diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 000000000..1dcc57668
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,21 @@
+# Set the default behavior, in case people don't have core.autocrlf set.
+* text=lf
+
+# Explicitly declare text files you want to always be normalized and converted
+# to native line endings on checkout.
+*.c text
+*.h text
+*.csv text
+*.sh text
+*.py text
+
+
+# Declare files that will always have CRLF line endings on checkout.
+*.sln text eol=crlf
+
+# Denote all files that are truly binary and should not be modified.
+*.png binary
+*.jpg binary
+
+# Sigma rule
+*.yml text
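Review bot: the first rule `* text=lf` does not do what its comment says, because `lf` is not a recognised value for the `text` attribute (Git accepts set, unset and `auto`; any other value leaves the attribute undefined), so no repository-wide normalization is applied and behaviour still depends on each clone's `core.autocrlf`. The intended form is `* text=auto eol=lf` (or `* text=auto` if checkout should stay native, which is what the later comment "converted to native line endings on checkout" describes); with that in place the per-extension `text` lines, including the trailing `*.yml text`, become redundant and can be dropped or kept only for documentation. Style nit: the double blank line before the CRLF section should be a single one.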
diff --git a/tools/config/fortisiem/MITRE-Attack-matrix.csv b/tools/config/fortisiem/MITRE-Attack-matrix.csv
index 22eea7fef..a3ebaf7e3 100644
--- a/tools/config/fortisiem/MITRE-Attack-matrix.csv
+++ b/tools/config/fortisiem/MITRE-Attack-matrix.csv
@@ -1,460 +1,460 @@
-Technique ID,Technique Name,Tactics,Technique Description,Platform,Link,Changed
-T1001.001,Data Obfuscation: Junk Data,Command And Control,"Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1001/001,No
-T1001.002,Data Obfuscation: Steganography,Command And Control,"Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1001/002,No
-T1001.003,Data Obfuscation: Protocol Impersonation,Command And Control,"Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1001/003,No
-T1003.001,OS Credential Dumping: LSASS Memory,Credential Access,Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).,Windows,https://attack.mitre.org/techniques/T1003/001,No
-T1003.002,OS Credential Dumping: Security Account Manager,Credential Access,Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.,Windows,https://attack.mitre.org/techniques/T1003/002,No
-T1003.003,OS Credential Dumping: NTDS,Credential Access,"Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.",Windows,https://attack.mitre.org/techniques/T1003/003,No
-T1003.004,OS Credential Dumping: LSA Secrets,Credential Access,"Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts",Windows,https://attack.mitre.org/techniques/T1003/004,No
-T1003.005,OS Credential Dumping: Cached Domain Credentials,Credential Access,Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.,Windows,https://attack.mitre.org/techniques/T1003/005,No
-T1003.006,OS Credential Dumping: DCSync,Credential Access,Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface to simulate the replication process from a remote domain controller using a technique called DCSync.,Windows,https://attack.mitre.org/techniques/T1003/006,No
-T1003.007,OS Credential Dumping: Proc Filesystem,Credential Access,Adversaries may gather credentials from information stored in the Proc filesystem. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system.,Linux,https://attack.mitre.org/techniques/T1003/007,No
-T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,Credential Access,Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.,Linux,https://attack.mitre.org/techniques/T1003/008,No
-T1005,Data from Local System,Collection,"Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1005,No
-T1006,Direct Volume Access,Defense Evasion,Adversaries may directly access a volume to bypass file access controls and file system monitoring.,Windows,https://attack.mitre.org/techniques/T1006,No
-T1007,System Service Discovery,Discovery,Adversaries may try to get information about registered services.,Windows,https://attack.mitre.org/techniques/T1007,No
-T1008,Fallback Channels,Command And Control,Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1008,No
-T1010,Application Window Discovery,Discovery,Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.,"Windows,macOS",https://attack.mitre.org/techniques/T1010,No
-T1011.001,Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth,Exfiltration,"Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1011/001,No
-T1012,Query Registry,Discovery,"Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",Windows,https://attack.mitre.org/techniques/T1012,No
-T1014,Rootkit,Defense Evasion,"Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1014,No
-T1016.001,System Network Configuration Discovery: Internet Connection Discovery,Discovery,"Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1016/001,Yes
-T1018,Remote System Discovery,Discovery,"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping, net view, bonjour etc.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1018,No
-T1020.001,Automated Exfiltration: Traffic Duplication,Exfiltration,"Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture or Man-in-the-Middle to achieve their objective.",Network,https://attack.mitre.org/techniques/T1020/001,No
-T1021.001,Remote Services: Remote Desktop Protocol,Lateral Movement,Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Adversaries may connect to a remote system over RDP to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.,Windows,https://attack.mitre.org/techniques/T1021/001,No
-T1021.002,Remote Services: SMB/Windows Admin Shares,Lateral Movement,Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.,Windows,https://attack.mitre.org/techniques/T1021/002,No
-T1021.003,Remote Services: Distributed Component Object Model,Lateral Movement,"Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications as well as other Windows objects that contain insecure methods. DCOM can also execute macros in existing documents and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application, bypassing the need for a malicious document.",Windows,https://attack.mitre.org/techniques/T1021/003,No
-T1021.004,Remote Services: SSH,Lateral Movement,Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.,"Linux,macOS",https://attack.mitre.org/techniques/T1021/004,No
-T1021.005,Remote Services: VNC,Lateral Movement,Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). The adversary may then perform actions as the logged-on user.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1021/005,No
-T1021.006,Remote Services: Windows Remote Management,Lateral Movement,Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.,Windows,https://attack.mitre.org/techniques/T1021/006,No
-T1025,Data from Removable Media,Collection,"Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1025,No
-T1027.001,Obfuscated Files or Information: Binary Padding,Defense Evasion,"Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1027/001,No
-T1027.002,Obfuscated Files or Information: Software Packing,Defense Evasion,Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable.?adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.,"Windows,macOS",https://attack.mitre.org/techniques/T1027/002,No
-T1027.003,Obfuscated Files or Information: Steganography,Defense Evasion,"Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1027/003,No
-T1027.004,Obfuscated Files or Information: Compile After Delivery,Defense Evasion,Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1027/004,No
-T1027.005,Obfuscated Files or Information: Indicator Removal from Tools,Defense Evasion,"Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1027/005,No
-T1029,Scheduled Transfer,Exfiltration,Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1029,No
-T1030,Data Transfer Size Limits,Exfiltration,An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1030,No
-T1033,System Owner/User Discovery,Discovery,"Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping].","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1033,No
-T1036.001,Masquerading: Invalid Code Signature,Defense Evasion,"Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.","Windows,macOS",https://attack.mitre.org/techniques/T1036/001,No
-T1036.002,Masquerading: Right-to-Left Override,Defense Evasion,Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1036/002,No
-T1036.003,Masquerading: Rename System Utilities,Defense Evasion,Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1036/003,No
-T1036.004,Masquerading: Masquerade Task or Service,Defense Evasion,Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.,"Linux,Windows",https://attack.mitre.org/techniques/T1036/004,No
-T1036.005,Masquerading: Match Legitimate Name or Location,Defense Evasion,Adversaries may match or approximate the name or location of legitimate files when naming/placing their files. This is done for the sake of evading defenses and observation.,"Containers,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1036/005,Yes
-T1036.006,Masquerading: Space after Filename,Defense Evasion,"Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.","Linux,macOS",https://attack.mitre.org/techniques/T1036/006,No
-T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),"Persistence,Privilege Escalation",Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.,Windows,https://attack.mitre.org/techniques/T1037/001,No
-T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),"Persistence,Privilege Escalation","Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike Startup Items, a login hook executes as the elevated root user.",macOS,https://attack.mitre.org/techniques/T1037/002,No
-T1037.003,Boot or Logon Initialization Scripts: Network Logon Script,"Persistence,Privilege Escalation",Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.,Windows,https://attack.mitre.org/techniques/T1037/003,No
-T1037.004,Boot or Logon Initialization Scripts: RC Scripts,"Persistence,Privilege Escalation",Adversaries may use rc.common automatically executed at boot initialization to establish persistence.,"Linux,macOS",https://attack.mitre.org/techniques/T1037/004,Yes
-T1037.005,Boot or Logon Initialization Scripts: Startup Items,"Persistence,Privilege Escalation",Adversaries may use startup items automatically executed at boot initialization to establish persistence.,macOS,https://attack.mitre.org/techniques/T1037/005,No
-T1039,Data from Network Shared Drive,Collection,Adversaries may search network shares on computers they have compromised to find files of interest.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1039,No
-T1040,Network Sniffing,"Credential Access,Discovery","Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics necessary for subsequent Lateral Movement and/or Defense Evasion activities.","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1040,Yes
-T1041,Exfiltration Over C2 Channel,Exfiltration,Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1041,No
-T1046,Network Service Scanning,Discovery,"Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.","Containers,IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1046,Yes
-T1047,Windows Management Instrumentation,Execution,"Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.",Windows,https://attack.mitre.org/techniques/T1047,No
-T1048.001,Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1048/001,No
-T1048.002,Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1048/002,No
-T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,Exfiltration,Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1048/003,No
-T1049,System Network Connections Discovery,Discovery,"Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, net use, net session, netstat, lsof, who -a and w.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1049,Yes
-T1052.001,Exfiltration Over Physical Medium: Exfiltration over USB,Exfiltration,"Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1052/001,No
-T1053.001,Scheduled Task/Job: At (Linux),"Execution,Persistence,Privilege Escalation",Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. This command within Linux operating systems enables administrators to schedule tasks. An adversary may be able to execute programs at system startup or on a scheduled basis for persistence.,Linux,https://attack.mitre.org/techniques/T1053/001,No
-T1053.002,Scheduled Task/Job: At (Windows),"Execution,Persistence,Privilege Escalation",Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.,Windows,https://attack.mitre.org/techniques/T1053/002,No
-T1053.003,Scheduled Task/Job: Cron,"Execution,Persistence,Privilege Escalation",Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence.,"Linux,macOS",https://attack.mitre.org/techniques/T1053/003,No
-T1053.004,Scheduled Task/Job: Launchd,"Execution,Persistence,Privilege Escalation","Adversaries may abuse the Launchd daemon, native to macOS, to perform task scheduling for initial or recurring execution of malicious code. An adversary may be able to schedule new executables to run at system startup or on a scheduled basis for persistence.",macOS,https://attack.mitre.org/techniques/T1053/004,No
-T1053.005,Scheduled Task/Job: Scheduled Task,"Execution,Persistence,Privilege Escalation",Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).,Windows,https://attack.mitre.org/techniques/T1053/005,No
-T1053.006,Scheduled Task/Job: Systemd Timers,"Execution,Persistence,Privilege Escalation",Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence. Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.,Linux,https://attack.mitre.org/techniques/T1053/006,No
-T1053.007,Scheduled Task/Job: Container Orchestration Job,"Execution,Persistence,Privilege Escalation","Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.",Containers,https://attack.mitre.org/techniques/T1053/007,Yes
-T1055.001,Process Injection: Dynamic-link Library Injection,"Defense Evasion,Privilege Escalation",Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/001,No
-T1055.002,Process Injection: Portable Executable Injection,"Defense Evasion,Privilege Escalation",Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/002,No
-T1055.003,Process Injection: Thread Execution Hijacking,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/003,No
-T1055.004,Process Injection: Asynchronous Procedure Call,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/004,No
-T1055.005,Process Injection: Thread Local Storage,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/005,No
-T1055.008,Process Injection: Ptrace System Calls,"Defense Evasion,Privilege Escalation",Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.,Linux,https://attack.mitre.org/techniques/T1055/008,No
-T1055.009,Process Injection: Proc Memory,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.,Linux,https://attack.mitre.org/techniques/T1055/009,No
-T1055.011,Process Injection: Extra Window Memory Injection,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/011,No
-T1055.012,Process Injection: Process Hollowing,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/012,No
-T1055.013,Process Injection: Process Doppelgänging,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into process via process Doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process Doppelganging is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/013,No
-T1055.014,Process Injection: VDSO Hijacking,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.,Linux,https://attack.mitre.org/techniques/T1055/014,No
-T1056.001,Input Capture: Keylogging,"Collection,Credential Access","Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1056/001,No
-T1056.002,Input Capture: GUI Input Capture,"Collection,Credential Access","Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.","Windows,macOS",https://attack.mitre.org/techniques/T1056/002,No
-T1056.003,Input Capture: Web Portal Capture,"Collection,Credential Access","Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1056/003,No
-T1056.004,Input Capture: Credential API Hooking,"Collection,Credential Access",Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.,Windows,https://attack.mitre.org/techniques/T1056/004,No
-T1057,Process Discovery,Discovery,"Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1057,No
-T1059.001,Command and Scripting Interpreter: PowerShell,Execution,"Adversaries may abuse PowerShell commands and scripts for execution. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.",Windows,https://attack.mitre.org/techniques/T1059/001,No
-T1059.002,Command and Scripting Interpreter: AppleScript,Execution,"Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Adversaries can use osascrip to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes.",macOS,https://attack.mitre.org/techniques/T1059/002,No
-T1059.003,Command and Scripting Interpreter: Windows Command Shell,Execution,"Adversaries may abuse the Windows command shell for execution. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Adversaries may leverage cmd.exe to execute various commands and payloads.",Windows,https://attack.mitre.org/techniques/T1059/003,No
-T1059.004,Command and Scripting Interpreter: Unix Shell,Execution,"Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.","Linux,macOS",https://attack.mitre.org/techniques/T1059/004,No
-T1059.005,Command and Scripting Interpreter: Visual Basic,Execution,Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies. Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachments.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1059/005,No
-T1059.006,Command and Scripting Interpreter: Python,Execution,Adversaries may abuse Python commands and scripts for execution. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1059/006,No
-T1059.007,Command and Scripting Interpreter: JavaScript,Execution,Adversaries may abuse JavaScript and/or JScript for execution. JavaScript (JS) is a platform-agnostic scripting language commonly associated with scripts in webpages. Adversaries may abuse JavaScript / JScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1059/007,Yes
-T1059.008,Command and Scripting Interpreter: Network Device CLI,Execution,"Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.",Network,https://attack.mitre.org/techniques/T1059/008,No
-T1068,Exploitation for Privilege Escalation,Privilege Escalation,"Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. An adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. They will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.","Containers,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1068,Yes
-T1069.001,Permission Groups Discovery: Local Groups,Discovery,"Adversaries may attempt to find local system groups and permission settings via tools such as net localgroup, dscl . -list /Groups, groups. This knowledge can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1069/001,No
-T1069.002,Permission Groups Discovery: Domain Groups,Discovery,"Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1069/002,No
-T1069.003,Permission Groups Discovery: Cloud Groups,Discovery,"Adversaries may attempt to find cloud groups and permission settings via toools such as Get-MsolRole, az ad user get-member-groups etc. This knowledge can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.","Azure AD,Google Workspace,IaaS,Office 365,SaaS",https://attack.mitre.org/techniques/T1069/003,Yes
-T1070.001,Indicator Removal on Host: Clear Windows Event Logs,Defense Evasion,"Adversaries may clear Windows Event Logs to hide the activity of an intrusion. These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell",Windows,https://attack.mitre.org/techniques/T1070/001,No
-T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,Defense Evasion,Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs.,"Linux,macOS",https://attack.mitre.org/techniques/T1070/002,No
-T1070.003,Indicator Removal on Host: Clear Command History,Defense Evasion,An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1070/003,No
-T1070.004,Indicator Removal on Host: File Deletion,Defense Evasion,"Adversaries may delete files left behind by the actions of their intrusion activity to minimize the adversary's footprint. Tools such as cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools can be used.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1070/004,No
-T1070.005,Indicator Removal on Host: Network Share Connection Removal,Defense Evasion,Adversaries may remove shared connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and[Windows Admin Shares connections can be removed when no longer needed.,Windows,https://attack.mitre.org/techniques/T1070/005,No
-T1070.006,Indicator Removal on Host: Timestomp,Defense Evasion,"Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1070/006,No
-T1071.001,Application Layer Protocol: Web Protocols,Command And Control,"Adversaries may communicate by concealing their data inside application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1071/001,No
-T1071.002,Application Layer Protocol: File Transfer Protocols,Command And Control,"Adversaries may communicate by concealing their data insideapplication layer protocols such as FTP, FTPS, and TFPT associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1071/002,No
-T1071.003,Application Layer Protocol: Mail Protocols,Command And Control,"Adversaries may communicate by concealing their data inside application layer protocols such as SMTP/S, POP3/S, and IMAP associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1071/003,No
-T1071.004,Application Layer Protocol: DNS,Command And Control,"Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1071/004,No
-T1072,Software Deployment Tools,"Execution,Lateral Movement","Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1072,No
-T1074.001,Data Staged: Local Data Staging,Collection,"Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1074/001,No
-T1074.002,Data Staged: Remote Data Staging,Collection,"Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1074/002,Yes
-T1078.001,Valid Accounts: Default Accounts,"Defense Evasion,Initial Access,Persistence,Privilege Escalation","Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.","Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1078/001,Yes
-T1078.002,Valid Accounts: Domain Accounts,"Defense Evasion,Initial Access,Persistence,Privilege Escalation","Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1078/002,No
-T1078.003,Valid Accounts: Local Accounts,"Defense Evasion,Initial Access,Persistence,Privilege Escalation","Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping.","Containers,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1078/003,Yes
-T1078.004,Valid Accounts: Cloud Accounts,"Defense Evasion,Initial Access,Persistence,Privilege Escalation","Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases.","Azure AD,Google Workspace,IaaS,Office 365,SaaS",https://attack.mitre.org/techniques/T1078/004,Yes
-T1080,Taint Shared Content,Lateral Movement,"Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS",Windows,https://attack.mitre.org/techniques/T1080,No
-T1082,System Information Discovery,Discovery,"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS ""systemsetup"" command, but it requires administrative privileges. Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1082,Yes
-T1083,File and Directory Discovery,Discovery,"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use this information during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1083,No
-T1087.001,Account Discovery: Local Account,Discovery,Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1087/001,No
-T1087.002,Account Discovery: Domain Account,Discovery,Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1087/002,No
-T1087.003,Account Discovery: Email Account,Discovery,Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists.,"Google Workspace,Office 365,Windows",https://attack.mitre.org/techniques/T1087/003,Yes
-T1087.004,Account Discovery: Cloud Account,Discovery,"Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.","Azure AD,Google Workspace,IaaS,Office 365,SaaS",https://attack.mitre.org/techniques/T1087/004,Yes
-T1090.001,Proxy: Internal Proxy,Command And Control,"Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1090/001,No
-T1090.002,Proxy: External Proxy,Command And Control,"Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion. External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1090/002,No
-T1090.003,Proxy: Multi-hop Proxy,Command And Control,"To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1090/003,No
-T1090.004,Proxy: Domain Fronting,Command And Control,Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1090/004,No
-T1091,Replication Through Removable Media,"Initial Access,Lateral Movement","Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.",Windows,https://attack.mitre.org/techniques/T1091,No
-T1092,Communication Through Removable Media,Command And Control,"Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1092,No
-T1095,Non-Application Layer Protocol,Command And Control,"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive but Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1095,No
-T1098.001,Account Manipulation: Additional Cloud Credentials,Persistence,"Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials to maintain persistent access to victim Azure accounts. Azure Service Principals support both password and certificate credentials. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure powershell.","Azure AD,IaaS",https://attack.mitre.org/techniques/T1098/001,Yes
-T1098.002,Account Manipulation: Exchange Email Delegate Permissions,Persistence,"Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. This may be used in persistent threat incidents as well as Business Email Compromise incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems.","Office 365,Windows",https://attack.mitre.org/techniques/T1098/002,No
-T1098.003,Account Manipulation: Add Office 365 Global Administrator Role,Persistence,"An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role. This account modification may immediately follow or other malicious account activity.",Office 365,https://attack.mitre.org/techniques/T1098/003,No
-T1098.004,Account Manipulation: SSH Authorized Keys,Persistence,Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys< file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.,"Linux,macOS",https://attack.mitre.org/techniques/T1098/004,No
-T1102.001,Web Service: Dead Drop Resolver,Command And Control,"Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1102/001,No
-T1102.002,Web Service: Bidirectional Communication,Command And Control,"Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel such as Google and Twitter. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1102/002,No
-T1102.003,Web Service: One-Way Communication,Command And Control,"Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel such as Google and Twitter. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1102/003,No
-T1104,Multi-Stage Channels,Command And Control,"Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1104,No
-T1105,Ingress Tool Transfer,Command And Control,"Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1105,No
-T1106,Native API,Execution,"Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Adversaries may abuse these native API functions as a means of executing behaviors.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1106,No
-T1110.001,Brute Force: Password Guessing,Credential Access,Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.,"Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1110/001,Yes
-T1110.002,Brute Force: Password Cracking,Credential Access,"Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.","Azure AD,Linux,Office 365,Windows,macOS",https://attack.mitre.org/techniques/T1110/002,No
-T1110.003,Brute Force: Password Spraying,Credential Access,Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.,"Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1110/003,Yes
-T1110.004,Brute Force: Credential Stuffing,Credential Access,"Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.","Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1110/004,Yes
-T1111,Two-Factor Authentication Interception,Credential Access,"Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1111,No
-T1112,Modify Registry,Defense Evasion,"Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.",Windows,https://attack.mitre.org/techniques/T1112,No
-T1113,Screen Capture,Collection,"Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1113,No
-T1114.001,Email Collection: Local Email Collection,Collection,"Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.",Windows,https://attack.mitre.org/techniques/T1114/001,No
-T1114.002,Email Collection: Remote Email Collection,Collection,Adversaries may target an Exchange server or Office 365 to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.,"Google Workspace,Office 365,Windows",https://attack.mitre.org/techniques/T1114/002,Yes
-T1114.003,Email Collection: Email Forwarding Rule,Collection,"Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more.","Google Workspace,Office 365,Windows",https://attack.mitre.org/techniques/T1114/003,Yes
-T1115,Clipboard Data,Collection,"Adversaries may collect data stored in the clipboard from users copying information within or between applications. In Windows, Applications can access clipboard data by using the Windows API. OSX provides a native command, pbpaste to grab clipboard contents.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1115,No
-T1119,Automated Collection,Collection,"Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1119,No
-T1120,Peripheral Device Discovery,Discovery,"Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.","Windows,macOS",https://attack.mitre.org/techniques/T1120,No
-T1123,Audio Capture,Collection,"An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1123,No
-T1124,System Time Discovery,Discovery,An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.,Windows,https://attack.mitre.org/techniques/T1124,No
-T1125,Video Capture,Collection,"An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images.","Windows,macOS",https://attack.mitre.org/techniques/T1125,No
-T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,Defense Evasion,Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.,Windows,https://attack.mitre.org/techniques/T1127/001,No
-T1129,Shared Modules,Execution,Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. Adversaries may use this functionality as a way to execute arbitrary code on a victim system.,Windows,https://attack.mitre.org/techniques/T1129,No
-T1132.001,Data Encoding: Standard Encoding,Command And Control,"Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1132/001,No
-T1132.002,Data Encoding: Non-Standard Encoding,Command And Control,"Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1132/002,No
-T1133,External Remote Services,"Initial Access,Persistence","Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.","Containers,Linux,Windows",https://attack.mitre.org/techniques/T1133,Yes
-T1134.001,Access Token Manipulation: Token Impersonation/Theft,"Defense Evasion,Privilege Escalation","Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using ""DuplicateToken(Ex)"". An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",Windows,https://attack.mitre.org/techniques/T1134/001,No
-T1134.002,Access Token Manipulation: Create Process with Token,"Defense Evasion,Privilege Escalation","Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with ""DuplicateToken(Ex)"" and use it with ""CreateProcessWithTokenW"" to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.",Windows,https://attack.mitre.org/techniques/T1134/002,No
-T1134.003,Access Token Manipulation: Make and Impersonate Token,"Defense Evasion,Privilege Escalation","Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the ""LogonUser"" function. The function will return a copy of the new session's access token and the adversary can use ""SetThreadToken"" to assign the token to a thread.",Windows,https://attack.mitre.org/techniques/T1134/003,No
-T1134.004,Access Token Manipulation: Parent PID Spoofing,"Defense Evasion,Privilege Escalation","Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe",Windows,https://attack.mitre.org/techniques/T1134/004,No
-T1134.005,Access Token Manipulation: SID-History Injection,"Defense Evasion,Privilege Escalation","Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).",Windows,https://attack.mitre.org/techniques/T1134/005,No
-T1135,Network Share Discovery,Discovery,Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1135,No
-T1136.001,Create Account: Local Account,Persistence,"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1136/001,No
-T1136.002,Create Account: Domain Account,Persistence,"Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the ?net user /add /domain? command can be used to create a domain account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1136/002,No
-T1136.003,Create Account: Cloud Account,Persistence,"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.","Azure AD,Google Workspace,IaaS,Office 365",https://attack.mitre.org/techniques/T1136/003,Yes
-T1137.001,Office Application Startup: Office Template Macros,Persistence,Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts.,"Office 365,Windows",https://attack.mitre.org/techniques/T1137/001,No
-T1137.002,Office Application Startup: Office Test,Persistence,"Adversaries may abuse the Microsoft Office ""Office Test"" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.","Office 365,Windows",https://attack.mitre.org/techniques/T1137/002,No
-T1137.003,Office Application Startup: Outlook Forms,Persistence,"Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form. Once malicious forms have been added to the user's mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.","Office 365,Windows",https://attack.mitre.org/techniques/T1137/003,No
-T1137.004,Office Application Startup: Outlook Home Page,Persistence,Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.,"Office 365,Windows",https://attack.mitre.org/techniques/T1137/004,No
-T1137.005,Office Application Startup: Outlook Rules,Persistence,"Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. Once malicious rules have been added to the user's mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.","Office 365,Windows",https://attack.mitre.org/techniques/T1137/005,No
-T1137.006,Office Application Startup: Add-ins,Persistence,"Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.","Office 365,Windows",https://attack.mitre.org/techniques/T1137/006,No
-T1140,Deobfuscate/Decode Files or Information,Defense Evasion,Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016),"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1140,No
-T1176,Browser Extensions,Persistence,"Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1176,No
-T1185,Man in the Browser,Collection,"Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic.",Windows,https://attack.mitre.org/techniques/T1185,No
-T1187,Forced Authentication,Credential Access,Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system.,Windows,https://attack.mitre.org/techniques/T1187,No
-T1189,Drive-by Compromise,Initial Access,"Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token. The focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Token","Linux,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1189,No
-T1190,Exploit Public-Facing Application,Initial Access,"Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases, standard services, and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion.","Containers,IaaS,Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1190,Yes
-T1195.001,Supply Chain Compromise: Compromise Software Dependencies and Development Tools,Initial Access,Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1195/001,No
-T1195.002,Supply Chain Compromise: Compromise Software Supply Chain,Initial Access,"Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1195/002,No
-T1195.003,Supply Chain Compromise: Compromise Hardware Supply Chain,Initial Access,"Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1195/003,No
-T1197,BITS Jobs,"Defense Evasion,Persistence","Adversaries may abuse Windows Background Intelligent Transfer Service (BITS) jobs to persistently execute or clean up after malicious payloads. BITS is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model. BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background. The interface to create and manage BITS jobs is accessible through PowerShell. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.",Windows,https://attack.mitre.org/techniques/T1197,No
-T1199,Trusted Relationship,Initial Access,"Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.","IaaS,Linux,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1199,Yes
-T1200,Hardware Additions,Initial Access,"Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. Many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping, man-in-the middle encryption breaking, keystroke injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1200,No
-T1201,Password Policy Discovery,Discovery,Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1201,No
-T1202,Indirect Command Execution,Defense Evasion,"Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.",Windows,https://attack.mitre.org/techniques/T1202,No
-T1203,Exploitation for Client Execution,Execution,"Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Several types exist: Browser-based Exploitation, Office Applications and Common Third-party Applications.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1203,No
-T1204.001,User Execution: Malicious Link,Execution,An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1204/001,No
-T1204.002,User Execution: Malicious File,Execution,"An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1204/002,No
-T1204.003,User Execution: Malicious Image,Execution,"Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)","Containers,IaaS",https://attack.mitre.org/techniques/T1204/003,Yes
-T1205.001,Traffic Signaling: Port Knocking,"Command And Control,Defense Evasion,Persistence","Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1205/001,No
-T1207,Rogue Domain Controller,Defense Evasion,"Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.",Windows,https://attack.mitre.org/techniques/T1207,No
-T1210,Exploitation of Remote Services,Lateral Movement,"Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1210,No
-T1211,Exploitation for Defense Evasion,Defense Evasion,"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.??Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1211,No
-T1212,Exploitation for Credential Access,Credential Access,"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1212,No
-T1213.001,Data from Information Repositories: Confluence,Collection,"Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as: Policies, procedures, and standards; Physical / logical network diagrams; System architecture diagrams; Source code snippets; Links to network shares and other internal resources etc.",SaaS,https://attack.mitre.org/techniques/T1213/001,No
-T1213.002,Data from Information Repositories: Sharepoint,Collection,"Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint: such as: Policies, procedures, and standards, Physical / logical network diagrams, System architecture diagrams, Technical system documentation, Testing / development credentials, Work / project schedules, Source code snippet and Links to network shares and other internal resources.","Office 365,Windows",https://attack.mitre.org/techniques/T1213/002,No
-T1216.001,Signed Script Proxy Execution: PubPrn,Defense Evasion,Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems,Windows,https://attack.mitre.org/techniques/T1216/001,No
-T1217,Browser Bookmark Discovery,Discovery,"Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1217,No
-T1218.001,Signed Binary Proxy Execution: Compiled HTML File,Defense Evasion,Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution.,Windows,https://attack.mitre.org/techniques/T1218/001,No
-T1218.002,Signed Binary Proxy Execution: Control Panel,Defense Evasion,"Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Malicious Control Panel items can be delivered via Phishing campaigns or executed as part of multi-stage malware. Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.",Windows,https://attack.mitre.org/techniques/T1218/002,No
-T1218.003,Signed Binary Proxy Execution: CMSTP,Defense Evasion,"Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.",Windows,https://attack.mitre.org/techniques/T1218/003,No
-T1218.004,Signed Binary Proxy Execution: InstallUtil,Defense Evasion,"Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute ""System.ComponentModel.RunInstaller(true)""",Windows,https://attack.mitre.org/techniques/T1218/004,No
-T1218.005,Signed Binary Proxy Execution: Mshta,Defense Evasion,"Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.",Windows,https://attack.mitre.org/techniques/T1218/005,No
-T1218.007,Signed Binary Proxy Execution: Msiexec,Defense Evasion,Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.[,Windows,https://attack.mitre.org/techniques/T1218/007,No
-T1218.008,Signed Binary Proxy Execution: Odbcconf,Defense Evasion,Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse.,Windows,https://attack.mitre.org/techniques/T1218/008,No
-T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,Defense Evasion,Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm),Windows,https://attack.mitre.org/techniques/T1218/009,No
-T1218.010,Signed Binary Proxy Execution: Regsvr32,Defense Evasion,"Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions.",Windows,https://attack.mitre.org/techniques/T1218/010,No
-T1218.011,Signed Binary Proxy Execution: Rundll32,Defense Evasion,"Adversaries may abuse rundll32.exe to proxy execution of malicious code. Rundll32.exe is commonly associated with executing DLL payloads. However, Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions.",Windows,https://attack.mitre.org/techniques/T1218/011,No
-T1218.012,Signed Binary Proxy Execution: Verclsid,Defense Evasion,Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe). Adversaries may abuse verclsid.exe to execute malicious payloads.,Windows,https://attack.mitre.org/techniques/T1218/012,No
-T1219,Remote Access Software,Command And Control,"An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1219,No
-T1220,XSL Script Processing,Defense Evasion,"Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control.",Windows,https://attack.mitre.org/techniques/T1220,No
-T1221,Template Injection,Defense Evasion,Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. This technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.,Windows,https://attack.mitre.org/techniques/T1221,No
-T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,Defense Evasion,"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.",Windows,https://attack.mitre.org/techniques/T1222/001,No
-T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,Defense Evasion,"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. Adversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via .bash_profile and .bashrc or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.","Linux,macOS",https://attack.mitre.org/techniques/T1222/002,No
-T1480.001,Execution Guardrails: Environmental Keying,Defense Evasion,Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution. Environmental keying can also be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1480/001,No
-T1482,Domain Trust Discovery,Discovery,"Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.",Windows,https://attack.mitre.org/techniques/T1482,No
-T1484.001,Domain Policy Modification: Group Policy Modification,"Defense Evasion,Privilege Escalation","Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)",Windows,https://attack.mitre.org/techniques/T1484/001,Yes
-T1484.002,Domain Policy Modification: Domain Trust Modification,"Defense Evasion,Privilege Escalation","Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.","Azure AD,Windows",https://attack.mitre.org/techniques/T1484/002,Yes
-T1485,Data Destruction,Impact,"Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1485,Yes
-T1486,Data Encrypted for Impact,Impact,Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.,"IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1486,Yes
-T1489,Service Stop,Impact,"Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1489,No
-T1490,Inhibit System Recovery,Impact,"Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete these system recovery features.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1490,No
-T1491.001,Defacement: Internal Defacement,Impact,"An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1491/001,No
-T1491.002,Defacement: External Defacement,Impact,"An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. Website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1491/002,Yes
-T1495,Firmware Corruption,Impact,"Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1495,No
-T1496,Resource Hijacking,Impact,"Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.","Containers,IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1496,Yes
-T1497.001,Virtualization/Sandbox Evasion: System Checks,"Defense Evasion,Discovery","Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1497/001,No
-T1497.002,Virtualization/Sandbox Evasion: User Activity Based Checks,"Defense Evasion,Discovery","Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1497/002,No
-T1497.003,Virtualization/Sandbox Evasion: Time Based Evasion,"Defense Evasion,Discovery",Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Asymmetric encryption algorithms ( also known as public-key cryptography) are those that use different keys on each end of the channel.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1497/003,No
-T1498.001,Network Denial of Service: Direct Network Flood,Impact,"Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well. Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1498/001,Yes
-T1498.002,Network Denial of Service: Reflection Amplification,Impact,"Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target. Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1498/002,Yes
-T1499.001,Endpoint Denial of Service: OS Exhaustion Flood,Impact,"Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1499/001,No
-T1499.002,Endpoint Denial of Service: Service Exhaustion Flood,Impact,"Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well. One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. Another variation, known as a SSL renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1499/002,Yes
-T1499.003,Endpoint Denial of Service: Application Exhaustion Flood,Impact,Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.,"Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1499/003,Yes
-T1499.004,Endpoint Denial of Service: Application or System Exploitation,Impact,"Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1499/004,Yes
-T1505.001,Server Software Component: SQL Stored Procedures,Persistence,Adversaries may abuse SQL stored procedures to establish persistent access to systems. Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers. Adversaries may craft or modify common language runtime (CLR) assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.,"Linux,Windows",https://attack.mitre.org/techniques/T1505/001,No
-T1505.002,Server Software Component: Transport Agent,Persistence,"Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server. The malicious transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.","Linux,Windows",https://attack.mitre.org/techniques/T1505/002,No
-T1505.003,Server Software Component: Web Shell,Persistence,Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1505/003,No
-T1518.001,Software Discovery: Security Software Discovery,Discovery,"Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1518/001,Yes
-T1525,Implant Internal Image,Persistence,"Adversaries may implant cloud container images with malicious code to establish persistence. Amazon Web Service (AWS) Amazon Machine Images (AMI), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.","Containers,IaaS",https://attack.mitre.org/techniques/T1525,Yes
-T1526,Cloud Service Discovery,Discovery,"An adversary may attempt to enumerate the cloud services running on a system after gaining access. Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.","Azure AD,Google Workspace,IaaS,Office 365,SaaS",https://attack.mitre.org/techniques/T1526,Yes
-T1528,Steal Application Access Token,Credential Access,Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.,"Azure AD,Google Workspace,Office 365,SaaS",https://attack.mitre.org/techniques/T1528,Yes
-T1529,System Shutdown/Reboot,Impact,"Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1529,No
-T1530,Data from Cloud Storage Object,Collection,"Adversaries may access data objects from improperly secured cloud storage. Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs.",IaaS,https://attack.mitre.org/techniques/T1530,Yes
-T1531,Account Access Removal,Impact,"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1531,No
-T1534,Internal Spearphishing,Lateral Movement,Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.,"Google Workspace,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1534,Yes
-T1535,Unused/Unsupported Cloud Regions,Defense Evasion,Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.,IaaS,https://attack.mitre.org/techniques/T1535,Yes
-T1537,Transfer Data to Cloud Account,Exfiltration,"Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.",IaaS,https://attack.mitre.org/techniques/T1537,Yes
-T1538,Cloud Service Dashboard,Discovery,"An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(","Azure AD,Google Workspace,IaaS,Office 365",https://attack.mitre.org/techniques/T1538,Yes
-T1539,Steal Web Session Cookie,Credential Access,"An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns. After an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.","Google Workspace,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1539,Yes
-T1542.001,Pre-OS Boot: System Firmware,"Defense Evasion,Persistence",Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity.,Windows,https://attack.mitre.org/techniques/T1542/001,No
-T1542.002,Pre-OS Boot: Component Firmware,"Defense Evasion,Persistence","Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",Windows,https://attack.mitre.org/techniques/T1542/002,No
-T1542.003,Pre-OS Boot: Bootkit,"Defense Evasion,Persistence","Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).","Linux,Windows",https://attack.mitre.org/techniques/T1542/003,No
-T1542.004,Pre-OS Boot: ROMMONkit,"Defense Evasion,Persistence","Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. An adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.",Network,https://attack.mitre.org/techniques/T1542/004,No
-T1542.005,Pre-OS Boot: TFTP Boot,"Defense Evasion,Persistence","Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with ?Modify System Image? to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality.",Network,https://attack.mitre.org/techniques/T1542/005,No
-T1543.001,Create or Modify System Process: Launch Agent,"Persistence,Privilege Escalation","Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent. These launch agents have property list files which point to the executables that will be launched. Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in.",macOS,https://attack.mitre.org/techniques/T1543/001,No
-T1543.002,Create or Modify System Process: Systemd Service,"Persistence,Privilege Escalation","Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.",Linux,https://attack.mitre.org/techniques/T1543/002,No
-T1543.003,Create or Modify System Process: Windows Service,"Persistence,Privilege Escalation","Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system. An adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.",Windows,https://attack.mitre.org/techniques/T1543/003,No
-T1543.004,Create or Modify System Process: Launch Daemon,"Persistence,Privilege Escalation","Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. When macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files. Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.",macOS,https://attack.mitre.org/techniques/T1543/004,No
-T1546.001,Event Triggered Execution: Change Default File Association,"Persistence,Privilege Escalation","Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.",Windows,https://attack.mitre.org/techniques/T1546/001,No
-T1546.002,Event Triggered Execution: Screensaver,"Persistence,Privilege Escalation",Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The screensaver settings are stored in the Registry. Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.,Windows,https://attack.mitre.org/techniques/T1546/002,No
-T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,"Persistence,Privilege Escalation","Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.",Windows,https://attack.mitre.org/techniques/T1546/003,No
-T1546.004,Event Triggered Execution: Unix Shell Configuration Modification,"Persistence,Privilege Escalation",Adversaries may establish persistence by executing malicious content triggered by a user's shell.?~/.bash_profile?and?~/.bashrc?are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence.,"Linux,macOS",https://attack.mitre.org/techniques/T1546/004,Yes
-T1546.005,Event Triggered Execution: Trap,"Persistence,Privilege Escalation","Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where ""command list"" will be executed when ""signals"" are received","Linux,macOS",https://attack.mitre.org/techniques/T1546/005,No
-T1546.006,Event Triggered Execution: LC_LOAD_DYLIB Addition,"Persistence,Privilege Escalation","Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn't checked at load time.",macOS,https://attack.mitre.org/techniques/T1546/006,No
-T1546.007,Event Triggered Execution: Netsh Helper DLL,"Persistence,Privilege Escalation","Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.",Windows,https://attack.mitre.org/techniques/T1546/007,No
-T1546.008,Event Triggered Execution: Accessibility Features,"Persistence,Privilege Escalation",Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.,Windows,https://attack.mitre.org/techniques/T1546/008,No
-T1546.009,Event Triggered Execution: AppCert DLLs,"Persistence,Privilege Escalation",Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key are loaded into every process that calls the ubiquitously used application programming interface (API) functions. This value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.,Windows,https://attack.mitre.org/techniques/T1546/009,No
-T1546.010,Event Triggered Execution: AppInit DLLs,"Persistence,Privilege Escalation","Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys, are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.",Windows,https://attack.mitre.org/techniques/T1546/010,No
-T1546.011,Event Triggered Execution: Application Shimming,"Persistence,Privilege Escalation","Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. Shims can also be abused to establish persistence by continuously being invoked by affected programs.",Windows,https://attack.mitre.org/techniques/T1546/011,No
-T1546.012,Event Triggered Execution: Image File Execution Options Injection,"Persistence,Privilege Escalation",Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application.?IEFO can be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation. Malware may also use IFEO to Impair Defenses by registering invalid debuggers that redirect and effectively disable various system and security applications.,Windows,https://attack.mitre.org/techniques/T1546/012,No
-T1546.013,Event Triggered Execution: PowerShell Profile,"Persistence,Privilege Escalation","Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. Adversaries may modify these profiles to include arbitrary commands, functions, modules to gain persistence. Every time a user opens a PowerShell session, the modified script will be executed. An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)",Windows,https://attack.mitre.org/techniques/T1546/013,No
-T1546.014,Event Triggered Execution: Emond,"Persistence,Privilege Escalation","Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.",macOS,https://attack.mitre.org/techniques/T1546/014,No
-T1546.015,Event Triggered Execution: Component Object Model Hijacking,"Persistence,Privilege Escalation",Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence.,Windows,https://attack.mitre.org/techniques/T1546/015,No
-T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,"Persistence,Privilege Escalation","Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the ""run keys"" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.",Windows,https://attack.mitre.org/techniques/T1547/001,No
-T1547.002,Boot or Logon Autostart Execution: Authentication Package,"Persistence,Privilege Escalation",Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry.,Windows,https://attack.mitre.org/techniques/T1547/002,No
-T1547.003,Boot or Logon Autostart Execution: Time Providers,"Persistence,Privilege Escalation","Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. Time providers are implemented as dynamic-link libraries (DLLs) that can be found in the registry. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.",Windows,https://attack.mitre.org/techniques/T1547/003,No
-T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,"Persistence,Privilege Escalation",Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.,Windows,https://attack.mitre.org/techniques/T1547/004,No
-T1547.005,Boot or Logon Autostart Execution: Security Support Provider,"Persistence,Privilege Escalation","Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.",Windows,https://attack.mitre.org/techniques/T1547/005,No
-T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,"Persistence,Privilege Escalation","Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege. Adversaries can use LKMs and Kernel Extensions to covertly persist on a system and elevate privileges.","Linux,macOS",https://attack.mitre.org/techniques/T1547/006,No
-T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,"Persistence,Privilege Escalation","Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. There are property list files (plist) that contain this information. An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine.",macOS,https://attack.mitre.org/techniques/T1547/007,No
-T1547.008,Boot or Logon Autostart Execution: LSASS Driver,"Persistence,Privilege Escalation","Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.",Windows,https://attack.mitre.org/techniques/T1547/008,No
-T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,"Persistence,Privilege Escalation",Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.,Windows,https://attack.mitre.org/techniques/T1547/009,No
-T1547.010,Boot or Logon Autostart Execution: Port Monitors,"Persistence,Privilege Escalation",Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.,Windows,https://attack.mitre.org/techniques/T1547/010,No
-T1547.011,Boot or Logon Autostart Execution: Plist Modification,"Persistence,Privilege Escalation",Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. Adversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.,macOS,https://attack.mitre.org/techniques/T1547/011,No
-T1547.012,Boot or Logon Autostart Execution: Print Processors,"Persistence,Privilege Escalation","Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. One way the print processor can be installed through the ?AddPrintProcessor? API call with an account that has ?SeLoadDriverPrivilege? enabled. The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.",Windows,https://attack.mitre.org/techniques/T1547/012,No
-T1547.013,Boot or Logon Autostart Execution: XDG Autostart Entries,"Persistence,Privilege Escalation","Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)",Linux,https://attack.mitre.org/techniques/T1547/013,Yes
-T1547.014,Boot or Logon Autostart Execution: Active Setup,"Persistence,Privilege Escalation",Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.,Windows,https://attack.mitre.org/techniques/T1547/014,Yes
-T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,"Defense Evasion,Privilege Escalation","An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user's context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. When programs need to be executed in an elevated context to function properly, the user can specify the setuid or setgid flag to be set for their own applications. Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.","Linux,macOS",https://attack.mitre.org/techniques/T1548/001,No
-T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,"Defense Evasion,Privilege Escalation","Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.",Windows,https://attack.mitre.org/techniques/T1548/002,No
-T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,"Defense Evasion,Privilege Escalation",Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.,"Linux,macOS",https://attack.mitre.org/techniques/T1548/003,No
-T1548.004,Abuse Elevation Control Mechanism: Elevated Execution with Prompt,"Defense Evasion,Privilege Escalation","Adversaries may leverage the ""AuthorizationExecuteWithPrivileges"" API to escalate privileges by prompting the user for credentials.",macOS,https://attack.mitre.org/techniques/T1548/004,No
-T1550.001,Use Alternate Authentication Material: Application Access Token,"Defense Evasion,Lateral Movement","Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS). With a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a ""refresh"" token enabling background access is awarded. Compromised access tokens may be used as an initial step in compromising other services.","Google Workspace,Office 365,SaaS",https://attack.mitre.org/techniques/T1550/001,Yes
-T1550.002,Use Alternate Authentication Material: Pass the Hash,"Defense Evasion,Lateral Movement","Adversaries may ""Pass the hash"" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. Valid password hashes for an account are captured using a Credential Access technique and can be used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.",Windows,https://attack.mitre.org/techniques/T1550/002,No
-T1550.003,Use Alternate Authentication Material: Pass the Ticket,"Defense Evasion,Lateral Movement","Adversaries may ""pass the ticket"" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access.",Windows,https://attack.mitre.org/techniques/T1550/003,No
-T1550.004,Use Alternate Authentication Material: Web Session Cookie,"Defense Evasion,Lateral Movement","Adversaries can use stolen session cookies to authenticate to web applications and services. Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.","Google Workspace,Office 365,SaaS",https://attack.mitre.org/techniques/T1550/004,Yes
-T1552.001,Unsecured Credentials: Credentials In Files,Credential Access,Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.,"Containers,IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1552/001,Yes
-T1552.002,Unsecured Credentials: Credentials in Registry,Credential Access,Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.,Windows,https://attack.mitre.org/techniques/T1552/002,No
-T1552.003,Unsecured Credentials: Bash History,Credential Access,"Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the ""history"" utility. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials.","Linux,macOS",https://attack.mitre.org/techniques/T1552/003,No
-T1552.004,Unsecured Credentials: Private Keys,Credential Access,"Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1552/004,No
-T1552.005,Unsecured Credentials: Cloud Instance Metadata API,Credential Access,"Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. Attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.",IaaS,https://attack.mitre.org/techniques/T1552/005,Yes
-T1552.006,Unsecured Credentials: Group Policy Preferences,Credential Access,Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.,Windows,https://attack.mitre.org/techniques/T1552/006,No
-T1552.007,Unsecured Credentials: Container API,Credential Access,"Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)",Containers,https://attack.mitre.org/techniques/T1552/007,Yes
-T1553.001,Subvert Trust Controls: Gatekeeper Bypass,Defense Evasion,"Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. Apple's Gatekeeper defense program prompts user to allow or deny execution of programs downloaded from the Internet.Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won't set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise.",macOS,https://attack.mitre.org/techniques/T1553/001,No
-T1553.002,Subvert Trust Controls: Code Signing,Defense Evasion,"Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.?The certificates used during an operation may be created, acquired, or stolen by the adversary.","Windows,macOS",https://attack.mitre.org/techniques/T1553/002,No
-T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,Defense Evasion,"Adversaries may tamper with Subject Interface Packages (SIP) and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. Microsoft created software components called Subject Interface Packages (SIPs) [4] to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system.",Windows,https://attack.mitre.org/techniques/T1553/003,No
-T1553.004,Subvert Trust Controls: Install Root Certificate,Defense Evasion,Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). Certificates are commonly used for establishing secure TLS/SSL communications within a web browser.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1553/004,No
-T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,Defense Evasion,"Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)",Windows,https://attack.mitre.org/techniques/T1553/005,Yes
-T1553.006,Subvert Trust Controls: Code Signing Policy Modification,Defense Evasion,"Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.","Windows,macOS",https://attack.mitre.org/techniques/T1553/006,Yes
-T1554,Compromise Client Software Binary,Persistence,"Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1554,No
-T1555.001,Credentials from Password Stores: Keychain,Credential Access,"Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features. users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. By default, the passphrase for the keychain is the user's logon credentials.",macOS,https://attack.mitre.org/techniques/T1555/001,No
-T1555.002,Credentials from Password Stores: Securityd Memory,Credential Access,"An adversary may obtain root access (allowing them to read securityd's memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user's logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes","Linux,macOS",https://attack.mitre.org/techniques/T1555/002,No
-T1555.003,Credentials from Password Stores: Credentials from Web Browsers,Credential Access,"Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1555/003,No
-T1555.004,Credentials from Password Stores: Windows Credential Manager,Credential Access,"Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)",Windows,https://attack.mitre.org/techniques/T1555/004,Yes
-T1555.005,Credentials from Password Stores: Password Managers,Credential Access,"Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1555/005,Yes
-T1556.001,Modify Authentication Process: Domain Controller Authentication,"Credential Access,Defense Evasion,Persistence",Adversaries may patch the authentication process on a domain control to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used to inject false credentials into the authentication process on a domain control with the intent of creating a backdoor used to access any user's account and/or credentials. Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.,Windows,https://attack.mitre.org/techniques/T1556/001,Yes
-T1556.002,Modify Authentication Process: Password Filter DLL,"Credential Access,Defense Evasion,Persistence",Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains.,Windows,https://attack.mitre.org/techniques/T1556/002,Yes
-T1556.003,Modify Authentication Process: Pluggable Authentication Modules,"Credential Access,Defense Evasion,Persistence","Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. Adversaries may modify components of the PAM system to create backdoors. Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text.","Linux,macOS",https://attack.mitre.org/techniques/T1556/003,Yes
-T1556.004,Modify Authentication Process: Network Device Authentication,"Credential Access,Defense Evasion,Persistence","Adversaries may use ?Patch System Image? to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.",Network,https://attack.mitre.org/techniques/T1556/004,Yes
-T1557.001,Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,"Collection,Credential Access","Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By responding to Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.",Windows,https://attack.mitre.org/techniques/T1557/001,No
-T1557.002,Man-in-the-Middle: ARP Cache Poisoning,"Collection,Credential Access","Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment. Adversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1557/002,No
-T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,Credential Access,"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory.",Windows,https://attack.mitre.org/techniques/T1558/001,No
-T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,Credential Access,"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.",Windows,https://attack.mitre.org/techniques/T1558/002,No
-T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,Credential Access,"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.",Windows,https://attack.mitre.org/techniques/T1558/003,No
-T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,Credential Access,"Adversaries may reveal credentials of accounts that have disabled Kerberos Preauthentication by Password Cracking Kerberos messages. Preauthentication offers protection against offline Password Cracking. For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials. Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.",Windows,https://attack.mitre.org/techniques/T1558/004,No
-T1559.001,Inter-Process Communication: Component Object Model,Execution,"Adversaries may use the Windows Component Object Model (COM) for local code execution. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).",Windows,https://attack.mitre.org/techniques/T1559/001,No
-T1559.002,Inter-Process Communication: Dynamic Data Exchange,Execution,Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications.,Windows,https://attack.mitre.org/techniques/T1559/002,No
-T1560.001,Archive Collected Data: Archive via Utility,Collection,"An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip, WinRAR, and WinZip. Most utilities include functionality to encrypt and/or compress data.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1560/001,No
-T1560.002,Archive Collected Data: Archive via Library,Collection,"An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile, libzip, and zlib. Most libraries include functionality to encrypt and/or compress data.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1560/002,No
-T1560.003,Archive Collected Data: Archive via Custom Method,Collection,"An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1560/003,No
-T1561.001,Disk Wipe: Disk Content Wipe,Impact,"Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. Examples include Novetta Blockbuster Destructive Malware. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1561/001,No
-T1561.002,Disk Wipe: Disk Structure Wipe,Impact,Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1561/002,No
-T1562.001,Impair Defenses: Disable or Modify Tools,Defense Evasion,"Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.","Containers,IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1562/001,Yes
-T1562.002,Impair Defenses: Disable Windows Event Logging,Defense Evasion,Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.,Windows,https://attack.mitre.org/techniques/T1562/002,No
-T1562.003,Impair Defenses: Impair Command History Logging,Defense Evasion,"Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the ""history"" command and eventually into the ""~/.bash_history"" file when a user logs out. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1562/003,No
-T1562.004,Impair Defenses: Disable or Modify System Firewall,Defense Evasion,"Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1562/004,No
-T1562.006,Impair Defenses: Indicator Blocking,Defense Evasion,"An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering settings that control the collection and flow of event telemetry. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1562/006,No
-T1562.007,Impair Defenses: Disable or Modify Cloud Firewall,Defense Evasion,"Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls. Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",IaaS,https://attack.mitre.org/techniques/T1562/007,Yes
-T1562.008,Impair Defenses: Disable Cloud Logs,Defense Evasion,"An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities.",IaaS,https://attack.mitre.org/techniques/T1562/008,Yes
-T1563.001,Remote Service Session Hijacking: SSH Hijacking,Lateral Movement,"Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.","Linux,macOS",https://attack.mitre.org/techniques/T1563/001,No
-T1563.002,Remote Service Session Hijacking: RDP Hijacking,Lateral Movement,"Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Remote desktop allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. With System permissions and using Terminal Services Console, `c:\windows\system32\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user. This can be done remotely or locally and with active or disconnected sessions. All of this can be done by using native Windows commands",Windows,https://attack.mitre.org/techniques/T1563/002,No
-T1564.001,Hide Artifacts: Hidden Files and Directories,Defense Evasion,Adversaries may set files and directories to be hidden to evade detection mechanisms. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1564/001,No
-T1564.002,Hide Artifacts: Hidden Users,Defense Evasion,Adversaries may use hidden users in macOS to mask the presence of user accounts they create by setting the priperty value of Hide500Users to Yes. This enables adversaries to conceal user accounts.,macOS,https://attack.mitre.org/techniques/T1564/002,No
-T1564.003,Hide Artifacts: Hidden Window,Defense Evasion,"Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.","Windows,macOS",https://attack.mitre.org/techniques/T1564/003,No
-T1564.004,Hide Artifacts: NTFS File Attributes,Defense Evasion,"Adversaries may use New Technology File System (NTFS) file attributes to hide their malicious data in order to evade detection. Every NTFS formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data, that can be used to store arbitrary data (and even complete files). Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.",Windows,https://attack.mitre.org/techniques/T1564/004,No
-T1564.005,Hide Artifacts: Hidden File System,Defense Evasion,"Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Adversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1564/005,No
-T1564.006,Hide Artifacts: Run Virtual Instance,Defense Evasion,"Adversaries may carry out malicious operations using a virtual instance to avoid detection.?By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1564/006,No
-T1564.007,Hide Artifacts: VBA Stomping,Defense Evasion,"Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data. MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the VBA_PROJECT stream matches the version of the host MS Office application. An adversary may hide malicious VBA code by overwriting the VBA source code location with zero's, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If there is a version match between the VBA_PROJECT stream and host MS Office application, the p-code will be executed.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1564/007,No
-T1565.001,Data Manipulation: Stored Data Manipulation,Impact,"Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1565/001,No
-T1565.002,Data Manipulation: Transmitted Data Manipulation,Impact,"Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information.By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1565/002,No
-T1565.003,Data Manipulation: Runtime Data Manipulation,Impact,"Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user. Adversaries may alter application binaries used to display data in order to cause runtime manipulations. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1565/003,No
-T1566.001,Phishing: Spearphishing Attachment,Initial Access,"Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1566/001,No
-T1566.002,Phishing: Spearphishing Link,Initial Access,"Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.","Google Workspace,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1566/002,Yes
-T1566.003,Phishing: Spearphishing via Service,Initial Access,"Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service employs the use of third party services rather than directly via enterprise email channels. Adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. After building rapport with a target via social media, adversaries send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1566/003,No
-T1567.001,Exfiltration Over Web Service: Exfiltration to Code Repository,Exfiltration,"Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API. Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection. Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1567/001,No
-T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,Exfiltration,"Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1567/002,No
-T1568.001,Dynamic Resolution: Fast Flux DNS,Command And Control,"Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1568/001,No
-T1568.002,Dynamic Resolution: Domain Generation Algorithms,Command And Control,"Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions. Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1568/002,No
-T1568.003,Dynamic Resolution: DNS Calculation,Command And Control,"Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1568/003,No
-T1569.001,System Services: Launchctl,Execution,"Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like Launch Agent and Launch Daemon, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. Running a command from launchctl is simple and adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.",macOS,https://attack.mitre.org/techniques/T1569/001,No
-T1569.002,System Services: Service Execution,Execution,Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe. PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API. Adversaries may execute malicious content by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.,Windows,https://attack.mitre.org/techniques/T1569/002,No
-T1570,Lateral Tool Transfer,Lateral Movement,Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with SMB/Windows Admin Shares.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1570,No
-T1571,Non-Standard Port,Command And Control,"Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587, as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1571,No
-T1572,Protocol Tunneling,Command And Control,"Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. Adversaries may perform SSH tunneling (also known as SSH port forwarding), DNS over HTTPS (DoH), queries to resolve C2 communications and infrastructure.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1572,No
-T1573.001,Encrypted Channel: Symmetric Cryptography,Command And Control,"Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1573/001,No
-T1573.002,Encrypted Channel: Asymmetric Cryptography,Command And Control,"Adversaries may employ a known asymmetric encryption algorithm (also known as public key cryptography) to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Due to how the keys are generated, the sender encrypts data with the receiver's public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1573/002,No
-T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.",Windows,https://attack.mitre.org/techniques/T1574/001,No
-T1574.002,Hijack Execution Flow: DLL Side-Loading,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program. Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.",Windows,https://attack.mitre.org/techniques/T1574/002,No
-T1574.004,Hijack Execution Flow: Dylib Hijacking,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.",macOS,https://attack.mitre.org/techniques/T1574/004,No
-T1574.005,Hijack Execution Flow: Executable Installer File Permissions Weakness,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",Windows,https://attack.mitre.org/techniques/T1574/005,No
-T1574.006,Hijack Execution Flow: Dynamic Linker Hijacking,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others. Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.","Linux,macOS",https://attack.mitre.org/techniques/T1574/006,Yes
-T1574.007,Hijack Execution Flow: Path Interception by PATH Environment Variable,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.",Windows,https://attack.mitre.org/techniques/T1574/007,No
-T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.",Windows,https://attack.mitre.org/techniques/T1574/008,No
-T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",Windows,https://attack.mitre.org/techniques/T1574/009,No
-T1574.010,Hijack Execution Flow: Services File Permissions Weakness,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",Windows,https://attack.mitre.org/techniques/T1574/010,No
-T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe or Reg.",Windows,https://attack.mitre.org/techniques/T1574/011,No
-T1574.012,Hijack Execution Flow: COR_PROFILER,"Defense Evasion,Persistence,Privilege Escalation",Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges.,Windows,https://attack.mitre.org/techniques/T1574/012,No
-T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,Defense Evasion,"An adversary may create a snapshot or data backup within a cloud account to evade defenses. By first Creating a Cloud Instance, mounting one or more created snapshots to that instance, and then applying a firewall policy that allows the adversary access to the created instance, an adversary can gain inbound and outbound SSH access.",IaaS,https://attack.mitre.org/techniques/T1578/001,Yes
-T1578.002,Modify Cloud Compute Infrastructure: Create Cloud Instance,Defense Evasion,An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.,IaaS,https://attack.mitre.org/techniques/T1578/002,Yes
-T1578.003,Modify Cloud Compute Infrastructure: Delete Cloud Instance,Defense Evasion,An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.,IaaS,https://attack.mitre.org/techniques/T1578/003,Yes
-T1578.004,Modify Cloud Compute Infrastructure: Revert Cloud Instance,Defense Evasion,"An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs. Another variation of this technique is to utilize temporary storage attached to the compute instance, which often reset upon stop/restart of the VM.",IaaS,https://attack.mitre.org/techniques/T1578/004,Yes
-T1580,Cloud Infrastructure Discovery,Discovery,"An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user. The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence. This technique focuses on the discovery of components of the provided services rather than the services themselves.",IaaS,https://attack.mitre.org/techniques/T1580,Yes
-T1583.001,Acquire Infrastructure: Domains,Resource Development,"Before compromising a victim, adversaries may purchase domains that can be used during targeting. Adversaries can use purchased domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control. Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD). Typosquatting may be used to aid in delivery of payloads via Drive-by Compromise. Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.",,https://attack.mitre.org/techniques/T1583/001,No
-T1583.002,Acquire Infrastructure: DNS Server,Resource Development,"Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control. Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic. With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.",,https://attack.mitre.org/techniques/T1583/002,No
-T1583.003,Acquire Infrastructure: Virtual Private Server,Resource Development,"Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs)?that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.",,https://attack.mitre.org/techniques/T1583/003,No
-T1583.004,Acquire Infrastructure: Server,Resource Development,"Before compromising a victim, adversaries may buy, lease, or rent physical servers?that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.",,https://attack.mitre.org/techniques/T1583/004,No
-T1583.005,Acquire Infrastructure: Botnet,Resource Development,"Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems?that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Adversaries may purchase a subscription to use an existing botnet from a booter/stressor service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).",,https://attack.mitre.org/techniques/T1583/005,No
-T1583.006,Acquire Infrastructure: Web Services,Resource Development,"Before compromising a victim, adversaries may register for web services?that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",,https://attack.mitre.org/techniques/T1583/006,No
-T1584.001,Compromise Infrastructure: Domains,Resource Development,"Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. Subdomain hijacking can also occur when organizations have DNS entries that point to non-existent or de-provisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.",,https://attack.mitre.org/techniques/T1584/001,No
-T1584.002,Compromise Infrastructure: DNS Server,Resource Development,"Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control. Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary. Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.",,https://attack.mitre.org/techniques/T1584/002,No
-T1584.003,Compromise Infrastructure: Virtual Private Server,Resource Development,"Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves. Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers.",,https://attack.mitre.org/techniques/T1584/003,No
-T1584.004,Compromise Infrastructure: Server,Resource Development,"Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations.",,https://attack.mitre.org/techniques/T1584/004,No
-T1584.005,Compromise Infrastructure: Botnet,Resource Development,"Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet?that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stressor service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).",,https://attack.mitre.org/techniques/T1584/005,No
-T1584.006,Compromise Infrastructure: Web Services,Resource Development,"Before compromising a victim, adversaries may compromise access to third-party web services?that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.",,https://attack.mitre.org/techniques/T1584/006,No
-T1585.001,Establish Accounts: Social Media Accounts,Resource Development,"Before compromising a victim, adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access.",,https://attack.mitre.org/techniques/T1585/001,No
-T1585.002,Establish Accounts: Email Accounts,Resource Development,"Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure. To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.",,https://attack.mitre.org/techniques/T1585/002,No
-T1586.001,Compromise Accounts: Social Media Accounts,Resource Development,"Before compromising a victim, adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles, adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others. Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access.",,https://attack.mitre.org/techniques/T1586/001,No
-T1586.002,Compromise Accounts: Email Accounts,Resource Development,"Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure",,https://attack.mitre.org/techniques/T1586/002,No
-T1587.001,Develop Capabilities: Malware,Resource Development,"Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.",,https://attack.mitre.org/techniques/T1587/001,No
-T1587.002,Develop Capabilities: Code Signing Certificates,Resource Development,"Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.",,https://attack.mitre.org/techniques/T1587/002,No
-T1587.003,Develop Capabilities: Digital Certificates,Resource Development,"Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic or even enabling Man-in-the-Middle if added to the root of trust.",,https://attack.mitre.org/techniques/T1587/003,No
-T1587.004,Develop Capabilities: Exploits,Resource Development,"Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. An adversary may develop their own exploits. Adversaries may use exploits during various phases of the adversary lifecycle.",,https://attack.mitre.org/techniques/T1587/004,No
-T1588.001,Obtain Capabilities: Malware,Resource Development,"Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.",,https://attack.mitre.org/techniques/T1588/001,No
-T1588.002,Obtain Capabilities: Tool,Resource Development,"Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes. Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions. Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors.",,https://attack.mitre.org/techniques/T1588/002,No
-T1588.003,Obtain Capabilities: Code Signing Certificates,Resource Development,"Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.",,https://attack.mitre.org/techniques/T1588/003,No
-T1588.004,Obtain Capabilities: Digital Certificates,Resource Development,"Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic or even enabling Man-in-the-Middle if the certificate is trusted or otherwise added to the root of trust.",,https://attack.mitre.org/techniques/T1588/004,No
-T1588.005,Obtain Capabilities: Exploits,Resource Development,"Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Adversaries may use exploits during various phases of the adversary lifecycle.",,https://attack.mitre.org/techniques/T1588/005,No
-T1588.006,Obtain Capabilities: Vulnerabilities,Resource Development,"Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur.",,https://attack.mitre.org/techniques/T1588/006,No
-T1589.001,Gather Victim Identity Information: Credentials,Reconnaissance,"Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.",,https://attack.mitre.org/techniques/T1589/001,No
-T1589.002,Gather Victim Identity Information: Email Addresses,Reconnaissance,"Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.",,https://attack.mitre.org/techniques/T1589/002,No
-T1589.003,Gather Victim Identity Information: Employee Names,Reconnaissance,"Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets such as Social Media or Victim-Owned Websites.",,https://attack.mitre.org/techniques/T1589/003,No
-T1590.001,Gather Victim Network Information: Domain Properties,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information.",,https://attack.mitre.org/techniques/T1590/001,No
-T1590.002,Gather Victim Network Information: DNS,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target's subdomains, mail servers, and other hosts.",,https://attack.mitre.org/techniques/T1590/002,No
-T1590.003,Gather Victim Network Information: Network Trust Dependencies,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.",,https://attack.mitre.org/techniques/T1590/003,No
-T1590.004,Gather Victim Network Information: Network Topology,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.",,https://attack.mitre.org/techniques/T1590/004,No
-T1590.005,Gather Victim Network Information: IP Addresses,Reconnaissance,"Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.",,https://attack.mitre.org/techniques/T1590/005,No
-T1590.006,Gather Victim Network Information: Network Security Appliances,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.",,https://attack.mitre.org/techniques/T1590/006,No
-T1591.001,Gather Victim Org Information: Determine Physical Locations,Reconnaissance,"Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.",,https://attack.mitre.org/techniques/T1591/001,No
-T1591.002,Gather Victim Org Information: Business Relationships,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization's business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim's hardware and software resources.",,https://attack.mitre.org/techniques/T1591/002,No
-T1591.003,Gather Victim Org Information: Identify Business Tempo,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization's business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim's hardware and software resources.",,https://attack.mitre.org/techniques/T1591/003,No
-T1591.004,Gather Victim Org Information: Identify Roles,Reconnaissance,"Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.",,https://attack.mitre.org/techniques/T1591/004,No
-T1592.001,Gather Victim Host Information: Hardware,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).",,https://attack.mitre.org/techniques/T1592/001,No
-T1592.002,Gather Victim Host Information: Software,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).",,https://attack.mitre.org/techniques/T1592/002,No
-T1592.003,Gather Victim Host Information: Firmware,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).",,https://attack.mitre.org/techniques/T1592/003,No
-T1592.004,Gather Victim Host Information: Client Configurations,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.",,https://attack.mitre.org/techniques/T1592/004,No
-T1593.001,Search Open Websites/Domains: Social Media,Reconnaissance,"Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.",,https://attack.mitre.org/techniques/T1593/001,No
-T1593.002,Search Open Websites/Domains: Search Engines,Reconnaissance,"Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).",,https://attack.mitre.org/techniques/T1593/002,No
-T1594,Search Victim-Owned Websites,Reconnaissance,"Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also have details highlighting business operations and relationships.",,https://attack.mitre.org/techniques/T1594,No
-T1595.001,Active Scanning: Scanning IP Blocks,Reconnaissance,"Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.",,https://attack.mitre.org/techniques/T1595/001,No
-T1595.002,Active Scanning: Vulnerability Scanning,Reconnaissance,"Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.",,https://attack.mitre.org/techniques/T1595/002,No
-T1596.001,Search Open Technical Databases: DNS/Passive DNS,Reconnaissance,"Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target's subdomains, mail servers, and other hosts.",,https://attack.mitre.org/techniques/T1596/001,No
-T1596.002,Search Open Technical Databases: WHOIS,Reconnaissance,"Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: W",,https://attack.mitre.org/techniques/T1596/002,No
-T1596.003,Search Open Technical Databases: Digital Certificates,Reconnaissance,"Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.",,https://attack.mitre.org/techniques/T1596/003,No
-T1596.004,Search Open Technical Databases: CDNs,Reconnaissance,"Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor's geographical region.",,https://attack.mitre.org/techniques/T1596/004,No
-T1596.005,Search Open Technical Databases: Scan Databases,Reconnaissance,"Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)",,https://attack.mitre.org/techniques/T1596/005,No
-T1597.001,Search Closed Sources: Threat Intel Vendors,Reconnaissance,"Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.",,https://attack.mitre.org/techniques/T1597/001,No
-T1597.002,Search Closed Sources: Purchase Technical Data,Reconnaissance,"Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.",,https://attack.mitre.org/techniques/T1597/002,No
-T1598.001,Phishing for Information: Spearphishing Service,Reconnaissance,"Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",,https://attack.mitre.org/techniques/T1598/001,No
-T1598.002,Phishing for Information: Spearphishing Attachment,Reconnaissance,"Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts and/or sending multiple, seemingly urgent messages.",,https://attack.mitre.org/techniques/T1598/002,No
-T1598.003,Phishing for Information: Spearphishing Link,Reconnaissance,"Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts and/or sending multiple, seemingly urgent messages.",,https://attack.mitre.org/techniques/T1598/003,No
-T1599.001,Network Boundary Bridging: Network Address Translation Traversal,Defense Evasion,"Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. Adversaries may use Patch System Image to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.",Network,https://attack.mitre.org/techniques/T1599/001,No
-T1600.001,Weaken Encryption: Reduce Key Space,Defense Evasion,"Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications. Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key. Adversaries may modify the key size used and other encryption parameters using specialized commands in a Network Device CLI introduced to the system through Modify System Image to change the configuration of the device.",Network,https://attack.mitre.org/techniques/T1600/001,No
-T1600.002,Weaken Encryption: Disable Crypto Hardware,Defense Evasion,"Adversaries disable a network device's dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.",Network,https://attack.mitre.org/techniques/T1600/002,No
-T1601.001,Modify System Image: Patch System Image,Defense Evasion,"Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.",Network,https://attack.mitre.org/techniques/T1601/001,No
-T1601.002,Modify System Image: Downgrade System Image,Defense Evasion,"Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features.",Network,https://attack.mitre.org/techniques/T1601/002,No
-T1602.001,Data from Configuration Repository: SNMP (MIB Dump),Collection,Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).,Network,https://attack.mitre.org/techniques/T1602/001,No
-T1602.002,Data from Configuration Repository: Network Device Configuration Dump,Collection,"Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.",Network,https://attack.mitre.org/techniques/T1602/002,No
-T1606.001,Forge Web Credentials: Web Cookies,Credential Access,Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.,"Linux,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1606/001,No
-T1606.002,Forge Web Credentials: SAML Tokens,Credential Access,An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.,"Azure AD,Google Workspace,Office 365,SaaS,Windows",https://attack.mitre.org/techniques/T1606/002,No
-T1608.001,Stage Capabilities: Upload Malware,Resource Development,"Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.",,https://attack.mitre.org/techniques/T1608/001,Yes
-T1608.002,Stage Capabilities: Upload Tool,Resource Development,"Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.",,https://attack.mitre.org/techniques/T1608/002,Yes
-T1608.003,Stage Capabilities: Install Digital Certificate,Resource Development,"Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)",,https://attack.mitre.org/techniques/T1608/003,Yes
-T1608.004,Stage Capabilities: Drive-by Target,Resource Development,"Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).",,https://attack.mitre.org/techniques/T1608/004,Yes
-T1608.005,Stage Capabilities: Link Target,Resource Development,"Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.",,https://attack.mitre.org/techniques/T1608/005,Yes
-T1609,Container Administration Command,Execution,"Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)",Containers,https://attack.mitre.org/techniques/T1609,Yes
-T1610,Deploy Container,"Defense Evasion,Execution","Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.",Containers,https://attack.mitre.org/techniques/T1610,Yes
-T1611,Escape to Host,Privilege Escalation,"Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)","Containers,Linux,Windows",https://attack.mitre.org/techniques/T1611,Yes
-T1612,Build Image on Host,Defense Evasion,"Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)",Containers,https://attack.mitre.org/techniques/T1612,Yes
-T1613,Container and Resource Discovery,Discovery,"Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.",Containers,https://attack.mitre.org/techniques/T1613,Yes
-T1614,System Location Discovery,Discovery,,"IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1614,Yes
+Technique ID,Technique Name,Tactics,Technique Description,Platform,Link,Changed
+T1001.001,Data Obfuscation: Junk Data,Command And Control,"Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1001/001,No
+T1001.002,Data Obfuscation: Steganography,Command And Control,"Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1001/002,No
+T1001.003,Data Obfuscation: Protocol Impersonation,Command And Control,"Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1001/003,No
+T1003.001,OS Credential Dumping: LSASS Memory,Credential Access,Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).,Windows,https://attack.mitre.org/techniques/T1003/001,No
+T1003.002,OS Credential Dumping: Security Account Manager,Credential Access,Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.,Windows,https://attack.mitre.org/techniques/T1003/002,No
+T1003.003,OS Credential Dumping: NTDS,Credential Access,"Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.",Windows,https://attack.mitre.org/techniques/T1003/003,No
+T1003.004,OS Credential Dumping: LSA Secrets,Credential Access,"Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts",Windows,https://attack.mitre.org/techniques/T1003/004,No
+T1003.005,OS Credential Dumping: Cached Domain Credentials,Credential Access,Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.,Windows,https://attack.mitre.org/techniques/T1003/005,No
+T1003.006,OS Credential Dumping: DCSync,Credential Access,Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface to simulate the replication process from a remote domain controller using a technique called DCSync.,Windows,https://attack.mitre.org/techniques/T1003/006,No
+T1003.007,OS Credential Dumping: Proc Filesystem,Credential Access,Adversaries may gather credentials from information stored in the Proc filesystem. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system.,Linux,https://attack.mitre.org/techniques/T1003/007,No
+T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,Credential Access,Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.,Linux,https://attack.mitre.org/techniques/T1003/008,No
+T1005,Data from Local System,Collection,"Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1005,No
+T1006,Direct Volume Access,Defense Evasion,Adversaries may directly access a volume to bypass file access controls and file system monitoring.,Windows,https://attack.mitre.org/techniques/T1006,No
+T1007,System Service Discovery,Discovery,Adversaries may try to get information about registered services.,Windows,https://attack.mitre.org/techniques/T1007,No
+T1008,Fallback Channels,Command And Control,Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1008,No
+T1010,Application Window Discovery,Discovery,Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.,"Windows,macOS",https://attack.mitre.org/techniques/T1010,No
+T1011.001,Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth,Exfiltration,"Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1011/001,No
+T1012,Query Registry,Discovery,"Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",Windows,https://attack.mitre.org/techniques/T1012,No
+T1014,Rootkit,Defense Evasion,"Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1014,No
+T1016.001,System Network Configuration Discovery: Internet Connection Discovery,Discovery,"Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1016/001,Yes
+T1018,Remote System Discovery,Discovery,"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping, net view, bonjour etc.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1018,No
+T1020.001,Automated Exfiltration: Traffic Duplication,Exfiltration,"Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture or Man-in-the-Middle to achieve their objective.",Network,https://attack.mitre.org/techniques/T1020/001,No
+T1021.001,Remote Services: Remote Desktop Protocol,Lateral Movement,Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Adversaries may connect to a remote system over RDP to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.,Windows,https://attack.mitre.org/techniques/T1021/001,No
+T1021.002,Remote Services: SMB/Windows Admin Shares,Lateral Movement,Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.,Windows,https://attack.mitre.org/techniques/T1021/002,No
+T1021.003,Remote Services: Distributed Component Object Model,Lateral Movement,"Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications as well as other Windows objects that contain insecure methods. DCOM can also execute macros in existing documents and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application, bypassing the need for a malicious document.",Windows,https://attack.mitre.org/techniques/T1021/003,No
+T1021.004,Remote Services: SSH,Lateral Movement,Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.,"Linux,macOS",https://attack.mitre.org/techniques/T1021/004,No
+T1021.005,Remote Services: VNC,Lateral Movement,Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). The adversary may then perform actions as the logged-on user.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1021/005,No
+T1021.006,Remote Services: Windows Remote Management,Lateral Movement,Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.,Windows,https://attack.mitre.org/techniques/T1021/006,No
+T1025,Data from Removable Media,Collection,"Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1025,No
+T1027.001,Obfuscated Files or Information: Binary Padding,Defense Evasion,"Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1027/001,No
+T1027.002,Obfuscated Files or Information: Software Packing,Defense Evasion,Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable.?adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.,"Windows,macOS",https://attack.mitre.org/techniques/T1027/002,No
+T1027.003,Obfuscated Files or Information: Steganography,Defense Evasion,"Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1027/003,No
+T1027.004,Obfuscated Files or Information: Compile After Delivery,Defense Evasion,Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1027/004,No
+T1027.005,Obfuscated Files or Information: Indicator Removal from Tools,Defense Evasion,"Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1027/005,No
+T1029,Scheduled Transfer,Exfiltration,Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1029,No
+T1030,Data Transfer Size Limits,Exfiltration,An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1030,No
+T1033,System Owner/User Discovery,Discovery,"Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping].","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1033,No
+T1036.001,Masquerading: Invalid Code Signature,Defense Evasion,"Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.","Windows,macOS",https://attack.mitre.org/techniques/T1036/001,No
+T1036.002,Masquerading: Right-to-Left Override,Defense Evasion,Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1036/002,No
+T1036.003,Masquerading: Rename System Utilities,Defense Evasion,Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1036/003,No
+T1036.004,Masquerading: Masquerade Task or Service,Defense Evasion,Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.,"Linux,Windows",https://attack.mitre.org/techniques/T1036/004,No
+T1036.005,Masquerading: Match Legitimate Name or Location,Defense Evasion,Adversaries may match or approximate the name or location of legitimate files when naming/placing their files. This is done for the sake of evading defenses and observation.,"Containers,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1036/005,Yes
+T1036.006,Masquerading: Space after Filename,Defense Evasion,"Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.","Linux,macOS",https://attack.mitre.org/techniques/T1036/006,No
+T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),"Persistence,Privilege Escalation",Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.,Windows,https://attack.mitre.org/techniques/T1037/001,No
+T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),"Persistence,Privilege Escalation","Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike Startup Items, a login hook executes as the elevated root user.",macOS,https://attack.mitre.org/techniques/T1037/002,No
+T1037.003,Boot or Logon Initialization Scripts: Network Logon Script,"Persistence,Privilege Escalation",Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.,Windows,https://attack.mitre.org/techniques/T1037/003,No
+T1037.004,Boot or Logon Initialization Scripts: RC Scripts,"Persistence,Privilege Escalation",Adversaries may use rc.common automatically executed at boot initialization to establish persistence.,"Linux,macOS",https://attack.mitre.org/techniques/T1037/004,Yes
+T1037.005,Boot or Logon Initialization Scripts: Startup Items,"Persistence,Privilege Escalation",Adversaries may use startup items automatically executed at boot initialization to establish persistence.,macOS,https://attack.mitre.org/techniques/T1037/005,No
+T1039,Data from Network Shared Drive,Collection,Adversaries may search network shares on computers they have compromised to find files of interest.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1039,No
+T1040,Network Sniffing,"Credential Access,Discovery","Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics necessary for subsequent Lateral Movement and/or Defense Evasion activities.","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1040,Yes
+T1041,Exfiltration Over C2 Channel,Exfiltration,Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1041,No
+T1046,Network Service Scanning,Discovery,"Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.","Containers,IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1046,Yes
+T1047,Windows Management Instrumentation,Execution,"Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.",Windows,https://attack.mitre.org/techniques/T1047,No
+T1048.001,Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1048/001,No
+T1048.002,Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1048/002,No
+T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,Exfiltration,Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1048/003,No
+T1049,System Network Connections Discovery,Discovery,"Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, net use, net session, netstat, lsof, who -a and w.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1049,Yes
+T1052.001,Exfiltration Over Physical Medium: Exfiltration over USB,Exfiltration,"Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1052/001,No
+T1053.001,Scheduled Task/Job: At (Linux),"Execution,Persistence,Privilege Escalation",Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. This command within Linux operating systems enables administrators to schedule tasks. An adversary may be able to execute programs at system startup or on a scheduled basis for persistence.,Linux,https://attack.mitre.org/techniques/T1053/001,No
+T1053.002,Scheduled Task/Job: At (Windows),"Execution,Persistence,Privilege Escalation",Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.,Windows,https://attack.mitre.org/techniques/T1053/002,No
+T1053.003,Scheduled Task/Job: Cron,"Execution,Persistence,Privilege Escalation",Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence.,"Linux,macOS",https://attack.mitre.org/techniques/T1053/003,No
+T1053.004,Scheduled Task/Job: Launchd,"Execution,Persistence,Privilege Escalation","Adversaries may abuse the Launchd daemon, native to macOS, to perform task scheduling for initial or recurring execution of malicious code. An adversary may be able to schedule new executables to run at system startup or on a scheduled basis for persistence.",macOS,https://attack.mitre.org/techniques/T1053/004,No
+T1053.005,Scheduled Task/Job: Scheduled Task,"Execution,Persistence,Privilege Escalation",Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).,Windows,https://attack.mitre.org/techniques/T1053/005,No
+T1053.006,Scheduled Task/Job: Systemd Timers,"Execution,Persistence,Privilege Escalation",Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence. Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.,Linux,https://attack.mitre.org/techniques/T1053/006,No
+T1053.007,Scheduled Task/Job: Container Orchestration Job,"Execution,Persistence,Privilege Escalation","Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.",Containers,https://attack.mitre.org/techniques/T1053/007,Yes
+T1055.001,Process Injection: Dynamic-link Library Injection,"Defense Evasion,Privilege Escalation",Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/001,No
+T1055.002,Process Injection: Portable Executable Injection,"Defense Evasion,Privilege Escalation",Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/002,No
+T1055.003,Process Injection: Thread Execution Hijacking,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/003,No
+T1055.004,Process Injection: Asynchronous Procedure Call,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/004,No
+T1055.005,Process Injection: Thread Local Storage,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/005,No
+T1055.008,Process Injection: Ptrace System Calls,"Defense Evasion,Privilege Escalation",Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.,Linux,https://attack.mitre.org/techniques/T1055/008,No
+T1055.009,Process Injection: Proc Memory,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.,Linux,https://attack.mitre.org/techniques/T1055/009,No
+T1055.011,Process Injection: Extra Window Memory Injection,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/011,No
+T1055.012,Process Injection: Process Hollowing,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/012,No
+T1055.013,Process Injection: Process Doppelgänging,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into process via process Doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process Doppelganging is a method of executing arbitrary code in the address space of a separate live process.,Windows,https://attack.mitre.org/techniques/T1055/013,No
+T1055.014,Process Injection: VDSO Hijacking,"Defense Evasion,Privilege Escalation",Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.,Linux,https://attack.mitre.org/techniques/T1055/014,No
+T1056.001,Input Capture: Keylogging,"Collection,Credential Access","Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1056/001,No
+T1056.002,Input Capture: GUI Input Capture,"Collection,Credential Access","Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.","Windows,macOS",https://attack.mitre.org/techniques/T1056/002,No
+T1056.003,Input Capture: Web Portal Capture,"Collection,Credential Access","Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1056/003,No
+T1056.004,Input Capture: Credential API Hooking,"Collection,Credential Access",Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.,Windows,https://attack.mitre.org/techniques/T1056/004,No
+T1057,Process Discovery,Discovery,"Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1057,No
+T1059.001,Command and Scripting Interpreter: PowerShell,Execution,"Adversaries may abuse PowerShell commands and scripts for execution. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.",Windows,https://attack.mitre.org/techniques/T1059/001,No
+T1059.002,Command and Scripting Interpreter: AppleScript,Execution,"Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Adversaries can use osascrip to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes.",macOS,https://attack.mitre.org/techniques/T1059/002,No
+T1059.003,Command and Scripting Interpreter: Windows Command Shell,Execution,"Adversaries may abuse the Windows command shell for execution. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Adversaries may leverage cmd.exe to execute various commands and payloads.",Windows,https://attack.mitre.org/techniques/T1059/003,No
+T1059.004,Command and Scripting Interpreter: Unix Shell,Execution,"Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.","Linux,macOS",https://attack.mitre.org/techniques/T1059/004,No
+T1059.005,Command and Scripting Interpreter: Visual Basic,Execution,Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies. Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachments.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1059/005,No
+T1059.006,Command and Scripting Interpreter: Python,Execution,Adversaries may abuse Python commands and scripts for execution. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1059/006,No
+T1059.007,Command and Scripting Interpreter: JavaScript,Execution,Adversaries may abuse JavaScript and/or JScript for execution. JavaScript (JS) is a platform-agnostic scripting language commonly associated with scripts in webpages. Adversaries may abuse JavaScript / JScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1059/007,Yes
+T1059.008,Command and Scripting Interpreter: Network Device CLI,Execution,"Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.",Network,https://attack.mitre.org/techniques/T1059/008,No
+T1068,Exploitation for Privilege Escalation,Privilege Escalation,"Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. An adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. They will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.","Containers,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1068,Yes
+T1069.001,Permission Groups Discovery: Local Groups,Discovery,"Adversaries may attempt to find local system groups and permission settings via tools such as net localgroup, dscl . -list /Groups, groups. This knowledge can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1069/001,No
+T1069.002,Permission Groups Discovery: Domain Groups,Discovery,"Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1069/002,No
+T1069.003,Permission Groups Discovery: Cloud Groups,Discovery,"Adversaries may attempt to find cloud groups and permission settings via toools such as Get-MsolRole, az ad user get-member-groups etc. This knowledge can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.","Azure AD,Google Workspace,IaaS,Office 365,SaaS",https://attack.mitre.org/techniques/T1069/003,Yes
+T1070.001,Indicator Removal on Host: Clear Windows Event Logs,Defense Evasion,"Adversaries may clear Windows Event Logs to hide the activity of an intrusion. These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell",Windows,https://attack.mitre.org/techniques/T1070/001,No
+T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,Defense Evasion,Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs.,"Linux,macOS",https://attack.mitre.org/techniques/T1070/002,No
+T1070.003,Indicator Removal on Host: Clear Command History,Defense Evasion,An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1070/003,No
+T1070.004,Indicator Removal on Host: File Deletion,Defense Evasion,"Adversaries may delete files left behind by the actions of their intrusion activity to minimize the adversary's footprint. Tools such as cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools can be used.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1070/004,No
+T1070.005,Indicator Removal on Host: Network Share Connection Removal,Defense Evasion,Adversaries may remove shared connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and[Windows Admin Shares connections can be removed when no longer needed.,Windows,https://attack.mitre.org/techniques/T1070/005,No
+T1070.006,Indicator Removal on Host: Timestomp,Defense Evasion,"Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1070/006,No
+T1071.001,Application Layer Protocol: Web Protocols,Command And Control,"Adversaries may communicate by concealing their data inside application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1071/001,No
+T1071.002,Application Layer Protocol: File Transfer Protocols,Command And Control,"Adversaries may communicate by concealing their data insideapplication layer protocols such as FTP, FTPS, and TFPT associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1071/002,No
+T1071.003,Application Layer Protocol: Mail Protocols,Command And Control,"Adversaries may communicate by concealing their data inside application layer protocols such as SMTP/S, POP3/S, and IMAP associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1071/003,No
+T1071.004,Application Layer Protocol: DNS,Command And Control,"Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1071/004,No
+T1072,Software Deployment Tools,"Execution,Lateral Movement","Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1072,No
+T1074.001,Data Staged: Local Data Staging,Collection,"Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1074/001,No
+T1074.002,Data Staged: Remote Data Staging,Collection,"Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1074/002,Yes
+T1078.001,Valid Accounts: Default Accounts,"Defense Evasion,Initial Access,Persistence,Privilege Escalation","Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.","Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1078/001,Yes
+T1078.002,Valid Accounts: Domain Accounts,"Defense Evasion,Initial Access,Persistence,Privilege Escalation","Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1078/002,No
+T1078.003,Valid Accounts: Local Accounts,"Defense Evasion,Initial Access,Persistence,Privilege Escalation","Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping.","Containers,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1078/003,Yes
+T1078.004,Valid Accounts: Cloud Accounts,"Defense Evasion,Initial Access,Persistence,Privilege Escalation","Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases.","Azure AD,Google Workspace,IaaS,Office 365,SaaS",https://attack.mitre.org/techniques/T1078/004,Yes
+T1080,Taint Shared Content,Lateral Movement,"Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS",Windows,https://attack.mitre.org/techniques/T1080,No
+T1082,System Information Discovery,Discovery,"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS ""systemsetup"" command, but it requires administrative privileges. Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1082,Yes
+T1083,File and Directory Discovery,Discovery,"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use this information during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1083,No
+T1087.001,Account Discovery: Local Account,Discovery,Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1087/001,No
+T1087.002,Account Discovery: Domain Account,Discovery,Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1087/002,No
+T1087.003,Account Discovery: Email Account,Discovery,Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists.,"Google Workspace,Office 365,Windows",https://attack.mitre.org/techniques/T1087/003,Yes
+T1087.004,Account Discovery: Cloud Account,Discovery,"Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.","Azure AD,Google Workspace,IaaS,Office 365,SaaS",https://attack.mitre.org/techniques/T1087/004,Yes
+T1090.001,Proxy: Internal Proxy,Command And Control,"Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1090/001,No
+T1090.002,Proxy: External Proxy,Command And Control,"Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion. External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1090/002,No
+T1090.003,Proxy: Multi-hop Proxy,Command And Control,"To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1090/003,No
+T1090.004,Proxy: Domain Fronting,Command And Control,Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1090/004,No
+T1091,Replication Through Removable Media,"Initial Access,Lateral Movement","Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.",Windows,https://attack.mitre.org/techniques/T1091,No
+T1092,Communication Through Removable Media,Command And Control,"Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1092,No
+T1095,Non-Application Layer Protocol,Command And Control,"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive but Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1095,No
+T1098.001,Account Manipulation: Additional Cloud Credentials,Persistence,"Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials to maintain persistent access to victim Azure accounts. Azure Service Principals support both password and certificate credentials. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure powershell.","Azure AD,IaaS",https://attack.mitre.org/techniques/T1098/001,Yes
+T1098.002,Account Manipulation: Exchange Email Delegate Permissions,Persistence,"Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. This may be used in persistent threat incidents as well as Business Email Compromise incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems.","Office 365,Windows",https://attack.mitre.org/techniques/T1098/002,No
+T1098.003,Account Manipulation: Add Office 365 Global Administrator Role,Persistence,"An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role. This account modification may immediately follow or other malicious account activity.",Office 365,https://attack.mitre.org/techniques/T1098/003,No
+T1098.004,Account Manipulation: SSH Authorized Keys,Persistence,Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys< file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.,"Linux,macOS",https://attack.mitre.org/techniques/T1098/004,No
+T1102.001,Web Service: Dead Drop Resolver,Command And Control,"Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1102/001,No
+T1102.002,Web Service: Bidirectional Communication,Command And Control,"Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel such as Google and Twitter. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1102/002,No
+T1102.003,Web Service: One-Way Communication,Command And Control,"Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel such as Google and Twitter. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1102/003,No
+T1104,Multi-Stage Channels,Command And Control,"Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1104,No
+T1105,Ingress Tool Transfer,Command And Control,"Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1105,No
+T1106,Native API,Execution,"Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Adversaries may abuse these native API functions as a means of executing behaviors.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1106,No
+T1110.001,Brute Force: Password Guessing,Credential Access,Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.,"Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1110/001,Yes
+T1110.002,Brute Force: Password Cracking,Credential Access,"Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.","Azure AD,Linux,Office 365,Windows,macOS",https://attack.mitre.org/techniques/T1110/002,No
+T1110.003,Brute Force: Password Spraying,Credential Access,Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.,"Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1110/003,Yes
+T1110.004,Brute Force: Credential Stuffing,Credential Access,"Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.","Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1110/004,Yes
+T1111,Two-Factor Authentication Interception,Credential Access,"Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1111,No
+T1112,Modify Registry,Defense Evasion,"Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.",Windows,https://attack.mitre.org/techniques/T1112,No
+T1113,Screen Capture,Collection,"Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1113,No
+T1114.001,Email Collection: Local Email Collection,Collection,"Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.",Windows,https://attack.mitre.org/techniques/T1114/001,No
+T1114.002,Email Collection: Remote Email Collection,Collection,Adversaries may target an Exchange server or Office 365 to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.,"Google Workspace,Office 365,Windows",https://attack.mitre.org/techniques/T1114/002,Yes
+T1114.003,Email Collection: Email Forwarding Rule,Collection,"Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more.","Google Workspace,Office 365,Windows",https://attack.mitre.org/techniques/T1114/003,Yes
+T1115,Clipboard Data,Collection,"Adversaries may collect data stored in the clipboard from users copying information within or between applications. In Windows, Applications can access clipboard data by using the Windows API. OSX provides a native command, pbpaste to grab clipboard contents.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1115,No
+T1119,Automated Collection,Collection,"Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1119,No
+T1120,Peripheral Device Discovery,Discovery,"Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.","Windows,macOS",https://attack.mitre.org/techniques/T1120,No
+T1123,Audio Capture,Collection,"An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1123,No
+T1124,System Time Discovery,Discovery,An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.,Windows,https://attack.mitre.org/techniques/T1124,No
+T1125,Video Capture,Collection,"An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images.","Windows,macOS",https://attack.mitre.org/techniques/T1125,No
+T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,Defense Evasion,Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.,Windows,https://attack.mitre.org/techniques/T1127/001,No
+T1129,Shared Modules,Execution,Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. Adversaries may use this functionality as a way to execute arbitrary code on a victim system.,Windows,https://attack.mitre.org/techniques/T1129,No
+T1132.001,Data Encoding: Standard Encoding,Command And Control,"Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1132/001,No
+T1132.002,Data Encoding: Non-Standard Encoding,Command And Control,"Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1132/002,No
+T1133,External Remote Services,"Initial Access,Persistence","Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.","Containers,Linux,Windows",https://attack.mitre.org/techniques/T1133,Yes
+T1134.001,Access Token Manipulation: Token Impersonation/Theft,"Defense Evasion,Privilege Escalation","Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using ""DuplicateToken(Ex)"". An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",Windows,https://attack.mitre.org/techniques/T1134/001,No
+T1134.002,Access Token Manipulation: Create Process with Token,"Defense Evasion,Privilege Escalation","Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with ""DuplicateToken(Ex)"" and use it with ""CreateProcessWithTokenW"" to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.",Windows,https://attack.mitre.org/techniques/T1134/002,No
+T1134.003,Access Token Manipulation: Make and Impersonate Token,"Defense Evasion,Privilege Escalation","Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the ""LogonUser"" function. The function will return a copy of the new session's access token and the adversary can use ""SetThreadToken"" to assign the token to a thread.",Windows,https://attack.mitre.org/techniques/T1134/003,No
+T1134.004,Access Token Manipulation: Parent PID Spoofing,"Defense Evasion,Privilege Escalation","Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe",Windows,https://attack.mitre.org/techniques/T1134/004,No
+T1134.005,Access Token Manipulation: SID-History Injection,"Defense Evasion,Privilege Escalation","Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).",Windows,https://attack.mitre.org/techniques/T1134/005,No
+T1135,Network Share Discovery,Discovery,Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1135,No
+T1136.001,Create Account: Local Account,Persistence,"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1136/001,No
+T1136.002,Create Account: Domain Account,Persistence,"Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the ?net user /add /domain? command can be used to create a domain account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1136/002,No
+T1136.003,Create Account: Cloud Account,Persistence,"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.","Azure AD,Google Workspace,IaaS,Office 365",https://attack.mitre.org/techniques/T1136/003,Yes
+T1137.001,Office Application Startup: Office Template Macros,Persistence,Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts.,"Office 365,Windows",https://attack.mitre.org/techniques/T1137/001,No
+T1137.002,Office Application Startup: Office Test,Persistence,"Adversaries may abuse the Microsoft Office ""Office Test"" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.","Office 365,Windows",https://attack.mitre.org/techniques/T1137/002,No
+T1137.003,Office Application Startup: Outlook Forms,Persistence,"Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form. Once malicious forms have been added to the user's mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.","Office 365,Windows",https://attack.mitre.org/techniques/T1137/003,No
+T1137.004,Office Application Startup: Outlook Home Page,Persistence,Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.,"Office 365,Windows",https://attack.mitre.org/techniques/T1137/004,No
+T1137.005,Office Application Startup: Outlook Rules,Persistence,"Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. Once malicious rules have been added to the user's mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.","Office 365,Windows",https://attack.mitre.org/techniques/T1137/005,No
+T1137.006,Office Application Startup: Add-ins,Persistence,"Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.","Office 365,Windows",https://attack.mitre.org/techniques/T1137/006,No
+T1140,Deobfuscate/Decode Files or Information,Defense Evasion,Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016),"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1140,No
+T1176,Browser Extensions,Persistence,"Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1176,No
+T1185,Man in the Browser,Collection,"Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic.",Windows,https://attack.mitre.org/techniques/T1185,No
+T1187,Forced Authentication,Credential Access,Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system.,Windows,https://attack.mitre.org/techniques/T1187,No
+T1189,Drive-by Compromise,Initial Access,"Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token. The focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Token","Linux,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1189,No
+T1190,Exploit Public-Facing Application,Initial Access,"Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases, standard services, and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion.","Containers,IaaS,Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1190,Yes
+T1195.001,Supply Chain Compromise: Compromise Software Dependencies and Development Tools,Initial Access,Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1195/001,No
+T1195.002,Supply Chain Compromise: Compromise Software Supply Chain,Initial Access,"Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1195/002,No
+T1195.003,Supply Chain Compromise: Compromise Hardware Supply Chain,Initial Access,"Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1195/003,No
+T1197,BITS Jobs,"Defense Evasion,Persistence","Adversaries may abuse Windows Background Intelligent Transfer Service (BITS) jobs to persistently execute or clean up after malicious payloads. BITS is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model. BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background. The interface to create and manage BITS jobs is accessible through PowerShell. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.",Windows,https://attack.mitre.org/techniques/T1197,No
+T1199,Trusted Relationship,Initial Access,"Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.","IaaS,Linux,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1199,Yes
+T1200,Hardware Additions,Initial Access,"Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. Many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping, man-in-the middle encryption breaking, keystroke injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1200,No
+T1201,Password Policy Discovery,Discovery,Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1201,No
+T1202,Indirect Command Execution,Defense Evasion,"Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.",Windows,https://attack.mitre.org/techniques/T1202,No
+T1203,Exploitation for Client Execution,Execution,"Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Several types exist: Browser-based Exploitation, Office Applications and Common Third-party Applications.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1203,No
+T1204.001,User Execution: Malicious Link,Execution,An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1204/001,No
+T1204.002,User Execution: Malicious File,Execution,"An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1204/002,No
+T1204.003,User Execution: Malicious Image,Execution,"Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)","Containers,IaaS",https://attack.mitre.org/techniques/T1204/003,Yes
+T1205.001,Traffic Signaling: Port Knocking,"Command And Control,Defense Evasion,Persistence","Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.","Linux,Network,Windows,macOS",https://attack.mitre.org/techniques/T1205/001,No
+T1207,Rogue Domain Controller,Defense Evasion,"Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.",Windows,https://attack.mitre.org/techniques/T1207,No
+T1210,Exploitation of Remote Services,Lateral Movement,"Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1210,No
+T1211,Exploitation for Defense Evasion,Defense Evasion,"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.??Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1211,No
+T1212,Exploitation for Credential Access,Credential Access,"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1212,No
+T1213.001,Data from Information Repositories: Confluence,Collection,"Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as: Policies, procedures, and standards; Physical / logical network diagrams; System architecture diagrams; Source code snippets; Links to network shares and other internal resources etc.",SaaS,https://attack.mitre.org/techniques/T1213/001,No
+T1213.002,Data from Information Repositories: Sharepoint,Collection,"Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint: such as: Policies, procedures, and standards, Physical / logical network diagrams, System architecture diagrams, Technical system documentation, Testing / development credentials, Work / project schedules, Source code snippet and Links to network shares and other internal resources.","Office 365,Windows",https://attack.mitre.org/techniques/T1213/002,No
+T1216.001,Signed Script Proxy Execution: PubPrn,Defense Evasion,Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems,Windows,https://attack.mitre.org/techniques/T1216/001,No
+T1217,Browser Bookmark Discovery,Discovery,"Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1217,No
+T1218.001,Signed Binary Proxy Execution: Compiled HTML File,Defense Evasion,Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution.,Windows,https://attack.mitre.org/techniques/T1218/001,No
+T1218.002,Signed Binary Proxy Execution: Control Panel,Defense Evasion,"Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Malicious Control Panel items can be delivered via Phishing campaigns or executed as part of multi-stage malware. Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.",Windows,https://attack.mitre.org/techniques/T1218/002,No
+T1218.003,Signed Binary Proxy Execution: CMSTP,Defense Evasion,"Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.",Windows,https://attack.mitre.org/techniques/T1218/003,No
+T1218.004,Signed Binary Proxy Execution: InstallUtil,Defense Evasion,"Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute ""System.ComponentModel.RunInstaller(true)""",Windows,https://attack.mitre.org/techniques/T1218/004,No
+T1218.005,Signed Binary Proxy Execution: Mshta,Defense Evasion,"Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.",Windows,https://attack.mitre.org/techniques/T1218/005,No
+T1218.007,Signed Binary Proxy Execution: Msiexec,Defense Evasion,Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.[,Windows,https://attack.mitre.org/techniques/T1218/007,No
+T1218.008,Signed Binary Proxy Execution: Odbcconf,Defense Evasion,Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse.,Windows,https://attack.mitre.org/techniques/T1218/008,No
+T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,Defense Evasion,Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm),Windows,https://attack.mitre.org/techniques/T1218/009,No
+T1218.010,Signed Binary Proxy Execution: Regsvr32,Defense Evasion,"Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions.",Windows,https://attack.mitre.org/techniques/T1218/010,No
+T1218.011,Signed Binary Proxy Execution: Rundll32,Defense Evasion,"Adversaries may abuse rundll32.exe to proxy execution of malicious code. Rundll32.exe is commonly associated with executing DLL payloads. However, Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions.",Windows,https://attack.mitre.org/techniques/T1218/011,No
+T1218.012,Signed Binary Proxy Execution: Verclsid,Defense Evasion,Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe). Adversaries may abuse verclsid.exe to execute malicious payloads.,Windows,https://attack.mitre.org/techniques/T1218/012,No
+T1219,Remote Access Software,Command And Control,"An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1219,No
+T1220,XSL Script Processing,Defense Evasion,"Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control.",Windows,https://attack.mitre.org/techniques/T1220,No
+T1221,Template Injection,Defense Evasion,Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. This technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.,Windows,https://attack.mitre.org/techniques/T1221,No
+T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,Defense Evasion,"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.",Windows,https://attack.mitre.org/techniques/T1222/001,No
+T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,Defense Evasion,"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. Adversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via .bash_profile and .bashrc or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.","Linux,macOS",https://attack.mitre.org/techniques/T1222/002,No
+T1480.001,Execution Guardrails: Environmental Keying,Defense Evasion,Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution. Environmental keying can also be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1480/001,No
+T1482,Domain Trust Discovery,Discovery,"Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.",Windows,https://attack.mitre.org/techniques/T1482,No
+T1484.001,Domain Policy Modification: Group Policy Modification,"Defense Evasion,Privilege Escalation","Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)",Windows,https://attack.mitre.org/techniques/T1484/001,Yes
+T1484.002,Domain Policy Modification: Domain Trust Modification,"Defense Evasion,Privilege Escalation","Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.","Azure AD,Windows",https://attack.mitre.org/techniques/T1484/002,Yes
+T1485,Data Destruction,Impact,"Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1485,Yes
+T1486,Data Encrypted for Impact,Impact,Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.,"IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1486,Yes
+T1489,Service Stop,Impact,"Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1489,No
+T1490,Inhibit System Recovery,Impact,"Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete these system recovery features.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1490,No
+T1491.001,Defacement: Internal Defacement,Impact,"An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1491/001,No
+T1491.002,Defacement: External Defacement,Impact,"An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. Website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.","IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1491/002,Yes
+T1495,Firmware Corruption,Impact,"Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1495,No
+T1496,Resource Hijacking,Impact,"Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.","Containers,IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1496,Yes
+T1497.001,Virtualization/Sandbox Evasion: System Checks,"Defense Evasion,Discovery","Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1497/001,No
+T1497.002,Virtualization/Sandbox Evasion: User Activity Based Checks,"Defense Evasion,Discovery","Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1497/002,No
+T1497.003,Virtualization/Sandbox Evasion: Time Based Evasion,"Defense Evasion,Discovery",Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Asymmetric encryption algorithms ( also known as public-key cryptography) are those that use different keys on each end of the channel.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1497/003,No
+T1498.001,Network Denial of Service: Direct Network Flood,Impact,"Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well. Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1498/001,Yes
+T1498.002,Network Denial of Service: Reflection Amplification,Impact,"Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target. Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1498/002,Yes
+T1499.001,Endpoint Denial of Service: OS Exhaustion Flood,Impact,"Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1499/001,No
+T1499.002,Endpoint Denial of Service: Service Exhaustion Flood,Impact,"Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well. One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. Another variation, known as a SSL renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1499/002,Yes
+T1499.003,Endpoint Denial of Service: Application Exhaustion Flood,Impact,Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.,"Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1499/003,Yes
+T1499.004,Endpoint Denial of Service: Application or System Exploitation,Impact,"Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1499/004,Yes
+T1505.001,Server Software Component: SQL Stored Procedures,Persistence,Adversaries may abuse SQL stored procedures to establish persistent access to systems. Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers. Adversaries may craft or modify common language runtime (CLR) assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.,"Linux,Windows",https://attack.mitre.org/techniques/T1505/001,No
+T1505.002,Server Software Component: Transport Agent,Persistence,"Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server. The malicious transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.","Linux,Windows",https://attack.mitre.org/techniques/T1505/002,No
+T1505.003,Server Software Component: Web Shell,Persistence,Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1505/003,No
+T1518.001,Software Discovery: Security Software Discovery,Discovery,"Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1518/001,Yes
+T1525,Implant Internal Image,Persistence,"Adversaries may implant cloud container images with malicious code to establish persistence. Amazon Web Service (AWS) Amazon Machine Images (AMI), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.","Containers,IaaS",https://attack.mitre.org/techniques/T1525,Yes
+T1526,Cloud Service Discovery,Discovery,"An adversary may attempt to enumerate the cloud services running on a system after gaining access. Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.","Azure AD,Google Workspace,IaaS,Office 365,SaaS",https://attack.mitre.org/techniques/T1526,Yes
+T1528,Steal Application Access Token,Credential Access,Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.,"Azure AD,Google Workspace,Office 365,SaaS",https://attack.mitre.org/techniques/T1528,Yes
+T1529,System Shutdown/Reboot,Impact,"Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1529,No
+T1530,Data from Cloud Storage Object,Collection,"Adversaries may access data objects from improperly secured cloud storage. Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs.",IaaS,https://attack.mitre.org/techniques/T1530,Yes
+T1531,Account Access Removal,Impact,"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1531,No
+T1534,Internal Spearphishing,Lateral Movement,Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.,"Google Workspace,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1534,Yes
+T1535,Unused/Unsupported Cloud Regions,Defense Evasion,Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.,IaaS,https://attack.mitre.org/techniques/T1535,Yes
+T1537,Transfer Data to Cloud Account,Exfiltration,"Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.",IaaS,https://attack.mitre.org/techniques/T1537,Yes
+T1538,Cloud Service Dashboard,Discovery,"An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(","Azure AD,Google Workspace,IaaS,Office 365",https://attack.mitre.org/techniques/T1538,Yes
+T1539,Steal Web Session Cookie,Credential Access,"An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns. After an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.","Google Workspace,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1539,Yes
+T1542.001,Pre-OS Boot: System Firmware,"Defense Evasion,Persistence",Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity.,Windows,https://attack.mitre.org/techniques/T1542/001,No
+T1542.002,Pre-OS Boot: Component Firmware,"Defense Evasion,Persistence","Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",Windows,https://attack.mitre.org/techniques/T1542/002,No
+T1542.003,Pre-OS Boot: Bootkit,"Defense Evasion,Persistence","Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).","Linux,Windows",https://attack.mitre.org/techniques/T1542/003,No
+T1542.004,Pre-OS Boot: ROMMONkit,"Defense Evasion,Persistence","Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. An adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.",Network,https://attack.mitre.org/techniques/T1542/004,No
+T1542.005,Pre-OS Boot: TFTP Boot,"Defense Evasion,Persistence","Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with ?Modify System Image? to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality.",Network,https://attack.mitre.org/techniques/T1542/005,No
+T1543.001,Create or Modify System Process: Launch Agent,"Persistence,Privilege Escalation","Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent. These launch agents have property list files which point to the executables that will be launched. Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in.",macOS,https://attack.mitre.org/techniques/T1543/001,No
+T1543.002,Create or Modify System Process: Systemd Service,"Persistence,Privilege Escalation","Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.",Linux,https://attack.mitre.org/techniques/T1543/002,No
+T1543.003,Create or Modify System Process: Windows Service,"Persistence,Privilege Escalation","Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system. An adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.",Windows,https://attack.mitre.org/techniques/T1543/003,No
+T1543.004,Create or Modify System Process: Launch Daemon,"Persistence,Privilege Escalation","Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. When macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files. Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.",macOS,https://attack.mitre.org/techniques/T1543/004,No
+T1546.001,Event Triggered Execution: Change Default File Association,"Persistence,Privilege Escalation","Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.",Windows,https://attack.mitre.org/techniques/T1546/001,No
+T1546.002,Event Triggered Execution: Screensaver,"Persistence,Privilege Escalation",Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The screensaver settings are stored in the Registry. Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.,Windows,https://attack.mitre.org/techniques/T1546/002,No
+T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,"Persistence,Privilege Escalation","Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.",Windows,https://attack.mitre.org/techniques/T1546/003,No
+T1546.004,Event Triggered Execution: Unix Shell Configuration Modification,"Persistence,Privilege Escalation",Adversaries may establish persistence by executing malicious content triggered by a user's shell.?~/.bash_profile?and?~/.bashrc?are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence.,"Linux,macOS",https://attack.mitre.org/techniques/T1546/004,Yes
+T1546.005,Event Triggered Execution: Trap,"Persistence,Privilege Escalation","Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where ""command list"" will be executed when ""signals"" are received","Linux,macOS",https://attack.mitre.org/techniques/T1546/005,No
+T1546.006,Event Triggered Execution: LC_LOAD_DYLIB Addition,"Persistence,Privilege Escalation","Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn't checked at load time.",macOS,https://attack.mitre.org/techniques/T1546/006,No
+T1546.007,Event Triggered Execution: Netsh Helper DLL,"Persistence,Privilege Escalation","Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.",Windows,https://attack.mitre.org/techniques/T1546/007,No
+T1546.008,Event Triggered Execution: Accessibility Features,"Persistence,Privilege Escalation",Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.,Windows,https://attack.mitre.org/techniques/T1546/008,No
+T1546.009,Event Triggered Execution: AppCert DLLs,"Persistence,Privilege Escalation",Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key are loaded into every process that calls the ubiquitously used application programming interface (API) functions. This value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.,Windows,https://attack.mitre.org/techniques/T1546/009,No
+T1546.010,Event Triggered Execution: AppInit DLLs,"Persistence,Privilege Escalation","Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys, are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.",Windows,https://attack.mitre.org/techniques/T1546/010,No
+T1546.011,Event Triggered Execution: Application Shimming,"Persistence,Privilege Escalation","Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. Shims can also be abused to establish persistence by continuously being invoked by affected programs.",Windows,https://attack.mitre.org/techniques/T1546/011,No
+T1546.012,Event Triggered Execution: Image File Execution Options Injection,"Persistence,Privilege Escalation",Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application.?IEFO can be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation. Malware may also use IFEO to Impair Defenses by registering invalid debuggers that redirect and effectively disable various system and security applications.,Windows,https://attack.mitre.org/techniques/T1546/012,No
+T1546.013,Event Triggered Execution: PowerShell Profile,"Persistence,Privilege Escalation","Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. Adversaries may modify these profiles to include arbitrary commands, functions, modules to gain persistence. Every time a user opens a PowerShell session, the modified script will be executed. An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)",Windows,https://attack.mitre.org/techniques/T1546/013,No
+T1546.014,Event Triggered Execution: Emond,"Persistence,Privilege Escalation","Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.",macOS,https://attack.mitre.org/techniques/T1546/014,No
+T1546.015,Event Triggered Execution: Component Object Model Hijacking,"Persistence,Privilege Escalation",Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence.,Windows,https://attack.mitre.org/techniques/T1546/015,No
+T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,"Persistence,Privilege Escalation","Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the ""run keys"" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.",Windows,https://attack.mitre.org/techniques/T1547/001,No
+T1547.002,Boot or Logon Autostart Execution: Authentication Package,"Persistence,Privilege Escalation",Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry.,Windows,https://attack.mitre.org/techniques/T1547/002,No
+T1547.003,Boot or Logon Autostart Execution: Time Providers,"Persistence,Privilege Escalation","Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. Time providers are implemented as dynamic-link libraries (DLLs) that can be found in the registry. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.",Windows,https://attack.mitre.org/techniques/T1547/003,No
+T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,"Persistence,Privilege Escalation",Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.,Windows,https://attack.mitre.org/techniques/T1547/004,No
+T1547.005,Boot or Logon Autostart Execution: Security Support Provider,"Persistence,Privilege Escalation","Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.",Windows,https://attack.mitre.org/techniques/T1547/005,No
+T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,"Persistence,Privilege Escalation","Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege. Adversaries can use LKMs and Kernel Extensions to covertly persist on a system and elevate privileges.","Linux,macOS",https://attack.mitre.org/techniques/T1547/006,No
+T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,"Persistence,Privilege Escalation","Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. There are property list files (plist) that contain this information. An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine.",macOS,https://attack.mitre.org/techniques/T1547/007,No
+T1547.008,Boot or Logon Autostart Execution: LSASS Driver,"Persistence,Privilege Escalation","Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.",Windows,https://attack.mitre.org/techniques/T1547/008,No
+T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,"Persistence,Privilege Escalation",Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.,Windows,https://attack.mitre.org/techniques/T1547/009,No
+T1547.010,Boot or Logon Autostart Execution: Port Monitors,"Persistence,Privilege Escalation",Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.,Windows,https://attack.mitre.org/techniques/T1547/010,No
+T1547.011,Boot or Logon Autostart Execution: Plist Modification,"Persistence,Privilege Escalation",Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. Adversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.,macOS,https://attack.mitre.org/techniques/T1547/011,No
+T1547.012,Boot or Logon Autostart Execution: Print Processors,"Persistence,Privilege Escalation","Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. One way the print processor can be installed through the ?AddPrintProcessor? API call with an account that has ?SeLoadDriverPrivilege? enabled. The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.",Windows,https://attack.mitre.org/techniques/T1547/012,No
+T1547.013,Boot or Logon Autostart Execution: XDG Autostart Entries,"Persistence,Privilege Escalation","Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)",Linux,https://attack.mitre.org/techniques/T1547/013,Yes
+T1547.014,Boot or Logon Autostart Execution: Active Setup,"Persistence,Privilege Escalation",Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.,Windows,https://attack.mitre.org/techniques/T1547/014,Yes
+T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,"Defense Evasion,Privilege Escalation","An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user's context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. When programs need to be executed in an elevated context to function properly, the user can specify the setuid or setgid flag to be set for their own applications. Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.","Linux,macOS",https://attack.mitre.org/techniques/T1548/001,No
+T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,"Defense Evasion,Privilege Escalation","Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.",Windows,https://attack.mitre.org/techniques/T1548/002,No
+T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,"Defense Evasion,Privilege Escalation",Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.,"Linux,macOS",https://attack.mitre.org/techniques/T1548/003,No
+T1548.004,Abuse Elevation Control Mechanism: Elevated Execution with Prompt,"Defense Evasion,Privilege Escalation","Adversaries may leverage the ""AuthorizationExecuteWithPrivileges"" API to escalate privileges by prompting the user for credentials.",macOS,https://attack.mitre.org/techniques/T1548/004,No
+T1550.001,Use Alternate Authentication Material: Application Access Token,"Defense Evasion,Lateral Movement","Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS). With a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a ""refresh"" token enabling background access is awarded. Compromised access tokens may be used as an initial step in compromising other services.","Google Workspace,Office 365,SaaS",https://attack.mitre.org/techniques/T1550/001,Yes
+T1550.002,Use Alternate Authentication Material: Pass the Hash,"Defense Evasion,Lateral Movement","Adversaries may ""Pass the hash"" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. Valid password hashes for an account are captured using a Credential Access technique and can be used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.",Windows,https://attack.mitre.org/techniques/T1550/002,No
+T1550.003,Use Alternate Authentication Material: Pass the Ticket,"Defense Evasion,Lateral Movement","Adversaries may ""pass the ticket"" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access.",Windows,https://attack.mitre.org/techniques/T1550/003,No
+T1550.004,Use Alternate Authentication Material: Web Session Cookie,"Defense Evasion,Lateral Movement","Adversaries can use stolen session cookies to authenticate to web applications and services. Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.","Google Workspace,Office 365,SaaS",https://attack.mitre.org/techniques/T1550/004,Yes
+T1552.001,Unsecured Credentials: Credentials In Files,Credential Access,Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.,"Containers,IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1552/001,Yes
+T1552.002,Unsecured Credentials: Credentials in Registry,Credential Access,Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.,Windows,https://attack.mitre.org/techniques/T1552/002,No
+T1552.003,Unsecured Credentials: Bash History,Credential Access,"Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the ""history"" utility. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials.","Linux,macOS",https://attack.mitre.org/techniques/T1552/003,No
+T1552.004,Unsecured Credentials: Private Keys,Credential Access,"Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1552/004,No
+T1552.005,Unsecured Credentials: Cloud Instance Metadata API,Credential Access,"Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. Attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.",IaaS,https://attack.mitre.org/techniques/T1552/005,Yes
+T1552.006,Unsecured Credentials: Group Policy Preferences,Credential Access,Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.,Windows,https://attack.mitre.org/techniques/T1552/006,No
+T1552.007,Unsecured Credentials: Container API,Credential Access,"Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)",Containers,https://attack.mitre.org/techniques/T1552/007,Yes
+T1553.001,Subvert Trust Controls: Gatekeeper Bypass,Defense Evasion,"Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. Apple's Gatekeeper defense program prompts user to allow or deny execution of programs downloaded from the Internet.Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won't set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise.",macOS,https://attack.mitre.org/techniques/T1553/001,No
+T1553.002,Subvert Trust Controls: Code Signing,Defense Evasion,"Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.?The certificates used during an operation may be created, acquired, or stolen by the adversary.","Windows,macOS",https://attack.mitre.org/techniques/T1553/002,No
+T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,Defense Evasion,"Adversaries may tamper with Subject Interface Packages (SIP) and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. Microsoft created software components called Subject Interface Packages (SIPs) [4] to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system.",Windows,https://attack.mitre.org/techniques/T1553/003,No
+T1553.004,Subvert Trust Controls: Install Root Certificate,Defense Evasion,Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). Certificates are commonly used for establishing secure TLS/SSL communications within a web browser.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1553/004,No
+T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,Defense Evasion,"Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)",Windows,https://attack.mitre.org/techniques/T1553/005,Yes
+T1553.006,Subvert Trust Controls: Code Signing Policy Modification,Defense Evasion,"Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.","Windows,macOS",https://attack.mitre.org/techniques/T1553/006,Yes
+T1554,Compromise Client Software Binary,Persistence,"Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1554,No
+T1555.001,Credentials from Password Stores: Keychain,Credential Access,"Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features. users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. By default, the passphrase for the keychain is the user's logon credentials.",macOS,https://attack.mitre.org/techniques/T1555/001,No
+T1555.002,Credentials from Password Stores: Securityd Memory,Credential Access,"An adversary may obtain root access (allowing them to read securityd's memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user's logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes","Linux,macOS",https://attack.mitre.org/techniques/T1555/002,No
+T1555.003,Credentials from Password Stores: Credentials from Web Browsers,Credential Access,"Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1555/003,No
+T1555.004,Credentials from Password Stores: Windows Credential Manager,Credential Access,"Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)",Windows,https://attack.mitre.org/techniques/T1555/004,Yes
+T1555.005,Credentials from Password Stores: Password Managers,Credential Access,"Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1555/005,Yes
+T1556.001,Modify Authentication Process: Domain Controller Authentication,"Credential Access,Defense Evasion,Persistence",Adversaries may patch the authentication process on a domain control to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used to inject false credentials into the authentication process on a domain control with the intent of creating a backdoor used to access any user's account and/or credentials. Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.,Windows,https://attack.mitre.org/techniques/T1556/001,Yes
+T1556.002,Modify Authentication Process: Password Filter DLL,"Credential Access,Defense Evasion,Persistence",Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains.,Windows,https://attack.mitre.org/techniques/T1556/002,Yes
+T1556.003,Modify Authentication Process: Pluggable Authentication Modules,"Credential Access,Defense Evasion,Persistence","Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. Adversaries may modify components of the PAM system to create backdoors. Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text.","Linux,macOS",https://attack.mitre.org/techniques/T1556/003,Yes
+T1556.004,Modify Authentication Process: Network Device Authentication,"Credential Access,Defense Evasion,Persistence","Adversaries may use ?Patch System Image? to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.",Network,https://attack.mitre.org/techniques/T1556/004,Yes
+T1557.001,Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,"Collection,Credential Access","Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By responding to Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.",Windows,https://attack.mitre.org/techniques/T1557/001,No
+T1557.002,Man-in-the-Middle: ARP Cache Poisoning,"Collection,Credential Access","Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment. Adversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1557/002,No
+T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,Credential Access,"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory.",Windows,https://attack.mitre.org/techniques/T1558/001,No
+T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,Credential Access,"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.",Windows,https://attack.mitre.org/techniques/T1558/002,No
+T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,Credential Access,"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.",Windows,https://attack.mitre.org/techniques/T1558/003,No
+T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,Credential Access,"Adversaries may reveal credentials of accounts that have disabled Kerberos Preauthentication by Password Cracking Kerberos messages. Preauthentication offers protection against offline Password Cracking. For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials. Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.",Windows,https://attack.mitre.org/techniques/T1558/004,No
+T1559.001,Inter-Process Communication: Component Object Model,Execution,"Adversaries may use the Windows Component Object Model (COM) for local code execution. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).",Windows,https://attack.mitre.org/techniques/T1559/001,No
+T1559.002,Inter-Process Communication: Dynamic Data Exchange,Execution,Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications.,Windows,https://attack.mitre.org/techniques/T1559/002,No
+T1560.001,Archive Collected Data: Archive via Utility,Collection,"An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip, WinRAR, and WinZip. Most utilities include functionality to encrypt and/or compress data.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1560/001,No
+T1560.002,Archive Collected Data: Archive via Library,Collection,"An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile, libzip, and zlib. Most libraries include functionality to encrypt and/or compress data.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1560/002,No
+T1560.003,Archive Collected Data: Archive via Custom Method,Collection,"An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1560/003,No
+T1561.001,Disk Wipe: Disk Content Wipe,Impact,"Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. Examples include Novetta Blockbuster Destructive Malware. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1561/001,No
+T1561.002,Disk Wipe: Disk Structure Wipe,Impact,Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1561/002,No
+T1562.001,Impair Defenses: Disable or Modify Tools,Defense Evasion,"Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.","Containers,IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1562/001,Yes
+T1562.002,Impair Defenses: Disable Windows Event Logging,Defense Evasion,Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.,Windows,https://attack.mitre.org/techniques/T1562/002,No
+T1562.003,Impair Defenses: Impair Command History Logging,Defense Evasion,"Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the ""history"" command and eventually into the ""~/.bash_history"" file when a user logs out. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1562/003,No
+T1562.004,Impair Defenses: Disable or Modify System Firewall,Defense Evasion,"Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1562/004,No
+T1562.006,Impair Defenses: Indicator Blocking,Defense Evasion,"An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering settings that control the collection and flow of event telemetry. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1562/006,No
+T1562.007,Impair Defenses: Disable or Modify Cloud Firewall,Defense Evasion,"Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls. Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",IaaS,https://attack.mitre.org/techniques/T1562/007,Yes
+T1562.008,Impair Defenses: Disable Cloud Logs,Defense Evasion,"An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities.",IaaS,https://attack.mitre.org/techniques/T1562/008,Yes
+T1563.001,Remote Service Session Hijacking: SSH Hijacking,Lateral Movement,"Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.","Linux,macOS",https://attack.mitre.org/techniques/T1563/001,No
+T1563.002,Remote Service Session Hijacking: RDP Hijacking,Lateral Movement,"Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Remote desktop allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. With System permissions and using Terminal Services Console, `c:\windows\system32\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user. This can be done remotely or locally and with active or disconnected sessions. All of this can be done by using native Windows commands",Windows,https://attack.mitre.org/techniques/T1563/002,No
+T1564.001,Hide Artifacts: Hidden Files and Directories,Defense Evasion,Adversaries may set files and directories to be hidden to evade detection mechanisms. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1564/001,No
+T1564.002,Hide Artifacts: Hidden Users,Defense Evasion,Adversaries may use hidden users in macOS to mask the presence of user accounts they create by setting the priperty value of Hide500Users to Yes. This enables adversaries to conceal user accounts.,macOS,https://attack.mitre.org/techniques/T1564/002,No
+T1564.003,Hide Artifacts: Hidden Window,Defense Evasion,"Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.","Windows,macOS",https://attack.mitre.org/techniques/T1564/003,No
+T1564.004,Hide Artifacts: NTFS File Attributes,Defense Evasion,"Adversaries may use New Technology File System (NTFS) file attributes to hide their malicious data in order to evade detection. Every NTFS formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data, that can be used to store arbitrary data (and even complete files). Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.",Windows,https://attack.mitre.org/techniques/T1564/004,No
+T1564.005,Hide Artifacts: Hidden File System,Defense Evasion,"Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Adversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1564/005,No
+T1564.006,Hide Artifacts: Run Virtual Instance,Defense Evasion,"Adversaries may carry out malicious operations using a virtual instance to avoid detection.?By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1564/006,No
+T1564.007,Hide Artifacts: VBA Stomping,Defense Evasion,"Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data. MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the VBA_PROJECT stream matches the version of the host MS Office application. An adversary may hide malicious VBA code by overwriting the VBA source code location with zero's, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If there is a version match between the VBA_PROJECT stream and host MS Office application, the p-code will be executed.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1564/007,No
+T1565.001,Data Manipulation: Stored Data Manipulation,Impact,"Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1565/001,No
+T1565.002,Data Manipulation: Transmitted Data Manipulation,Impact,"Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information.By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1565/002,No
+T1565.003,Data Manipulation: Runtime Data Manipulation,Impact,"Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user. Adversaries may alter application binaries used to display data in order to cause runtime manipulations. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1565/003,No
+T1566.001,Phishing: Spearphishing Attachment,Initial Access,"Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1566/001,No
+T1566.002,Phishing: Spearphishing Link,Initial Access,"Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.","Google Workspace,Linux,Office 365,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1566/002,Yes
+T1566.003,Phishing: Spearphishing via Service,Initial Access,"Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service employs the use of third party services rather than directly via enterprise email channels. Adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. After building rapport with a target via social media, adversaries send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1566/003,No
+T1567.001,Exfiltration Over Web Service: Exfiltration to Code Repository,Exfiltration,"Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API. Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection. Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1567/001,No
+T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,Exfiltration,"Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1567/002,No
+T1568.001,Dynamic Resolution: Fast Flux DNS,Command And Control,"Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1568/001,No
+T1568.002,Dynamic Resolution: Domain Generation Algorithms,Command And Control,"Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions. Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1568/002,No
+T1568.003,Dynamic Resolution: DNS Calculation,Command And Control,"Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1568/003,No
+T1569.001,System Services: Launchctl,Execution,"Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like Launch Agent and Launch Daemon, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. Running a command from launchctl is simple and adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.",macOS,https://attack.mitre.org/techniques/T1569/001,No
+T1569.002,System Services: Service Execution,Execution,Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe. PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API. Adversaries may execute malicious content by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.,Windows,https://attack.mitre.org/techniques/T1569/002,No
+T1570,Lateral Tool Transfer,Lateral Movement,Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with SMB/Windows Admin Shares.,"Linux,Windows,macOS",https://attack.mitre.org/techniques/T1570,No
+T1571,Non-Standard Port,Command And Control,"Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587, as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1571,No
+T1572,Protocol Tunneling,Command And Control,"Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. Adversaries may perform SSH tunneling (also known as SSH port forwarding), DNS over HTTPS (DoH), queries to resolve C2 communications and infrastructure.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1572,No
+T1573.001,Encrypted Channel: Symmetric Cryptography,Command And Control,"Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1573/001,No
+T1573.002,Encrypted Channel: Asymmetric Cryptography,Command And Control,"Adversaries may employ a known asymmetric encryption algorithm (also known as public key cryptography) to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Due to how the keys are generated, the sender encrypts data with the receiver's public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data.","Linux,Windows,macOS",https://attack.mitre.org/techniques/T1573/002,No
+T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.",Windows,https://attack.mitre.org/techniques/T1574/001,No
+T1574.002,Hijack Execution Flow: DLL Side-Loading,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program. Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.",Windows,https://attack.mitre.org/techniques/T1574/002,No
+T1574.004,Hijack Execution Flow: Dylib Hijacking,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.",macOS,https://attack.mitre.org/techniques/T1574/004,No
+T1574.005,Hijack Execution Flow: Executable Installer File Permissions Weakness,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",Windows,https://attack.mitre.org/techniques/T1574/005,No
+T1574.006,Hijack Execution Flow: Dynamic Linker Hijacking,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others. Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.","Linux,macOS",https://attack.mitre.org/techniques/T1574/006,Yes
+T1574.007,Hijack Execution Flow: Path Interception by PATH Environment Variable,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.",Windows,https://attack.mitre.org/techniques/T1574/007,No
+T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.",Windows,https://attack.mitre.org/techniques/T1574/008,No
+T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",Windows,https://attack.mitre.org/techniques/T1574/009,No
+T1574.010,Hijack Execution Flow: Services File Permissions Weakness,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",Windows,https://attack.mitre.org/techniques/T1574/010,No
+T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,"Defense Evasion,Persistence,Privilege Escalation","Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe or Reg.",Windows,https://attack.mitre.org/techniques/T1574/011,No
+T1574.012,Hijack Execution Flow: COR_PROFILER,"Defense Evasion,Persistence,Privilege Escalation",Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges.,Windows,https://attack.mitre.org/techniques/T1574/012,No
+T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,Defense Evasion,"An adversary may create a snapshot or data backup within a cloud account to evade defenses. By first Creating a Cloud Instance, mounting one or more created snapshots to that instance, and then applying a firewall policy that allows the adversary access to the created instance, an adversary can gain inbound and outbound SSH access.",IaaS,https://attack.mitre.org/techniques/T1578/001,Yes
+T1578.002,Modify Cloud Compute Infrastructure: Create Cloud Instance,Defense Evasion,An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.,IaaS,https://attack.mitre.org/techniques/T1578/002,Yes
+T1578.003,Modify Cloud Compute Infrastructure: Delete Cloud Instance,Defense Evasion,An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.,IaaS,https://attack.mitre.org/techniques/T1578/003,Yes
+T1578.004,Modify Cloud Compute Infrastructure: Revert Cloud Instance,Defense Evasion,"An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs. Another variation of this technique is to utilize temporary storage attached to the compute instance, which often reset upon stop/restart of the VM.",IaaS,https://attack.mitre.org/techniques/T1578/004,Yes
+T1580,Cloud Infrastructure Discovery,Discovery,"An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user. The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence. This technique focuses on the discovery of components of the provided services rather than the services themselves.",IaaS,https://attack.mitre.org/techniques/T1580,Yes
+T1583.001,Acquire Infrastructure: Domains,Resource Development,"Before compromising a victim, adversaries may purchase domains that can be used during targeting. Adversaries can use purchased domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control. Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD). Typosquatting may be used to aid in delivery of payloads via Drive-by Compromise. Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.",,https://attack.mitre.org/techniques/T1583/001,No
+T1583.002,Acquire Infrastructure: DNS Server,Resource Development,"Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control. Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic. With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.",,https://attack.mitre.org/techniques/T1583/002,No
+T1583.003,Acquire Infrastructure: Virtual Private Server,Resource Development,"Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs)?that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.",,https://attack.mitre.org/techniques/T1583/003,No
+T1583.004,Acquire Infrastructure: Server,Resource Development,"Before compromising a victim, adversaries may buy, lease, or rent physical servers?that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.",,https://attack.mitre.org/techniques/T1583/004,No
+T1583.005,Acquire Infrastructure: Botnet,Resource Development,"Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems?that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Adversaries may purchase a subscription to use an existing botnet from a booter/stressor service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).",,https://attack.mitre.org/techniques/T1583/005,No
+T1583.006,Acquire Infrastructure: Web Services,Resource Development,"Before compromising a victim, adversaries may register for web services?that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",,https://attack.mitre.org/techniques/T1583/006,No
+T1584.001,Compromise Infrastructure: Domains,Resource Development,"Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. Subdomain hijacking can also occur when organizations have DNS entries that point to non-existent or de-provisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.",,https://attack.mitre.org/techniques/T1584/001,No
+T1584.002,Compromise Infrastructure: DNS Server,Resource Development,"Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control. Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary. Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.",,https://attack.mitre.org/techniques/T1584/002,No
+T1584.003,Compromise Infrastructure: Virtual Private Server,Resource Development,"Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves. Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers.",,https://attack.mitre.org/techniques/T1584/003,No
+T1584.004,Compromise Infrastructure: Server,Resource Development,"Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations.",,https://attack.mitre.org/techniques/T1584/004,No
+T1584.005,Compromise Infrastructure: Botnet,Resource Development,"Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet?that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stressor service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).",,https://attack.mitre.org/techniques/T1584/005,No
+T1584.006,Compromise Infrastructure: Web Services,Resource Development,"Before compromising a victim, adversaries may compromise access to third-party web services?that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.",,https://attack.mitre.org/techniques/T1584/006,No
+T1585.001,Establish Accounts: Social Media Accounts,Resource Development,"Before compromising a victim, adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access.",,https://attack.mitre.org/techniques/T1585/001,No
+T1585.002,Establish Accounts: Email Accounts,Resource Development,"Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure. To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.",,https://attack.mitre.org/techniques/T1585/002,No
+T1586.001,Compromise Accounts: Social Media Accounts,Resource Development,"Before compromising a victim, adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles, adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others. Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access.",,https://attack.mitre.org/techniques/T1586/001,No
+T1586.002,Compromise Accounts: Email Accounts,Resource Development,"Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure",,https://attack.mitre.org/techniques/T1586/002,No
+T1587.001,Develop Capabilities: Malware,Resource Development,"Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.",,https://attack.mitre.org/techniques/T1587/001,No
+T1587.002,Develop Capabilities: Code Signing Certificates,Resource Development,"Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.",,https://attack.mitre.org/techniques/T1587/002,No
+T1587.003,Develop Capabilities: Digital Certificates,Resource Development,"Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic or even enabling Man-in-the-Middle if added to the root of trust.",,https://attack.mitre.org/techniques/T1587/003,No
+T1587.004,Develop Capabilities: Exploits,Resource Development,"Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. An adversary may develop their own exploits. Adversaries may use exploits during various phases of the adversary lifecycle.",,https://attack.mitre.org/techniques/T1587/004,No
+T1588.001,Obtain Capabilities: Malware,Resource Development,"Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.",,https://attack.mitre.org/techniques/T1588/001,No
+T1588.002,Obtain Capabilities: Tool,Resource Development,"Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes. Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions. Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors.",,https://attack.mitre.org/techniques/T1588/002,No
+T1588.003,Obtain Capabilities: Code Signing Certificates,Resource Development,"Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.",,https://attack.mitre.org/techniques/T1588/003,No
+T1588.004,Obtain Capabilities: Digital Certificates,Resource Development,"Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic or even enabling Man-in-the-Middle if the certificate is trusted or otherwise added to the root of trust.",,https://attack.mitre.org/techniques/T1588/004,No
+T1588.005,Obtain Capabilities: Exploits,Resource Development,"Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Adversaries may use exploits during various phases of the adversary lifecycle.",,https://attack.mitre.org/techniques/T1588/005,No
+T1588.006,Obtain Capabilities: Vulnerabilities,Resource Development,"Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur.",,https://attack.mitre.org/techniques/T1588/006,No
+T1589.001,Gather Victim Identity Information: Credentials,Reconnaissance,"Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.",,https://attack.mitre.org/techniques/T1589/001,No
+T1589.002,Gather Victim Identity Information: Email Addresses,Reconnaissance,"Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.",,https://attack.mitre.org/techniques/T1589/002,No
+T1589.003,Gather Victim Identity Information: Employee Names,Reconnaissance,"Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets such as Social Media or Victim-Owned Websites.",,https://attack.mitre.org/techniques/T1589/003,No
+T1590.001,Gather Victim Network Information: Domain Properties,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information.",,https://attack.mitre.org/techniques/T1590/001,No
+T1590.002,Gather Victim Network Information: DNS,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target's subdomains, mail servers, and other hosts.",,https://attack.mitre.org/techniques/T1590/002,No
+T1590.003,Gather Victim Network Information: Network Trust Dependencies,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.",,https://attack.mitre.org/techniques/T1590/003,No
+T1590.004,Gather Victim Network Information: Network Topology,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.",,https://attack.mitre.org/techniques/T1590/004,No
+T1590.005,Gather Victim Network Information: IP Addresses,Reconnaissance,"Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.",,https://attack.mitre.org/techniques/T1590/005,No
+T1590.006,Gather Victim Network Information: Network Security Appliances,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.",,https://attack.mitre.org/techniques/T1590/006,No
+T1591.001,Gather Victim Org Information: Determine Physical Locations,Reconnaissance,"Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.",,https://attack.mitre.org/techniques/T1591/001,No
+T1591.002,Gather Victim Org Information: Business Relationships,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization's business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim's hardware and software resources.",,https://attack.mitre.org/techniques/T1591/002,No
+T1591.003,Gather Victim Org Information: Identify Business Tempo,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization's business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim's hardware and software resources.",,https://attack.mitre.org/techniques/T1591/003,No
+T1591.004,Gather Victim Org Information: Identify Roles,Reconnaissance,"Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.",,https://attack.mitre.org/techniques/T1591/004,No
+T1592.001,Gather Victim Host Information: Hardware,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).",,https://attack.mitre.org/techniques/T1592/001,No
+T1592.002,Gather Victim Host Information: Software,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).",,https://attack.mitre.org/techniques/T1592/002,No
+T1592.003,Gather Victim Host Information: Firmware,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).",,https://attack.mitre.org/techniques/T1592/003,No
+T1592.004,Gather Victim Host Information: Client Configurations,Reconnaissance,"Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.",,https://attack.mitre.org/techniques/T1592/004,No
+T1593.001,Search Open Websites/Domains: Social Media,Reconnaissance,"Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.",,https://attack.mitre.org/techniques/T1593/001,No
+T1593.002,Search Open Websites/Domains: Search Engines,Reconnaissance,"Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).",,https://attack.mitre.org/techniques/T1593/002,No
+T1594,Search Victim-Owned Websites,Reconnaissance,"Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also have details highlighting business operations and relationships.",,https://attack.mitre.org/techniques/T1594,No
+T1595.001,Active Scanning: Scanning IP Blocks,Reconnaissance,"Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.",,https://attack.mitre.org/techniques/T1595/001,No
+T1595.002,Active Scanning: Vulnerability Scanning,Reconnaissance,"Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.",,https://attack.mitre.org/techniques/T1595/002,No
+T1596.001,Search Open Technical Databases: DNS/Passive DNS,Reconnaissance,"Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target's subdomains, mail servers, and other hosts.",,https://attack.mitre.org/techniques/T1596/001,No
+T1596.002,Search Open Technical Databases: WHOIS,Reconnaissance,"Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: W",,https://attack.mitre.org/techniques/T1596/002,No
+T1596.003,Search Open Technical Databases: Digital Certificates,Reconnaissance,"Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.",,https://attack.mitre.org/techniques/T1596/003,No
+T1596.004,Search Open Technical Databases: CDNs,Reconnaissance,"Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor's geographical region.",,https://attack.mitre.org/techniques/T1596/004,No
+T1596.005,Search Open Technical Databases: Scan Databases,Reconnaissance,"Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)",,https://attack.mitre.org/techniques/T1596/005,No
+T1597.001,Search Closed Sources: Threat Intel Vendors,Reconnaissance,"Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.",,https://attack.mitre.org/techniques/T1597/001,No
+T1597.002,Search Closed Sources: Purchase Technical Data,Reconnaissance,"Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.",,https://attack.mitre.org/techniques/T1597/002,No
+T1598.001,Phishing for Information: Spearphishing Service,Reconnaissance,"Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",,https://attack.mitre.org/techniques/T1598/001,No
+T1598.002,Phishing for Information: Spearphishing Attachment,Reconnaissance,"Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts and/or sending multiple, seemingly urgent messages.",,https://attack.mitre.org/techniques/T1598/002,No
+T1598.003,Phishing for Information: Spearphishing Link,Reconnaissance,"Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts and/or sending multiple, seemingly urgent messages.",,https://attack.mitre.org/techniques/T1598/003,No
+T1599.001,Network Boundary Bridging: Network Address Translation Traversal,Defense Evasion,"Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. Adversaries may use Patch System Image to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.",Network,https://attack.mitre.org/techniques/T1599/001,No
+T1600.001,Weaken Encryption: Reduce Key Space,Defense Evasion,"Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications. Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key. Adversaries may modify the key size used and other encryption parameters using specialized commands in a Network Device CLI introduced to the system through Modify System Image to change the configuration of the device.",Network,https://attack.mitre.org/techniques/T1600/001,No
+T1600.002,Weaken Encryption: Disable Crypto Hardware,Defense Evasion,"Adversaries disable a network device's dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.",Network,https://attack.mitre.org/techniques/T1600/002,No
+T1601.001,Modify System Image: Patch System Image,Defense Evasion,"Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.",Network,https://attack.mitre.org/techniques/T1601/001,No
+T1601.002,Modify System Image: Downgrade System Image,Defense Evasion,"Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features.",Network,https://attack.mitre.org/techniques/T1601/002,No
+T1602.001,Data from Configuration Repository: SNMP (MIB Dump),Collection,Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).,Network,https://attack.mitre.org/techniques/T1602/001,No
+T1602.002,Data from Configuration Repository: Network Device Configuration Dump,Collection,"Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.",Network,https://attack.mitre.org/techniques/T1602/002,No
+T1606.001,Forge Web Credentials: Web Cookies,Credential Access,Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.,"Linux,SaaS,Windows,macOS",https://attack.mitre.org/techniques/T1606/001,No
+T1606.002,Forge Web Credentials: SAML Tokens,Credential Access,An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.,"Azure AD,Google Workspace,Office 365,SaaS,Windows",https://attack.mitre.org/techniques/T1606/002,No
+T1608.001,Stage Capabilities: Upload Malware,Resource Development,"Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.",,https://attack.mitre.org/techniques/T1608/001,Yes
+T1608.002,Stage Capabilities: Upload Tool,Resource Development,"Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.",,https://attack.mitre.org/techniques/T1608/002,Yes
+T1608.003,Stage Capabilities: Install Digital Certificate,Resource Development,"Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)",,https://attack.mitre.org/techniques/T1608/003,Yes
+T1608.004,Stage Capabilities: Drive-by Target,Resource Development,"Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).",,https://attack.mitre.org/techniques/T1608/004,Yes
+T1608.005,Stage Capabilities: Link Target,Resource Development,"Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.",,https://attack.mitre.org/techniques/T1608/005,Yes
+T1609,Container Administration Command,Execution,"Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)",Containers,https://attack.mitre.org/techniques/T1609,Yes
+T1610,Deploy Container,"Defense Evasion,Execution","Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.",Containers,https://attack.mitre.org/techniques/T1610,Yes
+T1611,Escape to Host,Privilege Escalation,"Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)","Containers,Linux,Windows",https://attack.mitre.org/techniques/T1611,Yes
+T1612,Build Image on Host,Defense Evasion,"Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)",Containers,https://attack.mitre.org/techniques/T1612,Yes
+T1613,Container and Resource Discovery,Discovery,"Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.",Containers,https://attack.mitre.org/techniques/T1613,Yes
+T1614,System Location Discovery,Discovery,,"IaaS,Linux,Windows,macOS",https://attack.mitre.org/techniques/T1614,Yes
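Review bot: the T1614 row at the end of this hunk has an empty "Technique Description" field while its "Changed" flag is set to Yes, so the export appears to have dropped the description for a row it considers updated; please confirm the source record and either fill the description or document that empty descriptions are expected for newly added techniques. Related, the description column is not normalised consistently across the added rows: T1608.001 through T1608.005, T1609, T1611 and T1612 keep raw markdown links such as `[Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)` and `(Citation: Docker Daemon CLI)` markers, whereas rows like T1599.001 reference "Patch System Image" as plain text. Since this file is consumed by FortiSIEM as a lookup, the generator should strip `[text](url)` down to `text` and remove `(Citation: ...)` tokens before writing the CSV, so every row follows the same convention. Minor: the T1598.002 and T1598.003 descriptions carry an unbalanced parenthesis in "(ex: Establish Accounts or Compromise Accounts and/or sending multiple, seemingly urgent messages."; if that text is copied verbatim from upstream it can stay, but a normalisation pass would be the place to catch it.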