<!DOCTYPE html> <html lang='en'> <head> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Defense Evasion, Tactic TA0005 - Enterprise | MITRE ATT&CK®</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021.
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Defense Evasion </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>The adversary is trying to avoid being detected.</p><p>Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> TA0005</div> <div class="card-data"><span class="h5 card-title">Created: </span>17 October 2018</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>19 July 2019</div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of TA0005" href="/versions/v9/tactics/TA0005/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of TA0005" href="/tactics/TA0005/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="techniques">Techniques</h2><h6 class="table-object-count">Techniques: 39</h6> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1548"> T1548 </a> </td> <td> <a href="/versions/v9/techniques/T1548"> Abuse Elevation Control Mechanism </a> </td> <td> Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileges that a user can exercise on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1548/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1548/001"> Setuid and Setgid </a> </td> <td> An adversary may perform shell escapes or exploit vulnerabilities in an application with the setuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1548/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1548/002"> Bypass User Account Control </a> </td> <td> Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1548/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1548/003"> Sudo and Sudo Caching </a> </td> <td> Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
Adversaries may do this to execute commands as other users or spawn processes with higher privileges. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1548/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1548/004"> Elevated Execution with Prompt </a> </td> <td> Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials. The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has not been maliciously modified. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1134"> T1134 </a> </td> <td> <a href="/versions/v9/techniques/T1134"> Access Token Manipulation </a> </td> <td> Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1134/001"> Token Impersonation/Theft </a> </td> <td> Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using <code>DuplicateToken(Ex)</code>.
The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user's security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1134/002"> Create Process with Token </a> </td> <td> Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with <code>DuplicateToken(Ex)</code> and use it with <code>CreateProcessWithTokenW</code> to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1134/003"> Make and Impersonate Token </a> </td> <td> Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the <code>LogonUser</code> function. The function will return a copy of the new session's access token and the adversary can use <code>SetThreadToken</code> to assign the token to a thread. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1134/004"> Parent PID Spoofing </a> </td> <td> Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. 
One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1134/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1134/005"> SID-History Injection </a> </td> <td> Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1197"> T1197 </a> </td> <td> <a href="/versions/v9/techniques/T1197"> BITS Jobs </a> </td> <td> Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through <a href="/versions/v9/techniques/T1559/001">Component Object Model</a> (COM). BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1612"> T1612 </a> </td> <td> <a href="/versions/v9/techniques/T1612"> Build Image on Host </a> </td> <td> Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1140"> T1140 </a> </td> <td> <a href="/versions/v9/techniques/T1140"> Deobfuscate/Decode Files or Information </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a> to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1610"> T1610 </a> </td> <td> <a href="/versions/v9/techniques/T1610"> Deploy Container </a> </td> <td> Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1006"> T1006 </a> </td> <td> <a href="/versions/v9/techniques/T1006"> Direct Volume Access </a> </td> <td> Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1484"> T1484 </a> </td> <td> <a href="/versions/v9/techniques/T1484"> Domain Policy Modification </a> </td> <td> Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1484/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1484/001"> Group Policy Modification </a> </td> <td> Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path <code>\\&lt;DOMAIN&gt;\SYSVOL\&lt;DOMAIN&gt;\Policies\</code>.
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1484/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1484/002"> Domain Trust Modification </a> </td> <td> Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1480"> T1480 </a> </td> <td> <a href="/versions/v9/techniques/T1480"> Execution Guardrails </a> </td> <td> Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1480/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1480/001"> Environmental Keying </a> </td> <td> Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target.
Environmental keying is an implementation of <a href="/versions/v9/techniques/T1480">Execution Guardrails</a> that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1211"> T1211 </a> </td> <td> <a href="/versions/v9/techniques/T1211"> Exploitation for Defense Evasion </a> </td> <td> Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1222"> T1222 </a> </td> <td> <a href="/versions/v9/techniques/T1222"> File and Directory Permissions Modification </a> </td> <td> Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1222/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1222/001"> Windows File and Directory Permissions Modification </a> </td> <td> Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. 
File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1222/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1222/002"> Linux and Mac File and Directory Permissions Modification </a> </td> <td> Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1564"> T1564 </a> </td> <td> <a href="/versions/v9/techniques/T1564"> Hide Artifacts </a> </td> <td> Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1564/001"> Hidden Files and Directories </a> </td> <td> Adversaries may set files and directories to be hidden to evade detection mechanisms. 
To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1564/002"> Hidden Users </a> </td> <td> Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1564/003"> Hidden Window </a> </td> <td> Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1564/004"> NTFS File Attributes </a> </td> <td> Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.
Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1564/005"> Hidden File System </a> </td> <td> Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1564/006"> Run Virtual Instance </a> </td> <td> Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1564/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1564/007"> VBA Stomping </a> </td> <td> Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1574"> T1574 </a> </td> <td> <a href="/versions/v9/techniques/T1574"> Hijack Execution Flow </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1574/001"> DLL Search Order Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1574/002"> DLL Side-Loading </a> </td> <td> Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to <a href="/versions/v9/techniques/T1574/001">DLL Search Order Hijacking</a>, side-loading involves hijacking which DLL a program loads. 
But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1574/004"> Dylib Hijacking </a> </td> <td> Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> load command, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1574/005"> Executable Installer File Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. 
If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1574/006"> Dynamic Linker Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1574/007"> Path Interception by PATH Environment Variable </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the PATH environment variable used to locate programs. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. 
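Both sub-techniques above come down to the same question: which directory does the loader or shell consult first, and who can write there? The following is an added example for T1574.006 and T1574.007, not code from the ATT&CK page. It audits a process environment offline: the environment, the text of /etc/ld.so.preload and the directory listing are constructed sample data, and TRUSTED_DIRS is an assumed baseline to tune per host image.

```python
"""Audit loader environment variables and PATH order for hijack conditions.

Added example for T1574.006 and T1574.007; it is not code from the ATT&CK
page. Inputs are plain Python values so it runs offline against constructed
data: on a real host you would pass os.environ, the text of /etc/ld.so.preload
and a directory listing built with os.listdir().
"""
from typing import Dict, List, Set

# Variables the dynamic linker honours before it consults the system search
# path (Linux ld.so and macOS dyld respectively).
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH")

# Where legitimately installed programs live. Assumption: tune per host image.
TRUSTED_DIRS: Set[str] = {"/usr/bin", "/bin", "/usr/sbin", "/sbin", "/usr/local/bin"}


def resolve_in_path(command: str, path_value: str, listing: Dict[str, Set[str]],
                    sep: str = ":") -> List[str]:
    """Every directory, in PATH order, that provides `command`.

    `listing` maps a directory to the file names it contains and stands in for
    a real directory walk. Element 0 is what the shell would actually execute;
    later elements are the copies it shadows.
    """
    return [d for d in path_value.split(sep) if command in listing.get(d, set())]


def shadowed_commands(path_value: str, listing: Dict[str, Set[str]],
                      commands: List[str], trusted: Set[str] = TRUSTED_DIRS) -> Dict[str, dict]:
    """The .007 pattern: an untrusted directory earlier in PATH wins over a
    trusted directory that also provides the same command name."""
    findings = {}
    for cmd in commands:
        hits = resolve_in_path(cmd, path_value, listing)
        if len(hits) >= 2 and hits[0] not in trusted:
            shadowed = [h for h in hits[1:] if h in trusted]
            if shadowed:
                findings[cmd] = {"executed": hits[0], "shadowed": shadowed}
    return findings


def preload_findings(env: Dict[str, str], ld_so_preload_text: str = "") -> List[str]:
    """The .006 pattern: a library injected ahead of libc via environment
    variables or via the system-wide /etc/ld.so.preload file."""
    findings = [f"{var}={env[var]}" for var in LOADER_VARS if env.get(var)]
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            findings.append(f"/etc/ld.so.preload: {line}")
    return findings


# Constructed sample: a world-writable directory placed first in PATH that
# carries a fake sudo, plus a preloaded hook library.
ENV = {"PATH": "/tmp/.x:/usr/local/bin:/usr/bin:/bin", "LD_PRELOAD": "/tmp/.x/libhook.so"}
LISTING = {"/tmp/.x": {"sudo", "libhook.so"}, "/usr/bin": {"sudo", "ls"}, "/bin": {"ls"}}
LD_SO_PRELOAD = "# constructed sample of /etc/ld.so.preload\n/tmp/.x/libhook.so\n"

if __name__ == "__main__":
    for f in preload_findings(ENV, LD_SO_PRELOAD):
        print("preload:", f)
    for cmd, info in shadowed_commands(ENV["PATH"], LISTING, ["sudo", "ls"]).items():
        print(f"PATH: {cmd} runs from {info['executed']}, shadowing {info['shadowed']}")
```

Two practical caveats: on Linux the loader ignores LD_PRELOAD for set-UID binaries unless the library lives in a trusted system directory, but /etc/ld.so.preload applies to every dynamically linked process, which is why the file is checked separately; and the PATH check only flags a shadowed trusted copy, so a new command name that exists only in the untrusted directory still needs the directory's ACL reviewed.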
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1574/008"> Path Interception by Search Order Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1574/009"> Path Interception by Unquoted Path </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/010"> .010 </a> </td> <td> <a href="/versions/v9/techniques/T1574/010"> Services File Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. 
If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1574/011"> Services Registry Permissions Weakness </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions on Registry keys to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, or <a href="/versions/v9/software/S0075">Reg</a>. Access to Registry keys is controlled through Access Control Lists and permissions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1574/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1574/012"> COR_PROFILER </a> </td> <td> Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. 
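The unquoted-path (.009) and service file permission (.010) sub-techniques above are easiest to reason about by listing what Windows will actually try to start. The following is an added example, not code from the ATT&CK page: it enumerates the candidate files for a service ImagePath and reports which of them sit in a directory the auditor has already found writable. The service table and the writable-directory set are constructed; in practice they come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (or `sc qc`) and from an ACL check such as icacls.

```python
"""Enumerate the files Windows would try when starting a service from an
unquoted ImagePath, and report which of them an attacker could plant.

Added example for T1574.009 (and the file-permission weakness in .010); it is
not code from the ATT&CK page. ImagePath strings and the writable-directory
set are constructed sample data.
"""
import ntpath
from typing import Dict, Iterable, List


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Paths tried, in order, for an ImagePath.

    A quoted path is unambiguous and yields itself. For an unquoted path,
    CreateProcess treats every space as a possible end of the executable
    name, appending ".exe" when the prefix has no extension, and starts the
    first candidate that exists. Enumeration stops at the first prefix that
    already ends in .exe, which is the intended binary; anything after it is
    arguments.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end]] if end > 0 else []
    candidates: List[str] = []
    parts = image_path.split(" ")
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def hijack_points(image_path: str, writable_dirs: Iterable[str]) -> List[str]:
    """Candidates, other than the real binary, whose directory is writable."""
    writable = {ntpath.normpath(d).lower() for d in writable_dirs}
    candidates = unquoted_path_candidates(image_path)
    return [c for c in candidates[:-1]
            if ntpath.normpath(ntpath.dirname(c)).lower() in writable]


def audit_services(services: Dict[str, str], writable_dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Map service name -> plantable paths, omitting services with none."""
    report = {}
    for name, image in services.items():
        points = hijack_points(image, writable_dirs)
        if points:
            report[name] = points
    return report


# Constructed sample data (service names and paths are made up).
SERVICES = {
    "VendorSvc": r"C:\Program Files\Vendor App\bin\svc host.exe -service",
    "Spooler":   r"C:\Windows\System32\spoolsv.exe",
    "GoodSvc":   r'"C:\Program Files\Vendor App\bin\svc host.exe" -service',
}
WRITABLE = {r"C:\Program Files\Vendor App\bin"}  # weak ACL, as an icacls check would report

if __name__ == "__main__":
    for name, image in SERVICES.items():
        print(name, "->", unquoted_path_candidates(image))
    print("plantable:", audit_services(SERVICES, WRITABLE))
```

Note that C:\Program.exe and C:\Program Files\Vendor.exe are also candidates; they are not reported here only because standard users cannot write to the root of the system drive or to Program Files on a default installation. The fix is the same for every case: quote the ImagePath, and keep the binary's directory writable by administrators only.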
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1562"> T1562 </a> </td> <td> <a href="/versions/v9/techniques/T1562"> Impair Defenses </a> </td> <td> Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1562/001"> Disable or Modify Tools </a> </td> <td> Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1562/002"> Disable Windows Event Logging </a> </td> <td> Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1562/003"> Impair Command History Logging </a> </td> <td> Adversaries may impair command history logging to hide commands they run on a compromised system. 
Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1562/004"> Disable or Modify System Firewall </a> </td> <td> Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1562/006"> Indicator Blocking </a> </td> <td> An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as <a href="/versions/v9/techniques/T1059/001">PowerShell</a> or <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1562/007"> Disable or Modify Cloud Firewall </a> </td> <td> Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. 
Cloud firewalls are separate from system firewalls that are described in <a href="/versions/v9/techniques/T1562/004">Disable or Modify System Firewall</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1562/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1562/008"> Disable Cloud Logs </a> </td> <td> An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1070"> T1070 </a> </td> <td> <a href="/versions/v9/techniques/T1070"> Indicator Removal on Host </a> </td> <td> Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as <a href="/versions/v9/techniques/T1552/003">Bash History</a> and /var/log/*. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1070/001"> Clear Windows Event Logs </a> </td> <td> Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1070/002"> Clear Linux or Mac System Logs </a> </td> <td> Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. 
The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as: </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1070/003"> Clear Command History </a> </td> <td> In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1070/004"> File Deletion </a> </td> <td> Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1070/005"> Network Share Connection Removal </a> </td> <td> Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and <a href="/versions/v9/techniques/T1021/002">SMB/Windows Admin Shares</a> connections can be removed when no longer needed. <a href="/versions/v9/software/S0039">Net</a> is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. 
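The act of clearing a log is itself loggable, and the commands that disable shell history are often the last ones the history file records. The following is an added example for T1070.001 and T1070.003, not code from the ATT&CK page: it flags the Windows events written when a log is cleared and the shell idioms that stop or destroy bash history. The event records and shell lines are constructed; on a real host the records would come from wevtutil or Get-WinEvent and the lines from a user's ~/.bash_history or a session recording.

```python
"""Detect cleared Windows logs and shell-history tampering (T1070.001 / .003).

Added example, not code from the ATT&CK page. The event records and shell
lines below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# (channel, event ID) pairs Windows writes when a log is cleared: the Security
# log records 1102 "The audit log was cleared"; other logs record 104 in System.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Shell idioms that stop history being written or destroy what was written.
HISTORY_TAMPER: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bhistory\s+-[cw]\b"), "history cleared or rewritten"),
    (re.compile(r"\bunset\s+HISTFILE\b"), "HISTFILE unset"),
    (re.compile(r"\bHIST(FILE)?SIZE=0\b"), "history size zeroed"),
    (re.compile(r"\bHISTFILE=/dev/null\b"), "HISTFILE pointed at /dev/null"),
    (re.compile(r"\bln\s+-sf?\s+/dev/null\s+\S*\.bash_history\b"), "history file symlinked to /dev/null"),
    (re.compile(r"\b(rm|shred)\b[^|;&]*\.bash_history\b|[>:]\s*\S*\.bash_history\b"), "history file removed or truncated"),
]


def detect_log_clearing(events: List[Dict]) -> List[str]:
    """One line per event that records a log being cleared."""
    hits = []
    for ev in events:
        if (ev.get("channel"), ev.get("event_id")) in LOG_CLEARED:
            hits.append(f"{ev['time']} {ev.get('user', '?')} cleared {ev['channel']} log on {ev.get('host', '?')}")
    return hits


def detect_history_tampering(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, label, command) for each line matching a tamper idiom."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pattern, label in HISTORY_TAMPER:
            if pattern.search(line):
                findings.append((n, label, line.strip()))
                break
    return findings


# Constructed sample data.
EVENTS = [
    {"time": "2021-04-01T10:00:00Z", "host": "ws01", "channel": "Security", "event_id": 4624, "user": "alice"},
    {"time": "2021-04-01T10:05:12Z", "host": "ws01", "channel": "Security", "event_id": 1102, "user": "alice"},
    {"time": "2021-04-01T10:05:13Z", "host": "ws01", "channel": "System", "event_id": 104, "user": "alice"},
    {"time": "2021-04-01T10:06:00Z", "host": "ws01", "channel": "Application", "event_id": 1000, "user": "SYSTEM"},
]
SHELL_LINES = [
    "ls -la /var/log",
    "export HISTFILE=/dev/null",
    "history -c",
    "cat /etc/passwd",
    ": > ~/.bash_history",
]

if __name__ == "__main__":
    for hit in detect_log_clearing(EVENTS):
        print("log cleared:", hit)
    for n, label, cmd in detect_history_tampering(SHELL_LINES):
        print(f"history line {n}: {label}: {cmd}")
```

The 1102 and 104 events only help if they leave the host before the adversary clears them too, so forward them in near real time; and because bash writes history at shell exit by default, a session that sets HISTFILE early leaves nothing on disk at all, which is why process-level auditing (auditd, EDR command-line capture) rather than the history file should be the primary record.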
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1070/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1070/006"> Timestomp </a> </td> <td> Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1202"> T1202 </a> </td> <td> <a href="/versions/v9/techniques/T1202"> Indirect Command Execution </a> </td> <td> Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking <a href="/versions/v9/software/S0106">cmd</a>. For example, <a href="/versions/v9/software/S0193">Forfiles</a>, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>, Run window, or via scripts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1036"> T1036 </a> </td> <td> <a href="/versions/v9/techniques/T1036"> Masquerading </a> </td> <td> Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. 
This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1036/001"> Invalid Code Signature </a> </td> <td> Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1036/002"> Right-to-Left Override </a> </td> <td> Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1036/003"> Rename System Utilities </a> </td> <td> Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1036/004"> Masquerade Task or Service </a> </td> <td> Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1036/005"> Match Legitimate Name or Location </a> </td> <td> Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. 
This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1036/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1036/006"> Space after Filename </a> </td> <td> Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1556"> T1556 </a> </td> <td> <a href="/versions/v9/techniques/T1556"> Modify Authentication Process </a> </td> <td> Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authority Subsystem Service (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using <a href="/versions/v9/techniques/T1078">Valid Accounts</a>. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1556/001"> Domain Controller Authentication </a> </td> <td> Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1556/002"> Password Filter DLL </a> </td> <td> Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1556/003"> Pluggable Authentication Modules </a> </td> <td> Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1556/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1556/004"> Network Device Authentication </a> </td> <td> Adversaries may use <a href="/versions/v9/techniques/T1601/001">Patch System Image</a> to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. 
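Because PAM is driven by text configuration, a tampered stack usually shows up as an unexpected module, an unexpected path, or a control flag that returns success too early. The following is an added example for T1556.003, not code from the ATT&CK page. It parses pam.d-style lines of the form `type control module [args]` and flags modules loaded from outside the distribution's module directories, modules missing from a baseline, pam_permit.so placed where it short-circuits the auth stack, and pam_unix.so arguments that accept empty passwords. KNOWN_MODULES and MODULE_DIRS are assumed baselines to build from the installed libpam package; the sample configuration is constructed.

```python
"""Audit pam.d-style configuration for tampering (T1556.003).

Added example, not code from the ATT&CK page. KNOWN_MODULES and MODULE_DIRS
are assumptions; SAMPLE is a constructed configuration.
"""
import re
from typing import Dict, List, Tuple

KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_faildelay.so",
    "pam_nologin.so", "pam_succeed_if.so", "pam_limits.so", "pam_systemd.so", "pam_sss.so",
    "pam_faillock.so", "pam_pwquality.so", "pam_localuser.so", "pam_keyinit.so",
    "pam_loginuid.so", "pam_selinux.so", "pam_motd.so", "pam_lastlog.so", "pam_mail.so",
    "pam_umask.so", "pam_securetty.so", "pam_rootok.so", "pam_wheel.so", "pam_access.so",
}
MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
               "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
               "/usr/lib/x86_64-linux-gnu/security/")
EMPTY_PASSWORD_ARGS = {"nullok", "nullok_secure"}

LINE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")


def parse_pam(text: str) -> List[Dict]:
    """Entries as dicts; comments, blank lines and @include directives are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({"line": n, "type": m["type"], "control": m["control"],
                            "module": m["module"], "args": (m["args"] or "").split()})
    return entries


def audit_pam(text: str) -> List[Tuple[int, str]]:
    """(line number, finding) pairs for each suspicious entry."""
    findings = []
    for e in parse_pam(text):
        mod = e["module"]
        base = mod.rsplit("/", 1)[-1]
        if "/" in mod and not mod.startswith(MODULE_DIRS):
            findings.append((e["line"], f"module loaded from non-standard path: {mod}"))
        elif base not in KNOWN_MODULES:
            findings.append((e["line"], f"module not in baseline: {base}"))
        # `auth sufficient pam_permit.so` (or a [success=done ...] control)
        # returns success before any real module runs: any password works.
        if e["type"] == "auth" and base == "pam_permit.so" and (
                e["control"] == "sufficient" or "success=done" in e["control"]):
            findings.append((e["line"], f"pam_permit.so short-circuits auth ({e['control']})"))
        weak = EMPTY_PASSWORD_ARGS & set(e["args"])
        if base == "pam_unix.so" and weak:
            findings.append((e["line"], f"pam_unix.so allows empty passwords ({', '.join(sorted(weak))})"))
    return findings


# Constructed sample in the style of Debian's /etc/pam.d/common-auth, with
# three tampered lines appended (the `auth required pam_permit.so` on line 4
# is the stock Debian placeholder and is correctly not flagged).
SAMPLE = """\
# /etc/pam.d/common-auth (constructed)
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    sufficient                  pam_permit.so
auth    optional                    /tmp/.cache/pam_backdoor.so
session required                    pam_helper.so
"""

if __name__ == "__main__":
    for line, finding in audit_pam(SAMPLE):
        print(f"line {line}: {finding}")
```

A configuration audit does not catch a rebuilt pam_unix.so that keeps the same name and path; pair it with a package integrity check (`dpkg -V libpam-modules` or `rpm -V pam`) and with a hash of each module file against a known-good build.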
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1578"> T1578 </a> </td> <td> <a href="/versions/v9/techniques/T1578"> Modify Cloud Compute Infrastructure </a> </td> <td> An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1578/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1578/001"> Create Snapshot </a> </td> <td> An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in <a href="/versions/v9/techniques/T1578/004">Revert Cloud Instance</a> where an adversary may revert to a snapshot to evade detection and remove evidence of their presence. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1578/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1578/002"> Create Cloud Instance </a> </td> <td> An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. 
An adversary may <a href="/versions/v9/techniques/T1578/001">Create Snapshot</a> of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect <a href="/versions/v9/techniques/T1005">Data from Local System</a> or for <a href="/versions/v9/techniques/T1074/002">Remote Data Staging</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1578/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1578/003"> Delete Cloud Instance </a> </td> <td> An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1578/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1578/004"> Revert Cloud Instance </a> </td> <td> An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1112"> T1112 </a> </td> <td> <a href="/versions/v9/techniques/T1112"> Modify Registry </a> </td> <td> Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. 
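Each call in the T1578 chain above is individually routine, so the useful detection is the sequence rather than any single API. The following is an added example for T1578.001 through .004, not code from the ATT&CK page. The records are constructed in the shape of AWS CloudTrail events (eventTime, eventName, userIdentity.arn) and use the placeholder account ID from AWS documentation; the logic is an in-order match per principal inside a time window, so other providers' audit logs fit once their action names are mapped onto CHAIN.

```python
"""Correlate cloud audit events into the T1578 snapshot-to-instance chain.

Added example, not code from the ATT&CK page. EVENTS is a constructed sample
log in CloudTrail shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# EC2 actions in the order the technique descriptions above lay them out:
# snapshot an existing volume, build a volume from it, start a fresh instance
# the existing firewall rules were never applied to, attach, then loosen the
# security group to reach the data.
CHAIN = ["CreateSnapshot", "CreateVolume", "RunInstances", "AttachVolume",
         "AuthorizeSecurityGroupIngress"]
# Actions that remove evidence afterwards (.003 / .004).
CLEANUP = {"TerminateInstances", "DeleteSnapshot", "DeleteVolume"}


def _ts(event: Dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def principal(event: Dict) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or "unknown"


def find_chains(events: List[Dict], window: timedelta = timedelta(hours=2),
                min_steps: int = 3) -> List[Dict]:
    """One finding per principal that performed at least `min_steps` of CHAIN,
    in order (steps may be skipped), with every step inside `window` of the first."""
    by_actor: Dict[str, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_actor[principal(ev)].append(ev)
    findings = []
    for actor, evs in by_actor.items():
        matched, idx, start = [], 0, None
        for ev in evs:
            name = ev["eventName"]
            if name not in CHAIN[idx:]:
                continue                       # unrelated call, or a step already passed
            if start is None:
                start = _ts(ev)
            elif _ts(ev) - start > window:
                break                          # too slow to be one operation
            idx = CHAIN.index(name) + 1
            matched.append(name)
        if len(matched) >= min_steps:
            findings.append({"actor": actor, "steps": matched, "start": start.isoformat()})
    return findings


def find_cleanup(events: List[Dict]) -> List[Dict]:
    """Instance/snapshot/volume deletions, for pairing with a chain finding."""
    return [{"actor": principal(ev), "action": ev["eventName"], "time": ev["eventTime"]}
            for ev in events if ev["eventName"] in CLEANUP]


# Constructed sample log. 123456789012 is the placeholder account ID used in
# AWS documentation; the user names are made up.
_OPS = {"arn": "arn:aws:iam::123456789012:user/ops"}
_CON = {"arn": "arn:aws:iam::123456789012:user/contractor"}
EVENTS = [
    {"eventTime": "2021-04-01T09:00:00Z", "eventName": "DescribeInstances", "userIdentity": _OPS},
    {"eventTime": "2021-04-01T09:12:00Z", "eventName": "CreateSnapshot", "userIdentity": _OPS},
    {"eventTime": "2021-04-01T09:10:00Z", "eventName": "CreateSnapshot", "userIdentity": _CON},
    {"eventTime": "2021-04-01T09:25:00Z", "eventName": "CreateVolume", "userIdentity": _CON},
    {"eventTime": "2021-04-01T09:30:00Z", "eventName": "RunInstances", "userIdentity": _CON},
    {"eventTime": "2021-04-01T09:41:00Z", "eventName": "AttachVolume", "userIdentity": _CON},
    {"eventTime": "2021-04-01T09:45:00Z", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": _CON},
    {"eventTime": "2021-04-01T12:00:00Z", "eventName": "TerminateInstances", "userIdentity": _CON},
]

if __name__ == "__main__":
    for f in find_chains(EVENTS):
        print(f"{f['actor']} ran {len(f['steps'])} chain steps from {f['start']}: {f['steps']}")
    for c in find_cleanup(EVENTS):
        print(f"cleanup: {c['actor']} {c['action']} at {c['time']}")
```

The routine backup snapshot by the ops user produces no finding because it is a single step; the contractor's five calls inside 35 minutes, followed by TerminateInstances, match the snapshot-mount-loosen-delete pattern described above. Tune `window` and `min_steps` to the account's normal automation, and exclude the ARNs of backup roles rather than the CreateSnapshot call itself.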
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1601"> T1601 </a> </td> <td> <a href="/versions/v9/techniques/T1601"> Modify System Image </a> </td> <td> Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1601/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1601/001"> Patch System Image </a> </td> <td> Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1601/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1601/002"> Downgrade System Image </a> </td> <td> Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1599"> T1599 </a> </td> <td> <a href="/versions/v9/techniques/T1599"> Network Boundary Bridging </a> </td> <td> Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1599/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1599/001"> Network Address Translation Traversal </a> </td> <td> Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1027"> T1027 </a> </td> <td> <a href="/versions/v9/techniques/T1027"> Obfuscated Files or Information </a> </td> <td> Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1027/001"> Binary Padding </a> </td> <td> Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1027/002"> Software Packing </a> </td> <td> Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. 
Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1027/003"> Steganography </a> </td> <td> Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1027/004"> Compile After Delivery </a> </td> <td> Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1027/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1027/005"> Indicator Removal from Tools </a> </td> <td> Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1542"> T1542 </a> </td> <td> <a href="/versions/v9/techniques/T1542"> Pre-OS Boot </a> </td> <td> Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1542/001"> System Firmware </a> </td> <td> Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1542/002"> Component Firmware </a> </td> <td> Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to <a href="/versions/v9/techniques/T1542/001">System Firmware</a> but conducted upon other system components/devices that may not have the same capability or level of integrity checking. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1542/003"> Bootkit </a> </td> <td> Adversaries may use bootkits to persist on systems. 
Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1542/004"> ROMMONkit </a> </td> <td> Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1542/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1542/005"> TFTP Boot </a> </td> <td> Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1055"> T1055 </a> </td> <td> <a href="/versions/v9/techniques/T1055"> Process Injection </a> </td> <td> Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1055/001"> Dynamic-link Library Injection </a> </td> <td> Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1055/002"> Portable Executable Injection </a> </td> <td> Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1055/003"> Thread Execution Hijacking </a> </td> <td> Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1055/004"> Asynchronous Procedure Call </a> </td> <td> Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1055/005"> Thread Local Storage </a> </td> <td> Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1055/008"> Ptrace System Calls </a> </td> <td> Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1055/009"> Proc Memory </a> </td> <td> Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1055/011"> Extra Window Memory Injection </a> </td> <td> Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1055/012"> Process Hollowing </a> </td> <td> Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/013"> .013 </a> </td> <td> <a href="/versions/v9/techniques/T1055/013"> Process Doppelgänging </a> </td> <td> Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1055/014"> .014 </a> </td> <td> <a href="/versions/v9/techniques/T1055/014"> VDSO Hijacking </a> </td> <td> Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1207"> T1207 </a> </td> <td> <a href="/versions/v9/techniques/T1207"> Rogue Domain Controller </a> </td> <td> Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. 
Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1014"> T1014 </a> </td> <td> <a href="/versions/v9/techniques/T1014"> Rootkit </a> </td> <td> Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1218"> T1218 </a> </td> <td> <a href="/versions/v9/techniques/T1218"> Signed Binary Proxy Execution </a> </td> <td> Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1218/001"> Compiled HTML File </a> </td> <td> Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1218/002"> Control Panel </a> </td> <td> Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1218/003"> CMSTP </a> </td> <td> Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1218/004"> InstallUtil </a> </td> <td> Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v&lt;version&gt;\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v&lt;version&gt;\InstallUtil.exe</code>. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1218/005"> Mshta </a> </td> <td> Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/007"> .007 </a> </td> <td> <a href="/versions/v9/techniques/T1218/007"> Msiexec </a> </td> <td> Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). Msiexec.exe is digitally signed by Microsoft. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/008"> .008 </a> </td> <td> <a href="/versions/v9/techniques/T1218/008"> Odbcconf </a> </td> <td> Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. Odbcconf.exe is digitally signed by Microsoft. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/009"> .009 </a> </td> <td> <a href="/versions/v9/techniques/T1218/009"> Regsvcs/Regasm </a> </td> <td> Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET <a href="/versions/v9/techniques/T1559/001">Component Object Model</a> (COM) assemblies. Both are digitally signed by Microsoft. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/010"> .010 </a> </td> <td> <a href="/versions/v9/techniques/T1218/010"> Regsvr32 </a> </td> <td> Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/011"> .011 </a> </td> <td> <a href="/versions/v9/techniques/T1218/011"> Rundll32 </a> </td> <td> Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, instead of executing directly (i.e. <a href="/versions/v9/techniques/T1129">Shared Modules</a>), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1218/012"> .012 </a> </td> <td> <a href="/versions/v9/techniques/T1218/012"> Verclsid </a> </td> <td> Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1216"> T1216 </a> </td> <td> <a href="/versions/v9/techniques/T1216"> Signed Script Proxy Execution </a> </td> <td> Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. 
This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1216/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1216/001"> PubPrn </a> </td> <td> Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1553"> T1553 </a> </td> <td> <a href="/versions/v9/techniques/T1553"> Subvert Trust Controls </a> </td> <td> Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1553/001"> Gatekeeper Bypass </a> </td> <td> Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called <code>com.apple.quarantine</code>. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1553/002"> Code Signing </a> </td> <td> Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike <a href="/versions/v9/techniques/T1036/001">Invalid Code Signature</a>, this activity will result in a valid signature. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1553/003"> SIP and Trust Provider Hijacking </a> </td> <td> Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1553/004"> Install Root Certificate </a> </td> <td> Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). 
When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted, an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/005"> .005 </a> </td> <td> <a href="/versions/v9/techniques/T1553/005"> Mark-of-the-Web Bypass </a> </td> <td> Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW. Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1553/006"> .006 </a> </td> <td> <a href="/versions/v9/techniques/T1553/006"> Code Signing Policy Modification </a> </td> <td> Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. 
Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1221"> T1221 </a> </td> <td> <a href="/versions/v9/techniques/T1221"> Template Injection </a> </td> <td> Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1205"> T1205 </a> </td> <td> <a href="/versions/v9/techniques/T1205"> Traffic Signaling </a> </td> <td> Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. <a href="/versions/v9/techniques/T1205/001">Port Knocking</a>), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1205/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1205/001"> Port Knocking </a> </td> <td> Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1127"> T1127 </a> </td> <td> <a href="/versions/v9/techniques/T1127"> Trusted Developer Utilities Proxy Execution </a> </td> <td> Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1127/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1127/001"> MSBuild </a> </td> <td> Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1535"> T1535 </a> </td> <td> <a href="/versions/v9/techniques/T1535"> Unused/Unsupported Cloud Regions </a> </td> <td> Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1550"> T1550 </a> </td> <td> <a href="/versions/v9/techniques/T1550"> Use Alternate Authentication Material </a> </td> <td> Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1550/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1550/001"> Application Access Token </a> </td> <td> Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1550/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1550/002"> Pass the Hash </a> </td> <td> Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1550/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1550/003"> Pass the Ticket </a> </td> <td> Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1550/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1550/004"> Web Session Cookie </a> </td> <td> Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1078"> T1078 </a> </td> <td> <a href="/versions/v9/techniques/T1078"> Valid Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1078/001"> Default Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1078/002"> Domain Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1078/003"> Local Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1078/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1078/004"> Cloud Accounts </a> </td> <td> Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with a traditional identity management system, such as Windows Active Directory. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1497"> T1497 </a> </td> <td> <a href="/versions/v9/techniques/T1497"> Virtualization/Sandbox Evasion </a> </td> <td> Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1497/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1497/001"> System Checks </a> </td> <td> Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. 
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1497/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1497/002"> User Activity Based Checks </a> </td> <td> Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1497/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1497/003"> Time Based Evasion </a> </td> <td> Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. 
This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1600"> T1600 </a> </td> <td> <a href="/versions/v9/techniques/T1600"> Weaken Encryption </a> </td> <td> Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1600/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1600/001"> Reduce Key Space </a> </td> <td> Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1600/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1600/002"> Disable Crypto Hardware </a> </td> <td> Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1220"> T1220 </a> </td> <td> <a href="/versions/v9/techniques/T1220"> XSL Script Processing </a> </td> <td> Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. 
</td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&CK content version 9.0
Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> </body> </html>