software/S0278"> iKitten </a> </td> <td> <p><a href="/versions/v9/software/S0278">iKitten</a> will zip up the /Library/Keychains directory before exfiltrating it.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" data-reference="objsee mac malware 2017"><sup><a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0260"> S0260 </a> </td> <td> <a href="/versions/v9/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/versions/v9/software/S0260">InvisiMole</a> uses WinRAR to compress data that is intended to be exfiltrated.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="ESET InvisiMole June 2018"><sup><a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0004"> G0004 </a> </td> <td> <a href="/versions/v9/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/versions/v9/groups/G0004">Ke3chang</a> is known to use RAR with passwords to encrypt data prior to exfiltration.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" data-reference="Villeneuve et al 2014"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0059"> G0059 </a> </td> <td> <a href="/versions/v9/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/versions/v9/groups/G0059">Magic Hound</a> has used RAR to stage and compress local folders.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0045"> G0045 </a> </td> <td> <a href="/versions/v9/groups/G0045"> menuPass </a> </td> <td> <p><a href="/versions/v9/groups/G0045">menuPass</a> has compressed files before exfiltration using TAR and RAR.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" data-reference="PWC Cloud Hopper April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" data-reference="Symantec Cicada November 2020"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0339"> S0339 </a> </td> <td> <a href="/versions/v9/software/S0339"> Micropsia </a> </td> <td> <p><a href="/versions/v9/software/S0339">Micropsia</a> creates a RAR archive based on collected files on the victim's machine.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" data-reference="Radware Micropsia July 2018"><sup><a href="https://blog.radware.com/security/2018/07/micropsia-malware/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v9/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/versions/v9/groups/G0069">MuddyWater</a> has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" data-reference="Symantec MuddyWater Dec 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0129"> G0129 </a> </td> <td> <a href="/versions/v9/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/versions/v9/groups/G0129">Mustang Panda</a> has used RAR to create password-protected archives of collected documents prior to exfiltration.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="Secureworks BRONZE PRESIDENT December 2019"><sup><a href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="Avira Mustang Panda January 2020"><sup><a href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0439"> S0439 </a> </td> <td> <a href="/versions/v9/software/S0439"> Okrum </a> </td> <td> <p><a href="/versions/v9/software/S0439">Okrum</a> was seen using a RAR archiver tool to compress/decompress data.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="ESET Okrum July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v9/software/S0264"> OopsIE </a> </td> <td> <p><a href="/versions/v9/software/S0264">OopsIE</a> compresses collected files with GZipStream before sending them to its C2 server.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" data-reference="Unit 42 OopsIE! Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0116"> G0116 </a> </td> <td> <a href="/versions/v9/groups/G0116"> Operation Wocao </a> </td> <td> <p><a href="/versions/v9/groups/G0116">Operation Wocao</a> has archived collected files with WinRAR, prior to exfiltration.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="FoxIT Wocao December 2019"><sup><a href="https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0428"> S0428 </a> </td> <td> <a href="/versions/v9/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/versions/v9/software/S0428">PoetRAT</a> has the ability to compress files with zip.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" data-reference="Talos PoetRAT April 2020"><sup><a href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0378"> S0378 </a> </td> <td> <a href="/versions/v9/software/S0378"> PoshC2 </a> </td> <td> <p><a href="/versions/v9/software/S0378">PoshC2</a> contains a module for compressing data using ZIP.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" data-reference="GitHub PoshC2"><sup><a href="https://github.com/nettitude/PoshC2_Python" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0441"> S0441 </a> </td> <td> <a href="/versions/v9/software/S0441"> PowerShower </a> </td> <td> <p><a href="/versions/v9/software/S0441">PowerShower</a> has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" data-reference="Kaspersky Cloud Atlas August 2019"><sup><a href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0196"> S0196 </a> </td> <td> <a href="/versions/v9/software/S0196"> PUNCHBUGGY </a> </td> <td> <p><a href="/versions/v9/software/S0196">PUNCHBUGGY</a> has Gzipped information and saved it to a random temp file before exfil.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" data-reference="Morphisec ShellTea June 2019"><sup><a href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0192"> S0192 </a> </td> <td> <a href="/versions/v9/software/S0192"> Pupy </a> </td> <td> <p><a href="/versions/v9/software/S0192">Pupy</a> can compress data with Zip before sending it over C2.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" data-reference="GitHub Pupy"><sup><a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0458"> S0458 </a> </td> <td> <a href="/versions/v9/software/S0458"> Ramsay </a> </td> <td> <p><a href="/versions/v9/software/S0458">Ramsay</a> can compress and archive collected files using WinRAR.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" data-reference="Eset Ramsay May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" data-reference="Antiy CERT Ramsay April 2020"><sup><a href="https://www.programmersought.com/article/62493896999/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0054"> G0054 </a> </td> <td> <a href="/versions/v9/groups/G0054"> Sowbug </a> </td> <td> <p><a href="/versions/v9/groups/G0054">Sowbug</a> extracted documents and bundled them into a RAR archive.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" data-reference="Symantec Sowbug Nov 2017"><sup><a href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0010"> G0010 </a> </td> <td> <a href="/versions/v9/groups/G0010"> Turla </a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has encrypted files stolen from connected USB drives into a RAR file before exfiltration.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0466"> S0466 </a> </td> <td> <a href="/versions/v9/software/S0466"> WindTail </a> </td> <td> <p><a href="/versions/v9/software/S0466">WindTail</a> has the ability to use the macOS built-in zip utility to archive files.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" data-reference="objective-see windtail2 jan 2019"><sup><a href="https://objective-see.com/blog/blog_0x3D.html" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/mitigations/M1047"> M1047 </a> </td> <td> <a href="/versions/v9/mitigations/M1047"> Audit </a> </td> <td> <p>System scans can be performed to identify unauthorized archival utilities.</p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="detection">Detection</h2> <div> <p>Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.</p><p>Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" data-reference="Wikipedia File Header Signatures"><sup><a href="https://en.wikipedia.org/wiki/List_of_file_signatures" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.7-zip.org/" target="_blank"> I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.rarlab.com/" target="_blank"> A. Roshal. (2020). RARLAB. Retrieved February 20, 2020. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.winzip.com/win/en/" target="_blank"> Corel Corporation. (2020). WinZip. Retrieved February 20, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank"> Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank"> MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html" target="_blank"> valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank"> Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank"> Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://content.fireeye.com/apt-41/rpt-apt41" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank"> Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank"> Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" target="_blank"> Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank"> ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank"> FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank"> Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan" target="_blank"> DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank"> GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank"> MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" target="_blank"> Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/" target="_blank"> MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="28.0"> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/" target="_blank"> Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://objective-see.com/blog/blog_0x25.html" target="_blank"> Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" target="_blank"> Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank"> Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank"> Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://blog.radware.com/security/2018/07/micropsia-malware/" target="_blank"> Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank"> Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank"> Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank"> Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank"> Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://github.com/nettitude/PoshC2_Python" target="_blank"> Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank"> GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank"> Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://github.com/n1nj4sec/pupy" target="_blank"> Nicolas Verdier. (n.d.). Retrieved January 29, 2018. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank"> Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.programmersought.com/article/62493896999/" target="_blank"> Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank"> Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank"> Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://objective-see.com/blog/blog_0x3D.html" target="_blank"> Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://en.wikipedia.org/wiki/List_of_file_signatures" target="_blank"> Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&CK content version 9.0
Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?1611"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> <script src="/versions/v9/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v9/theme/scripts/settings.js"></script> <script src="/versions/v9/theme/scripts/tour/tour-subtechniques.js"></script> </body> </html>