Persistence, Tactic TA0003 - Enterprise | MITRE ATT&CK®
ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v15/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v15/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/versions/v15/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v15/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1" target="_blank">ATT&CK v15.1</a> which was live between April 23, 2024 and October 30, 2024. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v15/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v15/tactics/enterprise">Tactics</a></li> <li class="breadcrumb-item"><a href="/versions/v15/tactics/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Persistence</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Persistence </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>The adversary is trying to maintain their foothold.</p><p>Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. 
</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> TA0003</div> <div class="card-data"><span class="h5 card-title">Created: </span>17 October 2018</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>19 July 2019</div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of TA0003" href="/versions/v15/tactics/TA0003/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of TA0003" href="/tactics/TA0003/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="techniques">Techniques</h2><h6 class="table-object-count">Techniques: 20</h6> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1098"> T1098 </a> </td> <td> <a href="/versions/v15/techniques/T1098"> Account Manipulation </a> </td> <td> Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1098/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1098/001"> Additional Cloud Credentials </a> </td> <td> Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1098/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1098/002"> Additional Email Delegate Permissions </a> </td> <td> Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1098/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1098/003"> Additional Cloud Roles </a> </td> <td> An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1098/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1098/004"> SSH Authorized Keys </a> </td> <td> Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. 
This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>. Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>. Note that <code>RSAAuthentication</code> applied only to the legacy SSH protocol 1 and is not recognized by current OpenSSH releases; on modern systems <code>PubkeyAuthentication</code> is the directive that matters, so changes to it and to <code>authorized_keys</code> are worth monitoring. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1098/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1098/005"> Device Registration </a> </td> <td> Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1098/006"> .006 </a> </td> <td> <a href="/versions/v15/techniques/T1098/006"> Additional Container Cluster Roles </a> </td> <td> An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1197"> T1197 </a> </td> <td> <a href="/versions/v15/techniques/T1197"> BITS Jobs </a> </td> <td> Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. 
Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through <a href="/versions/v15/techniques/T1559/001">Component Object Model</a> (COM). BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1547"> T1547 </a> </td> <td> <a href="/versions/v15/techniques/T1547"> Boot or Logon Autostart Execution </a> </td> <td> Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1547/001"> Registry Run Keys / Startup Folder </a> </td> <td> Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1547/002"> Authentication Package </a> </td> <td> Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1547/003"> Time Providers </a> </td> <td> Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1547/004"> Winlogon Helper DLL </a> </td> <td> Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1547/005"> Security Support Provider </a> </td> <td> Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/006"> .006 </a> </td> <td> <a href="/versions/v15/techniques/T1547/006"> Kernel Modules and Extensions </a> </td> <td> Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/007"> .007 </a> </td> <td> <a href="/versions/v15/techniques/T1547/007"> Re-opened Applications </a> </td> <td> Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory. Applications listed in this file are automatically reopened upon the user’s next logon. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/008"> .008 </a> </td> <td> <a href="/versions/v15/techniques/T1547/008"> LSASS Driver </a> </td> <td> Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/009"> .009 </a> </td> <td> <a href="/versions/v15/techniques/T1547/009"> Shortcut Modification </a> </td> <td> Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/010"> .010 </a> </td> <td> <a href="/versions/v15/techniques/T1547/010"> Port Monitors </a> </td> <td> Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup. This DLL can be located in <code>C:\Windows\System32</code> and will be loaded and run by the print spooler service, <code>spoolsv.exe</code>, under SYSTEM level permissions on boot. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/012"> .012 </a> </td> <td> <a href="/versions/v15/techniques/T1547/012"> Print Processors </a> </td> <td> Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, <code>spoolsv.exe</code>, during boot. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/013"> .013 </a> </td> <td> <a href="/versions/v15/techniques/T1547/013"> XDG Autostart Entries </a> </td> <td> Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (<code>.desktop</code>) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/014"> .014 </a> </td> <td> <a href="/versions/v15/techniques/T1547/014"> Active Setup </a> </td> <td> Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1547/015"> .015 </a> </td> <td> <a href="/versions/v15/techniques/T1547/015"> Login Items </a> </td> <td> Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as <a href="/versions/v15/techniques/T1059/002">AppleScript</a>, whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1037"> T1037 </a> </td> <td> <a href="/versions/v15/techniques/T1037"> Boot or Logon Initialization Scripts </a> </td> <td> Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1037/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1037/001"> Logon Script (Windows) </a> </td> <td> Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1037/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1037/002"> Login Hook </a> </td> <td> Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1037/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1037/003"> Network Logon Script </a> </td> <td> Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1037/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1037/004"> RC Scripts </a> </td> <td> Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1037/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1037/005"> Startup Items </a> </td> <td> Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1176"> T1176 </a> </td> <td> <a href="/versions/v15/techniques/T1176"> Browser Extensions </a> </td> <td> Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1554"> T1554 </a> </td> <td> <a href="/versions/v15/techniques/T1554"> Compromise Host Software Binary </a> </td> <td> Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1136"> T1136 </a> </td> <td> <a href="/versions/v15/techniques/T1136"> Create Account </a> </td> <td> Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1136/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1136/001"> Local Account </a> </td> <td> Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1136/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1136/002"> Domain Account </a> </td> <td> Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1136/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1136/003"> Cloud Account </a> </td> <td> Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1543"> T1543 </a> </td> <td> <a href="/versions/v15/techniques/T1543"> Create or Modify System Process </a> </td> <td> Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as <a href="/versions/v15/techniques/T1543/004">Launch Daemon</a> and <a href="/versions/v15/techniques/T1543/001">Launch Agent</a> are run to finish system initialization and load user specific parameters. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1543/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1543/001"> Launch Agent </a> </td> <td> Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1543/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1543/002"> Systemd Service </a> </td> <td> Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. 
Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1543/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1543/003"> Windows Service </a> </td> <td> Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1543/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1543/004"> Launch Daemon </a> </td> <td> Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. 
Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1543/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1543/005"> Container Service </a> </td> <td> Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1546"> T1546 </a> </td> <td> <a href="/versions/v15/techniques/T1546"> Event Triggered Execution </a> </td> <td> Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1546/001"> Change Default File Association </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1546/002"> Screensaver </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1546/003"> Windows Management Instrumentation Event Subscription </a> </td> <td> Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1546/004"> Unix Shell Configuration Modification </a> </td> <td> Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. 
User <a href="/versions/v15/techniques/T1059/004">Unix Shell</a>s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1546/005"> Trap </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/006"> .006 </a> </td> <td> <a href="/versions/v15/techniques/T1546/006"> LC_LOAD_DYLIB Addition </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. 
These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/007"> .007 </a> </td> <td> <a href="/versions/v15/techniques/T1546/007"> Netsh Helper DLL </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/008"> .008 </a> </td> <td> <a href="/versions/v15/techniques/T1546/008"> Accessibility Features </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/009"> .009 </a> </td> <td> <a href="/versions/v15/techniques/T1546/009"> AppCert DLLs </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. 
Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/010"> .010 </a> </td> <td> <a href="/versions/v15/techniques/T1546/010"> AppInit DLLs </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/011"> .011 </a> </td> <td> <a href="/versions/v15/techniques/T1546/011"> Application Shimming </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/012"> .012 </a> </td> <td> <a href="/versions/v15/techniques/T1546/012"> Image File Execution Options Injection </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/013"> .013 </a> </td> <td> <a href="/versions/v15/techniques/T1546/013"> PowerShell Profile </a> </td> <td> Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when <a href="/versions/v15/techniques/T1059/001">PowerShell</a> starts and can be used as a logon script to customize user environments. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/014"> .014 </a> </td> <td> <a href="/versions/v15/techniques/T1546/014"> Emond </a> </td> <td> Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a <a href="/versions/v15/techniques/T1543/004">Launch Daemon</a> that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/015"> .015 </a> </td> <td> <a href="/versions/v15/techniques/T1546/015"> Component Object Model Hijacking </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1546/016"> .016 </a> </td> <td> <a href="/versions/v15/techniques/T1546/016"> Installer Packages </a> </td> <td> Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1133"> T1133 </a> </td> <td> <a href="/versions/v15/techniques/T1133"> External Remote Services </a> </td> <td> Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. 
Services such as <a href="/versions/v15/techniques/T1021/006">Windows Remote Management</a> and <a href="/versions/v15/techniques/T1021/005">VNC</a> can also be used externally. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1574"> T1574 </a> </td> <td> <a href="/versions/v15/techniques/T1574"> Hijack Execution Flow </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1574/001"> DLL Search Order Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1574/002"> DLL Side-Loading </a> </td> <td> Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to <a href="/versions/v15/techniques/T1574/001">DLL Search Order Hijacking</a>, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1574/004"> Dylib Hijacking </a> </td> <td> Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1574/005"> Executable Installer File Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/006"> .006 </a> </td> <td> <a href="/versions/v15/techniques/T1574/006"> Dynamic Linker Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/007"> .007 </a> </td> <td> <a href="/versions/v15/techniques/T1574/007"> Path Interception by PATH Environment Variable </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/008"> .008 </a> </td> <td> <a href="/versions/v15/techniques/T1574/008"> Path Interception by Search Order Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. 
Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/009"> .009 </a> </td> <td> <a href="/versions/v15/techniques/T1574/009"> Path Interception by Unquoted Path </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/010"> .010 </a> </td> <td> <a href="/versions/v15/techniques/T1574/010"> Services File Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/011"> .011 </a> </td> <td> <a href="/versions/v15/techniques/T1574/011"> Services Registry Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, <a href="/versions/v15/techniques/T1059/001">PowerShell</a>, or <a href="/versions/v15/software/S0075">Reg</a>. Access to Registry keys is controlled through access control lists and user permissions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/012"> .012 </a> </td> <td> <a href="/versions/v15/techniques/T1574/012"> COR_PROFILER </a> </td> <td> Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/013"> .013 </a> </td> <td> <a href="/versions/v15/techniques/T1574/013"> KernelCallbackTable </a> </td> <td> Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads. The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1574/014"> .014 </a> </td> <td> <a href="/versions/v15/techniques/T1574/014"> AppDomainManager </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking how the .NET <code>AppDomainManager</code> loads assemblies. The .NET framework uses the <code>AppDomainManager</code> class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (<code>.exe</code> or <code>.dll</code> binaries compiled to run as .NET code) may be loaded into an application domain as executable code. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1525"> T1525 </a> </td> <td> <a href="/versions/v15/techniques/T1525"> Implant Internal Image </a> </td> <td> Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike <a href="/versions/v15/techniques/T1608/001">Upload Malware</a>, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. 
Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1556"> T1556 </a> </td> <td> <a href="/versions/v15/techniques/T1556"> Modify Authentication Process </a> </td> <td> Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using <a href="/versions/v15/techniques/T1078">Valid Accounts</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1556/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1556/001"> Domain Controller Authentication </a> </td> <td> Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1556/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1556/002"> Password Filter DLL </a> </td> <td> Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1556/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1556/003"> Pluggable Authentication Modules </a> </td> <td> Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1556/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1556/004"> Network Device Authentication </a> </td> <td> Adversaries may use <a href="/versions/v15/techniques/T1601/001">Patch System Image</a> to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1556/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1556/005"> Reversible Encryption </a> </td> <td> An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1556/006"> .006 </a> </td> <td> <a href="/versions/v15/techniques/T1556/006"> Multi-Factor Authentication </a> </td> <td> Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1556/007"> .007 </a> </td> <td> <a href="/versions/v15/techniques/T1556/007"> Hybrid Identity </a> </td> <td> Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1556/008"> .008 </a> </td> <td> <a href="/versions/v15/techniques/T1556/008"> Network Provider DLL </a> </td> <td> Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local <code>mpnotify.exe</code> process via RPC. The <code>mpnotify.exe</code> process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1556/009"> .009 </a> </td> <td> <a href="/versions/v15/techniques/T1556/009"> Conditional Access Policies </a> </td> <td> Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. 
Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1137"> T1137 </a> </td> <td> <a href="/versions/v15/techniques/T1137"> Office Application Startup </a> </td> <td> Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1137/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1137/001"> Office Template Macros </a> </td> <td> Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1137/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1137/002"> Office Test </a> </td> <td> Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1137/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1137/003"> Outlook Forms </a> </td> <td> Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1137/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1137/004"> Outlook Home Page </a> </td> <td> Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1137/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1137/005"> Outlook Rules </a> </td> <td> Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1137/006"> .006 </a> </td> <td> <a href="/versions/v15/techniques/T1137/006"> Add-ins </a> </td> <td> Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1653"> T1653 </a> </td> <td> <a href="/versions/v15/techniques/T1653"> Power Settings </a> </td> <td> Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1542"> T1542 </a> </td> <td> <a href="/versions/v15/techniques/T1542"> Pre-OS Boot </a> </td> <td> Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1542/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1542/001"> System Firmware </a> </td> <td> Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1542/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1542/002"> Component Firmware </a> </td> <td> Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to <a href="/versions/v15/techniques/T1542/001">System Firmware</a> but conducted upon other system components/devices that may not have the same capability or level of integrity checking. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1542/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1542/003"> Bootkit </a> </td> <td> Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1542/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1542/004"> ROMMONkit </a> </td> <td> Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1542/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1542/005"> TFTP Boot </a> </td> <td> Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1053"> T1053 </a> </td> <td> <a href="/versions/v15/techniques/T1053"> Scheduled Task/Job </a> </td> <td> Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1053/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1053/002"> At </a> </td> <td> Adversaries may abuse the <a href="/versions/v15/software/S0110">at</a> utility to perform task scheduling for initial or recurring execution of malicious code. The <a href="/versions/v15/software/S0110">at</a> utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of <a href="/versions/v15/techniques/T1053/005">Scheduled Task</a>'s <a href="/versions/v15/software/S0111">schtasks</a> in Windows environments, using <a href="/versions/v15/software/S0110">at</a> requires that the Task Scheduler service be running and that the user be logged on as a member of the local Administrators group. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1053/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1053/003"> Cron </a> </td> <td> Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code>crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1053/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1053/005"> Scheduled Task </a> </td> <td> Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. 
The <a href="/versions/v15/software/S0111">schtasks</a> utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1053/006"> .006 </a> </td> <td> <a href="/versions/v15/techniques/T1053/006"> Systemd Timers </a> </td> <td> Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to <a href="/versions/v15/techniques/T1053/003">Cron</a> in Linux environments. Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over <a href="/versions/v15/techniques/T1021/004">SSH</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1053/007"> .007 </a> </td> <td> <a href="/versions/v15/techniques/T1053/007"> Container Orchestration Job </a> </td> <td> Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1505"> T1505 </a> </td> <td> <a href="/versions/v15/techniques/T1505"> Server Software Component </a> </td> <td> Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1505/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1505/001"> SQL Stored Procedures </a> </td> <td> Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1505/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1505/002"> Transport Agent </a> </td> <td> Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. 
Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1505/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1505/003"> Web Shell </a> </td> <td> Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1505/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1505/004"> IIS Components </a> </td> <td> Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1505/005"> .005 </a> </td> <td> <a href="/versions/v15/techniques/T1505/005"> Terminal Services DLL </a> </td> <td> Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. 
Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1205"> T1205 </a> </td> <td> <a href="/versions/v15/techniques/T1205"> Traffic Signaling </a> </td> <td> Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. <a href="/versions/v15/techniques/T1205/001">Port Knocking</a>), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1205/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1205/001"> Port Knocking </a> </td> <td> Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1205/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1205/002"> Socket Filters </a> </td> <td> Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the <code>libpcap</code> library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v15/techniques/T1078"> T1078 </a> </td> <td> <a href="/versions/v15/techniques/T1078"> Valid Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1078/001"> .001 </a> </td> <td> <a href="/versions/v15/techniques/T1078/001"> Default Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider-set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1078/002"> .002 </a> </td> <td> <a href="/versions/v15/techniques/T1078/002"> Domain Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1078/003"> .003 </a> </td> <td> <a href="/versions/v15/techniques/T1078/003"> Local Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v15/techniques/T1078/004"> .004 </a> </td> <td> <a href="/versions/v15/techniques/T1078/004"> Cloud Accounts </a> </td> <td> Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div>
</body> </html>