[ { "technique_id": "T0800", "technique": "Activate Firmware Update Mode", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0800", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0801", "technique": "Monitor Process State", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0801", "tactic": [ "Collection" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0802", "technique": "Automated Collection", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0802", "tactic": [ "Collection" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Control Server" ] }, { "technique_id": "T0803", "technique": "Block Command Message", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0803", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED", "Device Configuration/Parameters" ] }, { "technique_id": "T0804", "technique": "Block Reporting Message", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0804", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED", "Input/Output Server", "Device Configuration/Parameters" ] }, { "technique_id": "T0805", "technique": "Block Serial COM", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0805", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED", "Input/Output Server", "Device Configuration/Parameters" ] }, { "technique_id": "T0806", "technique": "Brute Force I/O", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0806", "tactic": [ "Impair Process Control" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0807", "technique": "Command-Line Interface", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0807", "tactic": [ "Execution" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server" ] }, { "technique_id": "T0809", "technique": "Data Destruction", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0809", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Human-Machine Interface", "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0811", "technique": "Data from Information Repositories", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0811", "tactic": [ "Collection" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Data Historian", "Engineering Workstation", "Human-Machine Interface" ] }, { "technique_id": "T0812", "technique": "Default Credentials", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0812", "tactic": [ "Lateral Movement" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Control Server", "Engineering Workstation" ] }, { "technique_id": "T0813", "technique": "Denial of Control", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T813", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "Windows" ] }, { "technique_id": "T0814", "technique": "Denial of Service", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0814", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0815", "technique": "Denial of View", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0815", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0816", "technique": "Device Restart/Shutdown", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0816", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0817", "technique": "Drive-by Compromise", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0817", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0819", "technique": "Exploit Public-Facing Application", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0819", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface" ] }, { "technique_id": "T0820", "technique": "Exploitation for Evasion", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0820", "tactic": [ "Evasion" ], "domain": [ "ICS" ], "platform": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0821", "technique": "Modify Controller Tasking", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0821", "tactic": [ "Execution" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0822", "technique": "External Remote Services", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0822", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Input/Output Server" ] }, { "technique_id": "T0823", "technique": "Graphical User Interface", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0823", "tactic": [ "Execution" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface" ] }, { "technique_id": "T0826", "technique": "Loss of Availability", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0826", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "Windows" ] }, { "technique_id": "T0827", "technique": "Loss of Control", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0827", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0828", "technique": "Loss of Productivity and Revenue", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0828", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0829", "technique": "Loss of View", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0829", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Engineering Workstation" ] }, { "technique_id": "T0830", "technique": "Man in the Middle", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0830", "tactic": [ "Collection" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Field Controller/RTU/PLC/IED", "Human-Machine Interface" ] }, { "technique_id": "T0831", "technique": "Manipulation of Control", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0831", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0832", "technique": "Manipulation of View", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0832", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "Engineering Workstation", "Human-Machine Interface", "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0834", "technique": "Native API", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0834", "tactic": [ "Execution" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0835", "technique": "Manipulate I/O Image", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T835", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0836", "technique": "Modify Parameter", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0836", "tactic": [ "Impair Process Control" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Human-Machine Interface" ] }, { "technique_id": "T0837", "technique": "Loss of Protection", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0837", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0838", "technique": "Modify Alarm Settings", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0838", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Control Server", "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED", "Device Configuration/Parameters" ] }, { "technique_id": "T0839", "technique": "Module Firmware", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0839", "tactic": [ "Persistence", "Impair Process Control" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0840", "technique": "Network Connection Enumeration", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0840", "tactic": [ "Discovery" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface" ] }, { "technique_id": "T0842", "technique": "Network Sniffing", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0842", "tactic": [ "Discovery" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0843", "technique": "Program Download", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0843", "tactic": [ "Lateral Movement" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0845", "technique": "Program Upload", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0845", "tactic": [ "Collection" ], "domain": [ "ICS" ], "platform": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0846", "technique": "Remote System Discovery", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0846", "tactic": [ "Discovery" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Data Historian", "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED", "Human-Machine Interface" ] }, { "technique_id": "T0847", "technique": "Replication Through Removable Media", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0847", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Data Historian", "Control Server" ] }, { "technique_id": "T0848", "technique": "Rogue Master", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0848", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Control Server", "Engineering Workstation" ] }, { "technique_id": "T0849", "technique": "Masquerading", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0849", "tactic": [ "Evasion" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Control Server" ] }, { "technique_id": "T0851", "technique": "Rootkit", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0851", "tactic": [ "Evasion", "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0852", "technique": "Screen Capture", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0852", "tactic": [ "Collection" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface" ] }, { "technique_id": "T0853", "technique": "Scripting", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0853", "tactic": [ "Execution" ], "domain": [ "ICS" ], "platform": [ "Engineering Workstation" ] }, { "technique_id": "T0855", "technique": "Unauthorized Command Message", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0855", "tactic": [ "Impair Process Control" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0856", "technique": "Spoof Reporting Message", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0856", "tactic": [ "Evasion", "Impair Process Control" ], "domain": [ "ICS" ], "platform": [ "Control Server" ] }, { "technique_id": "T0857", "technique": "System Firmware", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0857", "tactic": [ "Persistence", "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED", "Input/Output Server" ] }, { "technique_id": "T0858", "technique": "Change Operating Mode", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0858", "tactic": [ "Execution", "Evasion" ], "domain": [ "ICS" ], "platform": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0859", "technique": "Valid Accounts", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0859", "tactic": [ "Persistence", "Lateral Movement" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Data Historian", "Engineering Workstation", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0860", "technique": "Wireless Compromise", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0860", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Field Controller/RTU/PLC/IED", "Input/Output Server" ] }, { "technique_id": "T0861", "technique": "Point & Tag Identification", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0861", "tactic": [ "Collection" ], "domain": [ "ICS" ], "platform": [ "Data Historian", "Control Server", "Human-Machine Interface" ] }, { "technique_id": "T0862", "technique": "Supply Chain Compromise", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0862", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0863", "technique": "User Execution", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0863", "tactic": [ "Execution" ], "domain": [ "ICS" ], "platform": [ "Engineering Workstation", "Human-Machine Interface" ] }, { "technique_id": "T0864", "technique": "Transient Cyber Asset", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0864", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Engineering Workstation" ] }, { "technique_id": "T0865", "technique": "Spearphishing Attachment", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0865", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Engineering Workstation", "Human-Machine Interface", "Control Server", "Data Historian" ] }, { "technique_id": "T0866", "technique": "Exploitation of Remote Services", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0866", "tactic": [ "Lateral Movement", "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Data Historian", "Engineering Workstation" ] }, { "technique_id": "T0867", "technique": "Lateral Tool Transfer", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0867", "tactic": [ "Lateral Movement" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Control Server", "Data Historian" ] }, { "technique_id": "T0868", "technique": "Detect Operating Mode", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0868", "tactic": [ "Collection" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0869", "technique": "Standard Application Layer Protocol", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0869", "tactic": [ "Command and Control" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Control Server", "Data Historian", "Engineering Workstation" ] }, { "technique_id": "T0871", "technique": "Execution through API", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0871", "tactic": [ "Execution" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0872", "technique": "Indicator Removal on Host", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0872", "tactic": [ "Evasion" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0873", "technique": "Project File Infection", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0873", "tactic": [ "Persistence" ], "domain": [ "ICS" ], "platform": [ "Engineering Workstation", "Human-Machine Interface" ] }, { "technique_id": "T0874", "technique": "Hooking", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0874", "tactic": [ "Execution", "Privilege Escalation" ], "domain": [ "ICS" ], "platform": [ "Engineering Workstation" ] }, { "technique_id": "T0877", "technique": "I/O Image", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0877", "tactic": [ "Collection" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0878", "technique": "Alarm Suppression", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0878", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Device Configuration/Parameters" ] }, { "technique_id": "T0879", "technique": "Damage to Property", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0879", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0880", "technique": "Loss of Safety", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0880", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0881", "technique": "Service Stop", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0881", "tactic": [ "Inhibit Response Function" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Control Server", "Data Historian", "Engineering Workstation" ] }, { "technique_id": "T0882", "technique": "Theft of Operational Information", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0882", "tactic": [ "Impact" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0883", "technique": "Internet Accessible Device", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0883", "tactic": [ "Initial Access" ], "domain": [ "ICS" ], "platform": [ "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T0884", "technique": "Connection Proxy", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0884", "tactic": [ "Command and Control" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0885", "technique": "Commonly Used Port", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0885", "tactic": [ "Command and Control" ], "domain": [ "ICS" ], "platform": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Control Server", "Engineering Workstation" ] }, { "technique_id": "T0886", "technique": "Remote Services", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0886", "tactic": [ "Initial Access", "Lateral Movement" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Control Server", "Engineering Workstation" ] }, { "technique_id": "T0887", "technique": "Wireless Sniffing", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0887", "tactic": [ "Discovery", "Collection" ], "domain": [ "ICS" ], "platform": [ "None" ] }, { "technique_id": "T0888", "technique": "Remote System Information Discovery", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0888", "tactic": [ "Discovery" ], "domain": [ "ICS" ], "platform": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0889", "technique": "Modify Program", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0889", "tactic": [ "Persistence" ], "domain": [ "ICS" ], "platform": [ "Field Controller/RTU/PLC/IED" ] }, { "technique_id": "T0890", "technique": "Exploitation for Privilege Escalation", "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0890", "tactic": [ "Privilege Escalation" ], "domain": [ "ICS" ], "platform": [ "Human-Machine Interface", "Safety Instrumented System/Protection Relay" ] }, { "technique_id": "T1001", "technique": "Data Obfuscation", "url": "https://attack.mitre.org/techniques/T1001", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1001.001", "technique": "Data Obfuscation: Junk Data", "url": "https://attack.mitre.org/techniques/T1001/001", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1001.002", "technique": "Data Obfuscation: Steganography", "url": "https://attack.mitre.org/techniques/T1001/002", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1001.003", "technique": "Data Obfuscation: Protocol Impersonation", "url": "https://attack.mitre.org/techniques/T1001/003", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1003", "technique": "OS Credential Dumping", "url": "https://attack.mitre.org/techniques/T1003", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1003.001", "technique": "OS Credential Dumping: LSASS Memory", "url": "https://attack.mitre.org/techniques/T1003/001", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1003.002", "technique": "OS Credential Dumping: Security Account Manager", "url": "https://attack.mitre.org/techniques/T1003/002", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1003.003", "technique": "OS Credential Dumping: NTDS", "url": "https://attack.mitre.org/techniques/T1003/003", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1003.004", "technique": "OS Credential Dumping: LSA Secrets", "url": "https://attack.mitre.org/techniques/T1003/004", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1003.005", "technique": "OS Credential Dumping: Cached Domain Credentials", "url": "https://attack.mitre.org/techniques/T1003/005", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1003.006", "technique": "OS Credential Dumping: DCSync", "url": "https://attack.mitre.org/techniques/T1003/006", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1003.007", "technique": "OS Credential Dumping: Proc Filesystem", "url": "https://attack.mitre.org/techniques/T1003/007", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux" ] }, { "technique_id": "T1003.008", "technique": "OS Credential Dumping: /etc/passwd and /etc/shadow", "url": "https://attack.mitre.org/techniques/T1003/008", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux" ] }, { "technique_id": "T1005", "technique": "Data from Local System", "url": "https://attack.mitre.org/techniques/T1005", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1006", "technique": "Direct Volume Access", "url": "https://attack.mitre.org/techniques/T1006", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1007", "technique": "System Service Discovery", "url": "https://attack.mitre.org/techniques/T1007", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS" ] }, { "technique_id": "T1008", "technique": "Fallback Channels", "url": "https://attack.mitre.org/techniques/T1008", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1010", "technique": "Application Window Discovery", "url": "https://attack.mitre.org/techniques/T1010", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows" ] }, { "technique_id": "T1011", "technique": "Exfiltration Over Other Network Medium", "url": "https://attack.mitre.org/techniques/T1011", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1011.001", "technique": "Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth", "url": "https://attack.mitre.org/techniques/T1011/001", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1012", "technique": "Query Registry", "url": "https://attack.mitre.org/techniques/T1012", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1014", "technique": "Rootkit", "url": "https://attack.mitre.org/techniques/T1014", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1016", "technique": "System Network Configuration Discovery", "url": "https://attack.mitre.org/techniques/T1016", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1016.001", "technique": "System Network Configuration Discovery: Internet Connection Discovery", "url": "https://attack.mitre.org/techniques/T1016/001", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1018", "technique": "Remote System Discovery", "url": "https://attack.mitre.org/techniques/T1018", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1020", "technique": "Automated Exfiltration", "url": "https://attack.mitre.org/techniques/T1020", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Network" ] }, { "technique_id": "T1020.001", "technique": "Automated Exfiltration: Traffic Duplication", "url": "https://attack.mitre.org/techniques/T1020/001", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1021", "technique": "Remote Services", "url": "https://attack.mitre.org/techniques/T1021", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1021.001", "technique": "Remote Services: Remote Desktop Protocol", "url": "https://attack.mitre.org/techniques/T1021/001", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1021.002", "technique": "Remote Services: SMB/Windows Admin Shares", "url": "https://attack.mitre.org/techniques/T1021/002", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1021.003", "technique": "Remote Services: Distributed Component Object Model", "url": "https://attack.mitre.org/techniques/T1021/003", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1021.004", "technique": "Remote Services: SSH", "url": "https://attack.mitre.org/techniques/T1021/004", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1021.005", "technique": "Remote Services: VNC", "url": "https://attack.mitre.org/techniques/T1021/005", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1021.006", "technique": "Remote Services: Windows Remote Management", "url": "https://attack.mitre.org/techniques/T1021/006", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1025", "technique": "Data from Removable Media", "url": "https://attack.mitre.org/techniques/T1025", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1027", "technique": "Obfuscated Files or Information", "url": "https://attack.mitre.org/techniques/T1027", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1027.001", "technique": "Obfuscated Files or Information: Binary Padding", "url": "https://attack.mitre.org/techniques/T1027/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1027.002", "technique": "Obfuscated Files or Information: Software Packing", "url": "https://attack.mitre.org/techniques/T1027/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows" ] }, { "technique_id": "T1027.003", "technique": "Obfuscated Files or Information: Steganography", "url": "https://attack.mitre.org/techniques/T1027/003", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1027.004", "technique": "Obfuscated Files or Information: Compile After Delivery", "url": "https://attack.mitre.org/techniques/T1027/004", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1027.005", "technique": "Obfuscated Files or Information: Indicator Removal from Tools", "url": "https://attack.mitre.org/techniques/T1027/005", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1027.006", "technique": "Obfuscated Files or Information: HTML Smuggling", "url": "https://attack.mitre.org/techniques/T1027/006", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1029", "technique": "Scheduled Transfer", "url": "https://attack.mitre.org/techniques/T1029", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1030", "technique": "Data Transfer Size Limits", "url": "https://attack.mitre.org/techniques/T1030", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1033", "technique": "System Owner/User Discovery", "url": "https://attack.mitre.org/techniques/T1033", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1036", "technique": "Masquerading", "url": "https://attack.mitre.org/techniques/T1036", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Containers" ] }, { "technique_id": "T1036.001", "technique": "Masquerading: Invalid Code Signature", "url": "https://attack.mitre.org/techniques/T1036/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows" ] }, { "technique_id": "T1036.002", "technique": "Masquerading: Right-to-Left Override", "url": "https://attack.mitre.org/techniques/T1036/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1036.003", "technique": "Masquerading: Rename System Utilities", "url": "https://attack.mitre.org/techniques/T1036/003", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1036.004", "technique": "Masquerading: Masquerade Task or Service", "url": "https://attack.mitre.org/techniques/T1036/004", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1036.005", "technique": "Masquerading: Match Legitimate Name or Location", "url": "https://attack.mitre.org/techniques/T1036/005", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Containers" ] }, { "technique_id": "T1036.006", "technique": "Masquerading: Space after Filename", "url": "https://attack.mitre.org/techniques/T1036/006", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1036.007", "technique": "Masquerading: Double File Extension", "url": "https://attack.mitre.org/techniques/T1036/007", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1037", "technique": "Boot or Logon Initialization Scripts", "url": "https://attack.mitre.org/techniques/T1037", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows", "Linux" ] }, { "technique_id": "T1037.001", "technique": "Boot or Logon Initialization Scripts: Logon Script (Windows)", "url": "https://attack.mitre.org/techniques/T1037/001", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1037.002", "technique": "Boot or Logon Initialization Scripts: Logon Script (Mac)", "url": "https://attack.mitre.org/techniques/T1037/002", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1037.003", "technique": "Boot or Logon Initialization Scripts: Network Logon Script", "url": "https://attack.mitre.org/techniques/T1037/003", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1037.004", "technique": "Boot or Logon Initialization Scripts: RC Scripts", "url": "https://attack.mitre.org/techniques/T1037/004", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Linux" ] }, { "technique_id": "T1037.005", "technique": "Boot or Logon Initialization Scripts: Startup Items", "url": "https://attack.mitre.org/techniques/T1037/005", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1039", "technique": "Data from Network Shared Drive", "url": "https://attack.mitre.org/techniques/T1039", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1040", "technique": "Network Sniffing", "url": "https://attack.mitre.org/techniques/T1040", "tactic": [ "Credential Access", "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Network" ] }, { "technique_id": "T1041", "technique": "Exfiltration Over C2 Channel", "url": "https://attack.mitre.org/techniques/T1041", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1046", "technique": "Network Service Scanning", "url": "https://attack.mitre.org/techniques/T1046", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS", "Containers" ] }, { "technique_id": "T1047", "technique": "Windows Management Instrumentation", "url": "https://attack.mitre.org/techniques/T1047", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1048", "technique": "Exfiltration Over Alternative Protocol", "url": "https://attack.mitre.org/techniques/T1048", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1048.001", "technique": "Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "url": "https://attack.mitre.org/techniques/T1048/001", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1048.002", "technique": "Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "url": "https://attack.mitre.org/techniques/T1048/002", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1048.003", "technique": "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "url": "https://attack.mitre.org/techniques/T1048/003", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1049", "technique": "System Network Connections Discovery", "url": "https://attack.mitre.org/techniques/T1049", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS" ] }, { "technique_id": "T1052", "technique": "Exfiltration Over Physical Medium", "url": "https://attack.mitre.org/techniques/T1052", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1052.001", "technique": "Exfiltration Over Physical Medium: Exfiltration over USB", "url": "https://attack.mitre.org/techniques/T1052/001", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1053", "technique": "Scheduled Task/Job", "url": "https://attack.mitre.org/techniques/T1053", "tactic": [ "Execution", "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS", "Containers" ] }, { "technique_id": "T1053.001", "technique": "Scheduled Task/Job: At (Linux)", "url": "https://attack.mitre.org/techniques/T1053/001", "tactic": [ "Execution", "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux" ] }, { "technique_id": "T1053.002", "technique": "Scheduled Task/Job: At (Windows)", "url": "https://attack.mitre.org/techniques/T1053/002", "tactic": [ "Execution", "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1053.003", "technique": "Scheduled Task/Job: Cron", "url": "https://attack.mitre.org/techniques/T1053/003", "tactic": [ "Execution", "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1053.005", "technique": "Scheduled Task/Job: Scheduled Task", "url": "https://attack.mitre.org/techniques/T1053/005", "tactic": [ "Execution", "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1053.006", "technique": "Scheduled Task/Job: Systemd Timers", "url": "https://attack.mitre.org/techniques/T1053/006", "tactic": [ "Execution", "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux" ] }, { "technique_id": "T1053.007", "technique": "Scheduled Task/Job: Container Orchestration Job", "url": "https://attack.mitre.org/techniques/T1053/007", "tactic": [ "Execution", "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Containers" ] }, { "technique_id": "T1055", "technique": "Process Injection", "url": "https://attack.mitre.org/techniques/T1055", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1055.001", "technique": "Process Injection: Dynamic-link Library Injection", "url": "https://attack.mitre.org/techniques/T1055/001", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1055.002", "technique": "Process Injection: Portable Executable Injection", "url": "https://attack.mitre.org/techniques/T1055/002", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1055.003", "technique": "Process Injection: Thread Execution Hijacking", "url": "https://attack.mitre.org/techniques/T1055/003", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1055.004", "technique": "Process Injection: Asynchronous Procedure Call", "url": "https://attack.mitre.org/techniques/T1055/004", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1055.005", "technique": "Process Injection: Thread Local Storage", "url": "https://attack.mitre.org/techniques/T1055/005", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1055.008", "technique": "Process Injection: Ptrace System Calls", "url": "https://attack.mitre.org/techniques/T1055/008", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux" ] }, { "technique_id": "T1055.009", "technique": "Process Injection: Proc Memory", "url": "https://attack.mitre.org/techniques/T1055/009", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux" ] }, { "technique_id": "T1055.011", "technique": "Process Injection: Extra Window Memory Injection", "url": "https://attack.mitre.org/techniques/T1055/011", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1055.012", "technique": "Process Injection: Process Hollowing", "url": "https://attack.mitre.org/techniques/T1055/012", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1055.013", "technique": "Process Injection: Process Doppelg\u00e4nging", "url": "https://attack.mitre.org/techniques/T1055/013", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1055.014", "technique": "Process Injection: VDSO Hijacking", "url": "https://attack.mitre.org/techniques/T1055/014", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux" ] }, { "technique_id": "T1056", "technique": "Input Capture", "url": "https://attack.mitre.org/techniques/T1056", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Network" ] }, { "technique_id": "T1056.001", "technique": "Input Capture: Keylogging", "url": "https://attack.mitre.org/techniques/T1056/001", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux", "Network" ] }, { "technique_id": "T1056.002", "technique": "Input Capture: GUI Input Capture", "url": "https://attack.mitre.org/techniques/T1056/002", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows", "Linux" ] }, { "technique_id": "T1056.003", "technique": "Input Capture: Web Portal Capture", "url": "https://attack.mitre.org/techniques/T1056/003", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1056.004", "technique": "Input Capture: Credential API Hooking", "url": "https://attack.mitre.org/techniques/T1056/004", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1057", "technique": "Process Discovery", "url": "https://attack.mitre.org/techniques/T1057", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1059", "technique": "Command and Scripting Interpreter", "url": "https://attack.mitre.org/techniques/T1059", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Network" ] }, { "technique_id": "T1059.001", "technique": "Command and Scripting Interpreter: PowerShell", "url": "https://attack.mitre.org/techniques/T1059/001", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1059.002", "technique": "Command and Scripting Interpreter: AppleScript", "url": "https://attack.mitre.org/techniques/T1059/002", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1059.003", "technique": "Command and Scripting Interpreter: Windows Command Shell", "url": "https://attack.mitre.org/techniques/T1059/003", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1059.004", "technique": "Command and Scripting Interpreter: Unix Shell", "url": "https://attack.mitre.org/techniques/T1059/004", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Linux" ] }, { "technique_id": "T1059.005", "technique": "Command and Scripting Interpreter: Visual Basic", "url": "https://attack.mitre.org/techniques/T1059/005", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1059.006", "technique": "Command and Scripting Interpreter: Python", "url": "https://attack.mitre.org/techniques/T1059/006", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1059.007", "technique": "Command and Scripting Interpreter: JavaScript", "url": "https://attack.mitre.org/techniques/T1059/007", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1059.008", "technique": "Command and Scripting Interpreter: Network Device CLI", "url": "https://attack.mitre.org/techniques/T1059/008", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1068", "technique": "Exploitation for Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1068", "tactic": [ "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Containers" ] }, { "technique_id": "T1069", "technique": "Permission Groups Discovery", "url": "https://attack.mitre.org/techniques/T1069", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1069.001", "technique": "Permission Groups Discovery: Local Groups", "url": "https://attack.mitre.org/techniques/T1069/001", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1069.002", "technique": "Permission Groups Discovery: Domain Groups", "url": "https://attack.mitre.org/techniques/T1069/002", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1069.003", "technique": "Permission Groups Discovery: Cloud Groups", "url": "https://attack.mitre.org/techniques/T1069/003", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Azure AD", "Office 365", "SaaS", "IaaS", "Google Workspace" ] }, { "technique_id": "T1070", "technique": "Indicator Removal on Host", "url": "https://attack.mitre.org/techniques/T1070", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Containers" ] }, { "technique_id": "T1070.001", "technique": "Indicator Removal on Host: Clear Windows Event Logs", "url": "https://attack.mitre.org/techniques/T1070/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1070.002", "technique": "Indicator Removal on Host: Clear Linux or Mac System Logs", "url": "https://attack.mitre.org/techniques/T1070/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1070.003", "technique": "Indicator Removal on Host: Clear Command History", "url": "https://attack.mitre.org/techniques/T1070/003", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1070.004", "technique": "Indicator Removal on Host: File Deletion", "url": "https://attack.mitre.org/techniques/T1070/004", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1070.005", "technique": "Indicator Removal on Host: Network Share Connection Removal", "url": "https://attack.mitre.org/techniques/T1070/005", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1070.006", "technique": "Indicator Removal on Host: Timestomp", "url": "https://attack.mitre.org/techniques/T1070/006", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1071", "technique": "Application Layer Protocol", "url": "https://attack.mitre.org/techniques/T1071", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1071.001", "technique": "Application Layer Protocol: Web Protocols", "url": "https://attack.mitre.org/techniques/T1071/001", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1071.002", "technique": "Application Layer Protocol: File Transfer Protocols", "url": "https://attack.mitre.org/techniques/T1071/002", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1071.003", "technique": "Application Layer Protocol: Mail Protocols", "url": "https://attack.mitre.org/techniques/T1071/003", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1071.004", "technique": "Application Layer Protocol: DNS", "url": "https://attack.mitre.org/techniques/T1071/004", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1072", "technique": "Software Deployment Tools", "url": "https://attack.mitre.org/techniques/T1072", "tactic": [ "Execution", "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1074", "technique": "Data Staged", "url": "https://attack.mitre.org/techniques/T1074", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS" ] }, { "technique_id": "T1074.001", "technique": "Data Staged: Local Data Staging", "url": "https://attack.mitre.org/techniques/T1074/001", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1074.002", "technique": "Data Staged: Remote Data Staging", "url": "https://attack.mitre.org/techniques/T1074/002", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS" ] }, { "technique_id": "T1078", "technique": "Valid Accounts", "url": "https://attack.mitre.org/techniques/T1078", "tactic": [ "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1078.001", "technique": "Valid Accounts: Default Accounts", "url": "https://attack.mitre.org/techniques/T1078/001", "tactic": [ "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1078.002", "technique": "Valid Accounts: Domain Accounts", "url": "https://attack.mitre.org/techniques/T1078/002", "tactic": [ "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1078.003", "technique": "Valid Accounts: Local Accounts", "url": "https://attack.mitre.org/techniques/T1078/003", "tactic": [ "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Containers" ] }, { "technique_id": "T1078.004", "technique": "Valid Accounts: Cloud Accounts", "url": "https://attack.mitre.org/techniques/T1078/004", "tactic": [ "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Azure AD", "Office 365", "SaaS", "IaaS", "Google Workspace" ] }, { "technique_id": "T1080", "technique": "Taint Shared Content", "url": "https://attack.mitre.org/techniques/T1080", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365", "SaaS", "Linux", "macOS" ] }, { "technique_id": "T1082", "technique": "System Information Discovery", "url": "https://attack.mitre.org/techniques/T1082", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS" ] }, { "technique_id": "T1083", "technique": "File and Directory Discovery", "url": "https://attack.mitre.org/techniques/T1083", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1087", "technique": "Account Discovery", "url": "https://attack.mitre.org/techniques/T1087", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1087.001", "technique": "Account Discovery: Local Account", "url": "https://attack.mitre.org/techniques/T1087/001", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1087.002", "technique": "Account Discovery: Domain Account", "url": "https://attack.mitre.org/techniques/T1087/002", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1087.003", "technique": "Account Discovery: Email Account", "url": "https://attack.mitre.org/techniques/T1087/003", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365", "Google Workspace" ] }, { "technique_id": "T1087.004", "technique": "Account Discovery: Cloud Account", "url": "https://attack.mitre.org/techniques/T1087/004", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Azure AD", "Office 365", "SaaS", "IaaS", "Google Workspace" ] }, { "technique_id": "T1090", "technique": "Proxy", "url": "https://attack.mitre.org/techniques/T1090", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Network" ] }, { "technique_id": "T1090.001", "technique": "Proxy: Internal Proxy", "url": "https://attack.mitre.org/techniques/T1090/001", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1090.002", "technique": "Proxy: External Proxy", "url": "https://attack.mitre.org/techniques/T1090/002", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1090.003", "technique": "Proxy: Multi-hop Proxy", "url": "https://attack.mitre.org/techniques/T1090/003", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Network" ] }, { "technique_id": "T1090.004", "technique": "Proxy: Domain Fronting", "url": "https://attack.mitre.org/techniques/T1090/004", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1091", "technique": "Replication Through Removable Media", "url": "https://attack.mitre.org/techniques/T1091", "tactic": [ "Lateral Movement", "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1092", "technique": "Communication Through Removable Media", "url": "https://attack.mitre.org/techniques/T1092", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1095", "technique": "Non-Application Layer Protocol", "url": "https://attack.mitre.org/techniques/T1095", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS", "Network" ] }, { "technique_id": "T1098", "technique": "Account Manipulation", "url": "https://attack.mitre.org/techniques/T1098", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1098.001", "technique": "Account Manipulation: Additional Cloud Credentials", "url": "https://attack.mitre.org/techniques/T1098/001", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "IaaS", "Azure AD" ] }, { "technique_id": "T1098.002", "technique": "Account Manipulation: Exchange Email Delegate Permissions", "url": "https://attack.mitre.org/techniques/T1098/002", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365" ] }, { "technique_id": "T1098.003", "technique": "Account Manipulation: Add Office 365 Global Administrator Role", "url": "https://attack.mitre.org/techniques/T1098/003", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Office 365" ] }, { "technique_id": "T1098.004", "technique": "Account Manipulation: SSH Authorized Keys", "url": "https://attack.mitre.org/techniques/T1098/004", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1102", "technique": "Web Service", "url": "https://attack.mitre.org/techniques/T1102", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1102.001", "technique": "Web Service: Dead Drop Resolver", "url": "https://attack.mitre.org/techniques/T1102/001", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1102.002", "technique": "Web Service: Bidirectional Communication", "url": "https://attack.mitre.org/techniques/T1102/002", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1102.003", "technique": "Web Service: One-Way Communication", "url": "https://attack.mitre.org/techniques/T1102/003", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1104", "technique": "Multi-Stage Channels", "url": "https://attack.mitre.org/techniques/T1104", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1105", "technique": "Ingress Tool Transfer", "url": "https://attack.mitre.org/techniques/T1105", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1106", "technique": "Native API", "url": "https://attack.mitre.org/techniques/T1106", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1110", "technique": "Brute Force", "url": "https://attack.mitre.org/techniques/T1110", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1110.001", "technique": "Brute Force: Password Guessing", "url": "https://attack.mitre.org/techniques/T1110/001", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1110.002", "technique": "Brute Force: Password Cracking", "url": "https://attack.mitre.org/techniques/T1110/002", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Office 365", "Azure AD" ] }, { "technique_id": "T1110.003", "technique": "Brute Force: Password Spraying", "url": "https://attack.mitre.org/techniques/T1110/003", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1110.004", "technique": "Brute Force: Credential Stuffing", "url": "https://attack.mitre.org/techniques/T1110/004", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1111", "technique": "Two-Factor Authentication Interception", "url": "https://attack.mitre.org/techniques/T1111", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1112", "technique": "Modify Registry", "url": "https://attack.mitre.org/techniques/T1112", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1113", "technique": "Screen Capture", "url": "https://attack.mitre.org/techniques/T1113", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1114", "technique": "Email Collection", "url": "https://attack.mitre.org/techniques/T1114", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365", "Google Workspace", "macOS", "Linux" ] }, { "technique_id": "T1114.001", "technique": "Email Collection: Local Email Collection", "url": "https://attack.mitre.org/techniques/T1114/001", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1114.002", "technique": "Email Collection: Remote Email Collection", "url": "https://attack.mitre.org/techniques/T1114/002", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Office 365", "Windows", "Google Workspace" ] }, { "technique_id": "T1114.003", "technique": "Email Collection: Email Forwarding Rule", "url": "https://attack.mitre.org/techniques/T1114/003", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Office 365", "Windows", "Google Workspace", "macOS", "Linux" ] }, { "technique_id": "T1115", "technique": "Clipboard Data", "url": "https://attack.mitre.org/techniques/T1115", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1119", "technique": "Automated Collection", "url": "https://attack.mitre.org/techniques/T1119", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1120", "technique": "Peripheral Device Discovery", "url": "https://attack.mitre.org/techniques/T1120", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS" ] }, { "technique_id": "T1123", "technique": "Audio Capture", "url": "https://attack.mitre.org/techniques/T1123", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1124", "technique": "System Time Discovery", "url": "https://attack.mitre.org/techniques/T1124", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1125", "technique": "Video Capture", "url": "https://attack.mitre.org/techniques/T1125", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS" ] }, { "technique_id": "T1127", "technique": "Trusted Developer Utilities Proxy Execution", "url": "https://attack.mitre.org/techniques/T1127", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1127.001", "technique": "Trusted Developer Utilities Proxy Execution: MSBuild", "url": "https://attack.mitre.org/techniques/T1127/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1129", "technique": "Shared Modules", "url": "https://attack.mitre.org/techniques/T1129", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1132", "technique": "Data Encoding", "url": "https://attack.mitre.org/techniques/T1132", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1132.001", "technique": "Data Encoding: Standard Encoding", "url": "https://attack.mitre.org/techniques/T1132/001", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1132.002", "technique": "Data Encoding: Non-Standard Encoding", "url": "https://attack.mitre.org/techniques/T1132/002", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1133", "technique": "External Remote Services", "url": "https://attack.mitre.org/techniques/T1133", "tactic": [ "Persistence", "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "Containers", "macOS" ] }, { "technique_id": "T1134", "technique": "Access Token Manipulation", "url": "https://attack.mitre.org/techniques/T1134", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1134.001", "technique": "Access Token Manipulation: Token Impersonation/Theft", "url": "https://attack.mitre.org/techniques/T1134/001", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1134.002", "technique": "Access Token Manipulation: Create Process with Token", "url": "https://attack.mitre.org/techniques/T1134/002", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1134.003", "technique": "Access Token Manipulation: Make and Impersonate Token", "url": "https://attack.mitre.org/techniques/T1134/003", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1134.004", "technique": "Access Token Manipulation: Parent PID Spoofing", "url": "https://attack.mitre.org/techniques/T1134/004", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1134.005", "technique": "Access Token Manipulation: SID-History Injection", "url": "https://attack.mitre.org/techniques/T1134/005", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1135", "technique": "Network Share Discovery", "url": "https://attack.mitre.org/techniques/T1135", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows", "Linux" ] }, { "technique_id": "T1136", "technique": "Create Account", "url": "https://attack.mitre.org/techniques/T1136", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1136.001", "technique": "Create Account: Local Account", "url": "https://attack.mitre.org/techniques/T1136/001", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1136.002", "technique": "Create Account: Domain Account", "url": "https://attack.mitre.org/techniques/T1136/002", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1136.003", "technique": "Create Account: Cloud Account", "url": "https://attack.mitre.org/techniques/T1136/003", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Azure AD", "Office 365", "IaaS", "Google Workspace" ] }, { "technique_id": "T1137", "technique": "Office Application Startup", "url": "https://attack.mitre.org/techniques/T1137", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365" ] }, { "technique_id": "T1137.001", "technique": "Office Application Startup: Office Template Macros", "url": "https://attack.mitre.org/techniques/T1137/001", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365" ] }, { "technique_id": "T1137.002", "technique": "Office Application Startup: Office Test", "url": "https://attack.mitre.org/techniques/T1137/002", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365" ] }, { "technique_id": "T1137.003", "technique": "Office Application Startup: Outlook Forms", "url": "https://attack.mitre.org/techniques/T1137/003", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365" ] }, { "technique_id": "T1137.004", "technique": "Office Application Startup: Outlook Home Page", "url": "https://attack.mitre.org/techniques/T1137/004", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365" ] }, { "technique_id": "T1137.005", "technique": "Office Application Startup: Outlook Rules", "url": "https://attack.mitre.org/techniques/T1137/005", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365" ] }, { "technique_id": "T1137.006", "technique": "Office Application Startup: Add-ins", "url": "https://attack.mitre.org/techniques/T1137/006", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365" ] }, { "technique_id": "T1140", "technique": "Deobfuscate/Decode Files or Information", "url": "https://attack.mitre.org/techniques/T1140", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1176", "technique": "Browser Extensions", "url": "https://attack.mitre.org/techniques/T1176", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1185", "technique": "Browser Session Hijacking", "url": "https://attack.mitre.org/techniques/T1185", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1187", "technique": "Forced Authentication", "url": "https://attack.mitre.org/techniques/T1187", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1189", "technique": "Drive-by Compromise", "url": "https://attack.mitre.org/techniques/T1189", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS", "SaaS" ] }, { "technique_id": "T1190", "technique": "Exploit Public-Facing Application", "url": "https://attack.mitre.org/techniques/T1190", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Network", "Linux", "macOS", "Containers" ] }, { "technique_id": "T1195", "technique": "Supply Chain Compromise", "url": "https://attack.mitre.org/techniques/T1195", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1195.001", "technique": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", "url": "https://attack.mitre.org/techniques/T1195/001", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1195.002", "technique": "Supply Chain Compromise: Compromise Software Supply Chain", "url": "https://attack.mitre.org/techniques/T1195/002", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1195.003", "technique": "Supply Chain Compromise: Compromise Hardware Supply Chain", "url": "https://attack.mitre.org/techniques/T1195/003", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1197", "technique": "BITS Jobs", "url": "https://attack.mitre.org/techniques/T1197", "tactic": [ "Defense Evasion", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1199", "technique": "Trusted Relationship", "url": "https://attack.mitre.org/techniques/T1199", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "SaaS", "IaaS", "Linux", "macOS" ] }, { "technique_id": "T1200", "technique": "Hardware Additions", "url": "https://attack.mitre.org/techniques/T1200", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1201", "technique": "Password Policy Discovery", "url": "https://attack.mitre.org/techniques/T1201", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS", "IaaS" ] }, { "technique_id": "T1202", "technique": "Indirect Command Execution", "url": "https://attack.mitre.org/techniques/T1202", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1203", "technique": "Exploitation for Client Execution", "url": "https://attack.mitre.org/techniques/T1203", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1204", "technique": "User Execution", "url": "https://attack.mitre.org/techniques/T1204", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS", "IaaS", "Containers" ] }, { "technique_id": "T1204.001", "technique": "User Execution: Malicious Link", "url": "https://attack.mitre.org/techniques/T1204/001", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1204.002", "technique": "User Execution: Malicious File", "url": "https://attack.mitre.org/techniques/T1204/002", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1204.003", "technique": "User Execution: Malicious Image", "url": "https://attack.mitre.org/techniques/T1204/003", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "IaaS", "Containers" ] }, { "technique_id": "T1205", "technique": "Traffic Signaling", "url": "https://attack.mitre.org/techniques/T1205", "tactic": [ "Defense Evasion", "Persistence", "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Network" ] }, { "technique_id": "T1205.001", "technique": "Traffic Signaling: Port Knocking", "url": "https://attack.mitre.org/techniques/T1205/001", "tactic": [ "Defense Evasion", "Persistence", "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Network" ] }, { "technique_id": "T1207", "technique": "Rogue Domain Controller", "url": "https://attack.mitre.org/techniques/T1207", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1210", "technique": "Exploitation of Remote Services", "url": "https://attack.mitre.org/techniques/T1210", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1211", "technique": "Exploitation for Defense Evasion", "url": "https://attack.mitre.org/techniques/T1211", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1212", "technique": "Exploitation for Credential Access", "url": "https://attack.mitre.org/techniques/T1212", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1213", "technique": "Data from Information Repositories", "url": "https://attack.mitre.org/techniques/T1213", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS", "SaaS", "Office 365", "Google Workspace", "IaaS" ] }, { "technique_id": "T1213.001", "technique": "Data from Information Repositories: Confluence", "url": "https://attack.mitre.org/techniques/T1213/001", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "SaaS" ] }, { "technique_id": "T1213.002", "technique": "Data from Information Repositories: Sharepoint", "url": "https://attack.mitre.org/techniques/T1213/002", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365" ] }, { "technique_id": "T1213.003", "technique": "Data from Information Repositories: Code Repositories", "url": "https://attack.mitre.org/techniques/T1213/003", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "SaaS" ] }, { "technique_id": "T1216", "technique": "Signed Script Proxy Execution", "url": "https://attack.mitre.org/techniques/T1216", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1216.001", "technique": "Signed Script Proxy Execution: PubPrn", "url": "https://attack.mitre.org/techniques/T1216/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1217", "technique": "Browser Bookmark Discovery", "url": "https://attack.mitre.org/techniques/T1217", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1218", "technique": "Signed Binary Proxy Execution", "url": "https://attack.mitre.org/techniques/T1218", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.001", "technique": "Signed Binary Proxy Execution: Compiled HTML File", "url": "https://attack.mitre.org/techniques/T1218/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.002", "technique": "Signed Binary Proxy Execution: Control Panel", "url": "https://attack.mitre.org/techniques/T1218/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.003", "technique": "Signed Binary Proxy Execution: CMSTP", "url": "https://attack.mitre.org/techniques/T1218/003", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.004", "technique": "Signed Binary Proxy Execution: InstallUtil", "url": "https://attack.mitre.org/techniques/T1218/004", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.005", "technique": "Signed Binary Proxy Execution: Mshta", "url": "https://attack.mitre.org/techniques/T1218/005", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.007", "technique": "Signed Binary Proxy Execution: Msiexec", "url": "https://attack.mitre.org/techniques/T1218/007", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.008", "technique": "Signed Binary Proxy Execution: Odbcconf", "url": "https://attack.mitre.org/techniques/T1218/008", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.009", "technique": "Signed Binary Proxy Execution: Regsvcs/Regasm", "url": "https://attack.mitre.org/techniques/T1218/009", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.010", "technique": "Signed Binary Proxy Execution: Regsvr32", "url": "https://attack.mitre.org/techniques/T1218/010", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.011", "technique": "Signed Binary Proxy Execution: Rundll32", "url": "https://attack.mitre.org/techniques/T1218/011", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.012", "technique": "Signed Binary Proxy Execution: Verclsid", "url": "https://attack.mitre.org/techniques/T1218/012", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.013", "technique": "Signed Binary Proxy Execution: Mavinject", "url": "https://attack.mitre.org/techniques/T1218/013", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1218.014", "technique": "Signed Binary Proxy Execution: MMC", "url": "https://attack.mitre.org/techniques/T1218/014", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1219", "technique": "Remote Access Software", "url": "https://attack.mitre.org/techniques/T1219", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1220", "technique": "XSL Script Processing", "url": "https://attack.mitre.org/techniques/T1220", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1221", "technique": "Template Injection", "url": "https://attack.mitre.org/techniques/T1221", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1222", "technique": "File and Directory Permissions Modification", "url": "https://attack.mitre.org/techniques/T1222", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1222.001", "technique": "File and Directory Permissions Modification: Windows File and Directory Permissions Modification", "url": "https://attack.mitre.org/techniques/T1222/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1222.002", "technique": "File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification", "url": "https://attack.mitre.org/techniques/T1222/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Linux" ] }, { "technique_id": "T1398", "technique": "Modify OS Kernel or Boot Partition", "url": "https://attack.mitre.org/techniques/T1398", "tactic": [ "Defense Evasion", "Persistence" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1399", "technique": "Modify Trusted Execution Environment", "url": "https://attack.mitre.org/techniques/T1399", "tactic": [ "Defense Evasion", "Persistence" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1400", "technique": "Modify System Partition", "url": "https://attack.mitre.org/techniques/T1400", "tactic": [ "Defense Evasion", "Persistence", "Impact" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1401", "technique": "Device Administrator Permissions", "url": "https://attack.mitre.org/techniques/T1401", "tactic": [ "Privilege Escalation" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1402", "technique": "Broadcast Receivers", "url": "https://attack.mitre.org/techniques/T1402", "tactic": [ "Persistence", "Execution" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1403", "technique": "Modify Cached Executable Code", "url": "https://attack.mitre.org/techniques/T1403", "tactic": [ "Persistence" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1404", "technique": "Exploit OS Vulnerability", "url": "https://attack.mitre.org/techniques/T1404", "tactic": [ "Privilege Escalation" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1405", "technique": "Exploit TEE Vulnerability", "url": "https://attack.mitre.org/techniques/T1405", "tactic": [ "Credential Access", "Privilege Escalation" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1406", "technique": "Obfuscated Files or Information", "url": "https://attack.mitre.org/techniques/T1406", "tactic": [ "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1407", "technique": "Download New Code at Runtime", "url": "https://attack.mitre.org/techniques/T1407", "tactic": [ "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1408", "technique": "Disguise Root/Jailbreak Indicators", "url": "https://attack.mitre.org/techniques/T1408", "tactic": [ "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1409", "technique": "Access Stored Application Data", "url": "https://attack.mitre.org/techniques/T1409", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1410", "technique": "Network Traffic Capture or Redirection", "url": "https://attack.mitre.org/techniques/T1410", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1411", "technique": "Input Prompt", "url": "https://attack.mitre.org/techniques/T1411", "tactic": [ "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1412", "technique": "Capture SMS Messages", "url": "https://attack.mitre.org/techniques/T1412", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1413", "technique": "Access Sensitive Data in Device Logs", "url": "https://attack.mitre.org/techniques/T1413", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1414", "technique": "Capture Clipboard Data", "url": "https://attack.mitre.org/techniques/T1414", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1416", "technique": "URI Hijacking", "url": "https://attack.mitre.org/techniques/T1416", "tactic": [ "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1417", "technique": "Input Capture", "url": "https://attack.mitre.org/techniques/T1417", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1418", "technique": "Application Discovery", "url": "https://attack.mitre.org/techniques/T1418", "tactic": [ "Defense Evasion", "Discovery" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1420", "technique": "File and Directory Discovery", "url": "https://attack.mitre.org/techniques/T1420", "tactic": [ "Discovery" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1421", "technique": "System Network Connections Discovery", "url": "https://attack.mitre.org/techniques/T1421", "tactic": [ "Discovery" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1422", "technique": "System Network Configuration Discovery", "url": "https://attack.mitre.org/techniques/T1422", "tactic": [ "Discovery" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1423", "technique": "Network Service Scanning", "url": "https://attack.mitre.org/techniques/T1423", "tactic": [ "Discovery" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1424", "technique": "Process Discovery", "url": "https://attack.mitre.org/techniques/T1424", "tactic": [ "Discovery" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1426", "technique": "System Information Discovery", "url": "https://attack.mitre.org/techniques/T1426", "tactic": [ "Discovery" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1427", "technique": "Attack PC via USB Connection", "url": "https://attack.mitre.org/techniques/T1427", "tactic": [ "Lateral Movement" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1428", "technique": "Exploit Enterprise Resources", "url": "https://attack.mitre.org/techniques/T1428", "tactic": [ "Lateral Movement" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1429", "technique": "Capture Audio", "url": "https://attack.mitre.org/techniques/T1429", "tactic": [ "Collection" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1430", "technique": "Location Tracking", "url": "https://attack.mitre.org/techniques/T1430", "tactic": [ "Collection", "Discovery" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1432", "technique": "Access Contact List", "url": "https://attack.mitre.org/techniques/T1432", "tactic": [ "Collection" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1433", "technique": "Access Call Log", "url": "https://attack.mitre.org/techniques/T1433", "tactic": [ "Collection" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1435", "technique": "Access Calendar Entries", "url": "https://attack.mitre.org/techniques/T1435", "tactic": [ "Collection" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1436", "technique": "Commonly Used Port", "url": "https://attack.mitre.org/techniques/T1436", "tactic": [ "Command and Control", "Exfiltration" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1437", "technique": "Standard Application Layer Protocol", "url": "https://attack.mitre.org/techniques/T1437", "tactic": [ "Command and Control", "Exfiltration" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1438", "technique": "Alternate Network Mediums", "url": "https://attack.mitre.org/techniques/T1438", "tactic": [ "Command and Control", "Exfiltration" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1439", "technique": "Eavesdrop on Insecure Network Communication", "url": "https://attack.mitre.org/techniques/T1439", "tactic": [ "Network Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1444", "technique": "Masquerade as Legitimate Application", "url": "https://attack.mitre.org/techniques/T1444", "tactic": [ "Initial Access", "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1446", "technique": "Device Lockout", "url": "https://attack.mitre.org/techniques/T1446", "tactic": [ "Impact", "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1447", "technique": "Delete Device Data", "url": "https://attack.mitre.org/techniques/T1447", "tactic": [ "Impact", "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1448", "technique": "Carrier Billing Fraud", "url": "https://attack.mitre.org/techniques/T1448", "tactic": [ "Impact" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1449", "technique": "Exploit SS7 to Redirect Phone Calls/SMS", "url": "https://attack.mitre.org/techniques/T1449", "tactic": [ "Network Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1450", "technique": "Exploit SS7 to Track Device Location", "url": "https://attack.mitre.org/techniques/T1450", "tactic": [ "Network Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1451", "technique": "SIM Card Swap", "url": "https://attack.mitre.org/techniques/T1451", "tactic": [ "Network Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1452", "technique": "Manipulate App Store Rankings or Ratings", "url": "https://attack.mitre.org/techniques/T1452", "tactic": [ "Impact" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1456", "technique": "Drive-by Compromise", "url": "https://attack.mitre.org/techniques/T1456", "tactic": [ "Initial Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1458", "technique": "Exploit via Charging Station or PC", "url": "https://attack.mitre.org/techniques/T1458", "tactic": [ "Initial Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1461", "technique": "Lockscreen Bypass", "url": "https://attack.mitre.org/techniques/T1461", "tactic": [ "Initial Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1463", "technique": "Manipulate Device Communication", "url": "https://attack.mitre.org/techniques/T1463", "tactic": [ "Network Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1464", "technique": "Jamming or Denial of Service", "url": "https://attack.mitre.org/techniques/T1464", "tactic": [ "Network Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1465", "technique": "Rogue Wi-Fi Access Points", "url": "https://attack.mitre.org/techniques/T1465", "tactic": [ "Network Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1466", "technique": "Downgrade to Insecure Protocols", "url": "https://attack.mitre.org/techniques/T1466", "tactic": [ "Network Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1467", "technique": "Rogue Cellular Base Station", "url": "https://attack.mitre.org/techniques/T1467", "tactic": [ "Network Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1468", "technique": "Remotely Track Device Without Authorization", "url": "https://attack.mitre.org/techniques/T1468", "tactic": [ "Remote Service Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1469", "technique": "Remotely Wipe Data Without Authorization", "url": "https://attack.mitre.org/techniques/T1469", "tactic": [ "Remote Service Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1470", "technique": "Obtain Device Cloud Backups", "url": "https://attack.mitre.org/techniques/T1470", "tactic": [ "Remote Service Effects" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1471", "technique": "Data Encrypted for Impact", "url": "https://attack.mitre.org/techniques/T1471", "tactic": [ "Impact" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1472", "technique": "Generate Fraudulent Advertising Revenue", "url": "https://attack.mitre.org/techniques/T1472", "tactic": [ "Impact" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1474", "technique": "Supply Chain Compromise", "url": "https://attack.mitre.org/techniques/T1474", "tactic": [ "Initial Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1475", "technique": "Deliver Malicious App via Authorized App Store", "url": "https://attack.mitre.org/techniques/T1475", "tactic": [ "Initial Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1476", "technique": "Deliver Malicious App via Other Means", "url": "https://attack.mitre.org/techniques/T1476", "tactic": [ "Initial Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1477", "technique": "Exploit via Radio Interfaces", "url": "https://attack.mitre.org/techniques/T1477", "tactic": [ "Initial Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1478", "technique": "Install Insecure or Malicious Configuration", "url": "https://attack.mitre.org/techniques/T1478", "tactic": [ "Defense Evasion", "Initial Access" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1480", "technique": "Execution Guardrails", "url": "https://attack.mitre.org/techniques/T1480", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1480.001", "technique": "Execution Guardrails: Environmental Keying", "url": "https://attack.mitre.org/techniques/T1480/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1481", "technique": "Web Service", "url": "https://attack.mitre.org/techniques/T1481", "tactic": [ "Command and Control" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1482", "technique": "Domain Trust Discovery", "url": "https://attack.mitre.org/techniques/T1482", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1484", "technique": "Domain Policy Modification", "url": "https://attack.mitre.org/techniques/T1484", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD" ] }, { "technique_id": "T1484.001", "technique": "Domain Policy Modification: Group Policy Modification", "url": "https://attack.mitre.org/techniques/T1484/001", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1484.002", "technique": "Domain Policy Modification: Domain Trust Modification", "url": "https://attack.mitre.org/techniques/T1484/002", "tactic": [ "Defense Evasion", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD" ] }, { "technique_id": "T1485", "technique": "Data Destruction", "url": "https://attack.mitre.org/techniques/T1485", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS" ] }, { "technique_id": "T1486", "technique": "Data Encrypted for Impact", "url": "https://attack.mitre.org/techniques/T1486", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "IaaS" ] }, { "technique_id": "T1489", "technique": "Service Stop", "url": "https://attack.mitre.org/techniques/T1489", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1490", "technique": "Inhibit System Recovery", "url": "https://attack.mitre.org/techniques/T1490", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1491", "technique": "Defacement", "url": "https://attack.mitre.org/techniques/T1491", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS" ] }, { "technique_id": "T1491.001", "technique": "Defacement: Internal Defacement", "url": "https://attack.mitre.org/techniques/T1491/001", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1491.002", "technique": "Defacement: External Defacement", "url": "https://attack.mitre.org/techniques/T1491/002", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS" ] }, { "technique_id": "T1495", "technique": "Firmware Corruption", "url": "https://attack.mitre.org/techniques/T1495", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1496", "technique": "Resource Hijacking", "url": "https://attack.mitre.org/techniques/T1496", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS", "Containers" ] }, { "technique_id": "T1497", "technique": "Virtualization/Sandbox Evasion", "url": "https://attack.mitre.org/techniques/T1497", "tactic": [ "Defense Evasion", "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1497.001", "technique": "Virtualization/Sandbox Evasion: System Checks", "url": "https://attack.mitre.org/techniques/T1497/001", "tactic": [ "Defense Evasion", "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1497.002", "technique": "Virtualization/Sandbox Evasion: User Activity Based Checks", "url": "https://attack.mitre.org/techniques/T1497/002", "tactic": [ "Defense Evasion", "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1497.003", "technique": "Virtualization/Sandbox Evasion: Time Based Evasion", "url": "https://attack.mitre.org/techniques/T1497/003", "tactic": [ "Defense Evasion", "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1498", "technique": "Network Denial of Service", "url": "https://attack.mitre.org/techniques/T1498", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1498.001", "technique": "Network Denial of Service: Direct Network Flood", "url": "https://attack.mitre.org/techniques/T1498/001", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1498.002", "technique": "Network Denial of Service: Reflection Amplification", "url": "https://attack.mitre.org/techniques/T1498/002", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1499", "technique": "Endpoint Denial of Service", "url": "https://attack.mitre.org/techniques/T1499", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1499.001", "technique": "Endpoint Denial of Service: OS Exhaustion Flood", "url": "https://attack.mitre.org/techniques/T1499/001", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1499.002", "technique": "Endpoint Denial of Service: Service Exhaustion Flood", "url": "https://attack.mitre.org/techniques/T1499/002", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1499.003", "technique": "Endpoint Denial of Service: Application Exhaustion Flood", "url": "https://attack.mitre.org/techniques/T1499/003", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1499.004", "technique": "Endpoint Denial of Service: Application or System Exploitation", "url": "https://attack.mitre.org/techniques/T1499/004", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1505", "technique": "Server Software Component", "url": "https://attack.mitre.org/techniques/T1505", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1505.001", "technique": "Server Software Component: SQL Stored Procedures", "url": "https://attack.mitre.org/techniques/T1505/001", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux" ] }, { "technique_id": "T1505.002", "technique": "Server Software Component: Transport Agent", "url": "https://attack.mitre.org/techniques/T1505/002", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows" ] }, { "technique_id": "T1505.003", "technique": "Server Software Component: Web Shell", "url": "https://attack.mitre.org/techniques/T1505/003", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1505.004", "technique": "Server Software Component: IIS Components", "url": "https://attack.mitre.org/techniques/T1505/004", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1507", "technique": "Network Information Discovery", "url": "https://attack.mitre.org/techniques/T1507", "tactic": [ "Collection" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1508", "technique": "Suppress Application Icon", "url": "https://attack.mitre.org/techniques/T1508", "tactic": [ "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1509", "technique": "Uncommonly Used Port", "url": "https://attack.mitre.org/techniques/T1509", "tactic": [ "Command and Control" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1510", "technique": "Clipboard Modification", "url": "https://attack.mitre.org/techniques/T1510", "tactic": [ "Impact" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1512", "technique": "Capture Camera", "url": "https://attack.mitre.org/techniques/T1512", "tactic": [ "Collection" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1513", "technique": "Screen Capture", "url": "https://attack.mitre.org/techniques/T1513", "tactic": [ "Collection" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1516", "technique": "Input Injection", "url": "https://attack.mitre.org/techniques/T1516", "tactic": [ "Defense Evasion", "Impact" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1517", "technique": "Access Notifications", "url": "https://attack.mitre.org/techniques/T1517", "tactic": [ "Collection", "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1518", "technique": "Software Discovery", "url": "https://attack.mitre.org/techniques/T1518", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1518.001", "technique": "Software Discovery: Security Software Discovery", "url": "https://attack.mitre.org/techniques/T1518/001", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace" ] }, { "technique_id": "T1520", "technique": "Domain Generation Algorithms", "url": "https://attack.mitre.org/techniques/T1520", "tactic": [ "Command and Control" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1521", "technique": "Standard Cryptographic Protocol", "url": "https://attack.mitre.org/techniques/T1521", "tactic": [ "Command and Control" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1523", "technique": "Evade Analysis Environment", "url": "https://attack.mitre.org/techniques/T1523", "tactic": [ "Defense Evasion", "Discovery" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1525", "technique": "Implant Internal Image", "url": "https://attack.mitre.org/techniques/T1525", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "IaaS", "Containers" ] }, { "technique_id": "T1526", "technique": "Cloud Service Discovery", "url": "https://attack.mitre.org/techniques/T1526", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Azure AD", "Office 365", "SaaS", "IaaS", "Google Workspace" ] }, { "technique_id": "T1528", "technique": "Steal Application Access Token", "url": "https://attack.mitre.org/techniques/T1528", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "SaaS", "Office 365", "Azure AD", "Google Workspace" ] }, { "technique_id": "T1529", "technique": "System Shutdown/Reboot", "url": "https://attack.mitre.org/techniques/T1529", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1530", "technique": "Data from Cloud Storage Object", "url": "https://attack.mitre.org/techniques/T1530", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1531", "technique": "Account Access Removal", "url": "https://attack.mitre.org/techniques/T1531", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1532", "technique": "Data Encrypted", "url": "https://attack.mitre.org/techniques/T1532", "tactic": [ "Exfiltration" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1533", "technique": "Data from Local System", "url": "https://attack.mitre.org/techniques/T1533", "tactic": [ "Collection" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1534", "technique": "Internal Spearphishing", "url": "https://attack.mitre.org/techniques/T1534", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux", "Office 365", "SaaS", "Google Workspace" ] }, { "technique_id": "T1535", "technique": "Unused/Unsupported Cloud Regions", "url": "https://attack.mitre.org/techniques/T1535", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1537", "technique": "Transfer Data to Cloud Account", "url": "https://attack.mitre.org/techniques/T1537", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1538", "technique": "Cloud Service Dashboard", "url": "https://attack.mitre.org/techniques/T1538", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Azure AD", "Office 365", "IaaS", "Google Workspace" ] }, { "technique_id": "T1539", "technique": "Steal Web Session Cookie", "url": "https://attack.mitre.org/techniques/T1539", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Office 365", "SaaS", "Google Workspace" ] }, { "technique_id": "T1540", "technique": "Code Injection", "url": "https://attack.mitre.org/techniques/T1540", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1541", "technique": "Foreground Persistence", "url": "https://attack.mitre.org/techniques/T1541", "tactic": [ "Collection", "Persistence" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1542", "technique": "Pre-OS Boot", "url": "https://attack.mitre.org/techniques/T1542", "tactic": [ "Defense Evasion", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "Network" ] }, { "technique_id": "T1542.001", "technique": "Pre-OS Boot: System Firmware", "url": "https://attack.mitre.org/techniques/T1542/001", "tactic": [ "Persistence", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1542.002", "technique": "Pre-OS Boot: Component Firmware", "url": "https://attack.mitre.org/techniques/T1542/002", "tactic": [ "Persistence", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1542.003", "technique": "Pre-OS Boot: Bootkit", "url": "https://attack.mitre.org/techniques/T1542/003", "tactic": [ "Persistence", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows" ] }, { "technique_id": "T1542.004", "technique": "Pre-OS Boot: ROMMONkit", "url": "https://attack.mitre.org/techniques/T1542/004", "tactic": [ "Defense Evasion", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1542.005", "technique": "Pre-OS Boot: TFTP Boot", "url": "https://attack.mitre.org/techniques/T1542/005", "tactic": [ "Defense Evasion", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1543", "technique": "Create or Modify System Process", "url": "https://attack.mitre.org/techniques/T1543", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1543.001", "technique": "Create or Modify System Process: Launch Agent", "url": "https://attack.mitre.org/techniques/T1543/001", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1543.002", "technique": "Create or Modify System Process: Systemd Service", "url": "https://attack.mitre.org/techniques/T1543/002", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux" ] }, { "technique_id": "T1543.003", "technique": "Create or Modify System Process: Windows Service", "url": "https://attack.mitre.org/techniques/T1543/003", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1543.004", "technique": "Create or Modify System Process: Launch Daemon", "url": "https://attack.mitre.org/techniques/T1543/004", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1544", "technique": "Remote File Copy", "url": "https://attack.mitre.org/techniques/T1544", "tactic": [ "Command and Control" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1546", "technique": "Event Triggered Execution", "url": "https://attack.mitre.org/techniques/T1546", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1546.001", "technique": "Event Triggered Execution: Change Default File Association", "url": "https://attack.mitre.org/techniques/T1546/001", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.002", "technique": "Event Triggered Execution: Screensaver", "url": "https://attack.mitre.org/techniques/T1546/002", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.003", "technique": "Event Triggered Execution: Windows Management Instrumentation Event Subscription", "url": "https://attack.mitre.org/techniques/T1546/003", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.004", "technique": "Event Triggered Execution: Unix Shell Configuration Modification", "url": "https://attack.mitre.org/techniques/T1546/004", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1546.005", "technique": "Event Triggered Execution: Trap", "url": "https://attack.mitre.org/techniques/T1546/005", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Linux" ] }, { "technique_id": "T1546.006", "technique": "Event Triggered Execution: LC_LOAD_DYLIB Addition", "url": "https://attack.mitre.org/techniques/T1546/006", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1546.007", "technique": "Event Triggered Execution: Netsh Helper DLL", "url": "https://attack.mitre.org/techniques/T1546/007", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.008", "technique": "Event Triggered Execution: Accessibility Features", "url": "https://attack.mitre.org/techniques/T1546/008", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.009", "technique": "Event Triggered Execution: AppCert DLLs", "url": "https://attack.mitre.org/techniques/T1546/009", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.010", "technique": "Event Triggered Execution: AppInit DLLs", "url": "https://attack.mitre.org/techniques/T1546/010", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.011", "technique": "Event Triggered Execution: Application Shimming", "url": "https://attack.mitre.org/techniques/T1546/011", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.012", "technique": "Event Triggered Execution: Image File Execution Options Injection", "url": "https://attack.mitre.org/techniques/T1546/012", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.013", "technique": "Event Triggered Execution: PowerShell Profile", "url": "https://attack.mitre.org/techniques/T1546/013", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1546.014", "technique": "Event Triggered Execution: Emond", "url": "https://attack.mitre.org/techniques/T1546/014", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1546.015", "technique": "Event Triggered Execution: Component Object Model Hijacking", "url": "https://attack.mitre.org/techniques/T1546/015", "tactic": [ "Privilege Escalation", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547", "technique": "Boot or Logon Autostart Execution", "url": "https://attack.mitre.org/techniques/T1547", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1547.001", "technique": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", "url": "https://attack.mitre.org/techniques/T1547/001", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.002", "technique": "Boot or Logon Autostart Execution: Authentication Package", "url": "https://attack.mitre.org/techniques/T1547/002", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.003", "technique": "Boot or Logon Autostart Execution: Time Providers", "url": "https://attack.mitre.org/techniques/T1547/003", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.004", "technique": "Boot or Logon Autostart Execution: Winlogon Helper DLL", "url": "https://attack.mitre.org/techniques/T1547/004", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.005", "technique": "Boot or Logon Autostart Execution: Security Support Provider", "url": "https://attack.mitre.org/techniques/T1547/005", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.006", "technique": "Boot or Logon Autostart Execution: Kernel Modules and Extensions", "url": "https://attack.mitre.org/techniques/T1547/006", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Linux" ] }, { "technique_id": "T1547.007", "technique": "Boot or Logon Autostart Execution: Re-opened Applications", "url": "https://attack.mitre.org/techniques/T1547/007", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1547.008", "technique": "Boot or Logon Autostart Execution: LSASS Driver", "url": "https://attack.mitre.org/techniques/T1547/008", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.009", "technique": "Boot or Logon Autostart Execution: Shortcut Modification", "url": "https://attack.mitre.org/techniques/T1547/009", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.010", "technique": "Boot or Logon Autostart Execution: Port Monitors", "url": "https://attack.mitre.org/techniques/T1547/010", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.011", "technique": "Boot or Logon Autostart Execution: Plist Modification", "url": "https://attack.mitre.org/techniques/T1547/011", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1547.012", "technique": "Boot or Logon Autostart Execution: Print Processors", "url": "https://attack.mitre.org/techniques/T1547/012", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.013", "technique": "Boot or Logon Autostart Execution: XDG Autostart Entries", "url": "https://attack.mitre.org/techniques/T1547/013", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Linux" ] }, { "technique_id": "T1547.014", "technique": "Boot or Logon Autostart Execution: Active Setup", "url": "https://attack.mitre.org/techniques/T1547/014", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1547.015", "technique": "Boot or Logon Autostart Execution: Login Items", "url": "https://attack.mitre.org/techniques/T1547/015", "tactic": [ "Persistence", "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1548", "technique": "Abuse Elevation Control Mechanism", "url": "https://attack.mitre.org/techniques/T1548", "tactic": [ "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1548.001", "technique": "Abuse Elevation Control Mechanism: Setuid and Setgid", "url": "https://attack.mitre.org/techniques/T1548/001", "tactic": [ "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1548.002", "technique": "Abuse Elevation Control Mechanism: Bypass User Account Control", "url": "https://attack.mitre.org/techniques/T1548/002", "tactic": [ "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1548.003", "technique": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching", "url": "https://attack.mitre.org/techniques/T1548/003", "tactic": [ "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1548.004", "technique": "Abuse Elevation Control Mechanism: Elevated Execution with Prompt", "url": "https://attack.mitre.org/techniques/T1548/004", "tactic": [ "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1550", "technique": "Use Alternate Authentication Material", "url": "https://attack.mitre.org/techniques/T1550", "tactic": [ "Defense Evasion", "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365", "SaaS", "Google Workspace", "IaaS" ] }, { "technique_id": "T1550.001", "technique": "Use Alternate Authentication Material: Application Access Token", "url": "https://attack.mitre.org/techniques/T1550/001", "tactic": [ "Defense Evasion", "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Office 365", "SaaS", "Google Workspace" ] }, { "technique_id": "T1550.002", "technique": "Use Alternate Authentication Material: Pass the Hash", "url": "https://attack.mitre.org/techniques/T1550/002", "tactic": [ "Defense Evasion", "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1550.003", "technique": "Use Alternate Authentication Material: Pass the Ticket", "url": "https://attack.mitre.org/techniques/T1550/003", "tactic": [ "Defense Evasion", "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1550.004", "technique": "Use Alternate Authentication Material: Web Session Cookie", "url": "https://attack.mitre.org/techniques/T1550/004", "tactic": [ "Defense Evasion", "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Office 365", "SaaS", "Google Workspace", "IaaS" ] }, { "technique_id": "T1552", "technique": "Unsecured Credentials", "url": "https://attack.mitre.org/techniques/T1552", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Azure AD", "Office 365", "SaaS", "IaaS", "Linux", "macOS", "Google Workspace", "Containers" ] }, { "technique_id": "T1552.001", "technique": "Unsecured Credentials: Credentials In Files", "url": "https://attack.mitre.org/techniques/T1552/001", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "IaaS", "Linux", "macOS", "Containers" ] }, { "technique_id": "T1552.002", "technique": "Unsecured Credentials: Credentials in Registry", "url": "https://attack.mitre.org/techniques/T1552/002", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1552.003", "technique": "Unsecured Credentials: Bash History", "url": "https://attack.mitre.org/techniques/T1552/003", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1552.004", "technique": "Unsecured Credentials: Private Keys", "url": "https://attack.mitre.org/techniques/T1552/004", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1552.005", "technique": "Unsecured Credentials: Cloud Instance Metadata API", "url": "https://attack.mitre.org/techniques/T1552/005", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1552.006", "technique": "Unsecured Credentials: Group Policy Preferences", "url": "https://attack.mitre.org/techniques/T1552/006", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1552.007", "technique": "Unsecured Credentials: Container API", "url": "https://attack.mitre.org/techniques/T1552/007", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Containers" ] }, { "technique_id": "T1553", "technique": "Subvert Trust Controls", "url": "https://attack.mitre.org/techniques/T1553", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1553.001", "technique": "Subvert Trust Controls: Gatekeeper Bypass", "url": "https://attack.mitre.org/techniques/T1553/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1553.002", "technique": "Subvert Trust Controls: Code Signing", "url": "https://attack.mitre.org/techniques/T1553/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows" ] }, { "technique_id": "T1553.003", "technique": "Subvert Trust Controls: SIP and Trust Provider Hijacking", "url": "https://attack.mitre.org/techniques/T1553/003", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1553.004", "technique": "Subvert Trust Controls: Install Root Certificate", "url": "https://attack.mitre.org/techniques/T1553/004", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1553.005", "technique": "Subvert Trust Controls: Mark-of-the-Web Bypass", "url": "https://attack.mitre.org/techniques/T1553/005", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1553.006", "technique": "Subvert Trust Controls: Code Signing Policy Modification", "url": "https://attack.mitre.org/techniques/T1553/006", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS" ] }, { "technique_id": "T1554", "technique": "Compromise Client Software Binary", "url": "https://attack.mitre.org/techniques/T1554", "tactic": [ "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1555", "technique": "Credentials from Password Stores", "url": "https://attack.mitre.org/techniques/T1555", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1555.001", "technique": "Credentials from Password Stores: Keychain", "url": "https://attack.mitre.org/techniques/T1555/001", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1555.002", "technique": "Credentials from Password Stores: Securityd Memory", "url": "https://attack.mitre.org/techniques/T1555/002", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1555.003", "technique": "Credentials from Password Stores: Credentials from Web Browsers", "url": "https://attack.mitre.org/techniques/T1555/003", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1555.004", "technique": "Credentials from Password Stores: Windows Credential Manager", "url": "https://attack.mitre.org/techniques/T1555/004", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1555.005", "technique": "Credentials from Password Stores: Password Managers", "url": "https://attack.mitre.org/techniques/T1555/005", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1556", "technique": "Modify Authentication Process", "url": "https://attack.mitre.org/techniques/T1556", "tactic": [ "Credential Access", "Defense Evasion", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS", "Network" ] }, { "technique_id": "T1556.001", "technique": "Modify Authentication Process: Domain Controller Authentication", "url": "https://attack.mitre.org/techniques/T1556/001", "tactic": [ "Credential Access", "Defense Evasion", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1556.002", "technique": "Modify Authentication Process: Password Filter DLL", "url": "https://attack.mitre.org/techniques/T1556/002", "tactic": [ "Credential Access", "Defense Evasion", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1556.003", "technique": "Modify Authentication Process: Pluggable Authentication Modules", "url": "https://attack.mitre.org/techniques/T1556/003", "tactic": [ "Credential Access", "Defense Evasion", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1556.004", "technique": "Modify Authentication Process: Network Device Authentication", "url": "https://attack.mitre.org/techniques/T1556/004", "tactic": [ "Credential Access", "Defense Evasion", "Persistence" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1557", "technique": "Adversary-in-the-Middle", "url": "https://attack.mitre.org/techniques/T1557", "tactic": [ "Credential Access", "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1557.001", "technique": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay", "url": "https://attack.mitre.org/techniques/T1557/001", "tactic": [ "Credential Access", "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1557.002", "technique": "Adversary-in-the-Middle: ARP Cache Poisoning", "url": "https://attack.mitre.org/techniques/T1557/002", "tactic": [ "Credential Access", "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1558", "technique": "Steal or Forge Kerberos Tickets", "url": "https://attack.mitre.org/techniques/T1558", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1558.001", "technique": "Steal or Forge Kerberos Tickets: Golden Ticket", "url": "https://attack.mitre.org/techniques/T1558/001", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1558.002", "technique": "Steal or Forge Kerberos Tickets: Silver Ticket", "url": "https://attack.mitre.org/techniques/T1558/002", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1558.003", "technique": "Steal or Forge Kerberos Tickets: Kerberoasting", "url": "https://attack.mitre.org/techniques/T1558/003", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1558.004", "technique": "Steal or Forge Kerberos Tickets: AS-REP Roasting", "url": "https://attack.mitre.org/techniques/T1558/004", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1559", "technique": "Inter-Process Communication", "url": "https://attack.mitre.org/techniques/T1559", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS" ] }, { "technique_id": "T1559.001", "technique": "Inter-Process Communication: Component Object Model", "url": "https://attack.mitre.org/techniques/T1559/001", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1559.002", "technique": "Inter-Process Communication: Dynamic Data Exchange", "url": "https://attack.mitre.org/techniques/T1559/002", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1560", "technique": "Archive Collected Data", "url": "https://attack.mitre.org/techniques/T1560", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1560.001", "technique": "Archive Collected Data: Archive via Utility", "url": "https://attack.mitre.org/techniques/T1560/001", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1560.002", "technique": "Archive Collected Data: Archive via Library", "url": "https://attack.mitre.org/techniques/T1560/002", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1560.003", "technique": "Archive Collected Data: Archive via Custom Method", "url": "https://attack.mitre.org/techniques/T1560/003", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1561", "technique": "Disk Wipe", "url": "https://attack.mitre.org/techniques/T1561", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1561.001", "technique": "Disk Wipe: Disk Content Wipe", "url": "https://attack.mitre.org/techniques/T1561/001", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1561.002", "technique": "Disk Wipe: Disk Structure Wipe", "url": "https://attack.mitre.org/techniques/T1561/002", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1562", "technique": "Impair Defenses", "url": "https://attack.mitre.org/techniques/T1562", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365", "IaaS", "Linux", "macOS", "Containers", "Network" ] }, { "technique_id": "T1562.001", "technique": "Impair Defenses: Disable or Modify Tools", "url": "https://attack.mitre.org/techniques/T1562/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux", "Containers", "IaaS" ] }, { "technique_id": "T1562.002", "technique": "Impair Defenses: Disable Windows Event Logging", "url": "https://attack.mitre.org/techniques/T1562/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1562.003", "technique": "Impair Defenses: Impair Command History Logging", "url": "https://attack.mitre.org/techniques/T1562/003", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1562.004", "technique": "Impair Defenses: Disable or Modify System Firewall", "url": "https://attack.mitre.org/techniques/T1562/004", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1562.006", "technique": "Impair Defenses: Indicator Blocking", "url": "https://attack.mitre.org/techniques/T1562/006", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1562.007", "technique": "Impair Defenses: Disable or Modify Cloud Firewall", "url": "https://attack.mitre.org/techniques/T1562/007", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1562.008", "technique": "Impair Defenses: Disable Cloud Logs", "url": "https://attack.mitre.org/techniques/T1562/008", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1562.009", "technique": "Impair Defenses: Safe Mode Boot", "url": "https://attack.mitre.org/techniques/T1562/009", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1562.010", "technique": "Impair Defenses: Downgrade Attack", "url": "https://attack.mitre.org/techniques/T1562/010", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1563", "technique": "Remote Service Session Hijacking", "url": "https://attack.mitre.org/techniques/T1563", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1563.001", "technique": "Remote Service Session Hijacking: SSH Hijacking", "url": "https://attack.mitre.org/techniques/T1563/001", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1563.002", "technique": "Remote Service Session Hijacking: RDP Hijacking", "url": "https://attack.mitre.org/techniques/T1563/002", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1564", "technique": "Hide Artifacts", "url": "https://attack.mitre.org/techniques/T1564", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Office 365" ] }, { "technique_id": "T1564.001", "technique": "Hide Artifacts: Hidden Files and Directories", "url": "https://attack.mitre.org/techniques/T1564/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS", "Linux" ] }, { "technique_id": "T1564.002", "technique": "Hide Artifacts: Hidden Users", "url": "https://attack.mitre.org/techniques/T1564/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows" ] }, { "technique_id": "T1564.003", "technique": "Hide Artifacts: Hidden Window", "url": "https://attack.mitre.org/techniques/T1564/003", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows" ] }, { "technique_id": "T1564.004", "technique": "Hide Artifacts: NTFS File Attributes", "url": "https://attack.mitre.org/techniques/T1564/004", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1564.005", "technique": "Hide Artifacts: Hidden File System", "url": "https://attack.mitre.org/techniques/T1564/005", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1564.006", "technique": "Hide Artifacts: Run Virtual Instance", "url": "https://attack.mitre.org/techniques/T1564/006", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1564.007", "technique": "Hide Artifacts: VBA Stomping", "url": "https://attack.mitre.org/techniques/T1564/007", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1564.008", "technique": "Hide Artifacts: Email Hiding Rules", "url": "https://attack.mitre.org/techniques/T1564/008", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Office 365", "Linux", "macOS" ] }, { "technique_id": "T1564.009", "technique": "Hide Artifacts: Resource Forking", "url": "https://attack.mitre.org/techniques/T1564/009", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1565", "technique": "Data Manipulation", "url": "https://attack.mitre.org/techniques/T1565", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1565.001", "technique": "Data Manipulation: Stored Data Manipulation", "url": "https://attack.mitre.org/techniques/T1565/001", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1565.002", "technique": "Data Manipulation: Transmitted Data Manipulation", "url": "https://attack.mitre.org/techniques/T1565/002", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1565.003", "technique": "Data Manipulation: Runtime Data Manipulation", "url": "https://attack.mitre.org/techniques/T1565/003", "tactic": [ "Impact" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1566", "technique": "Phishing", "url": "https://attack.mitre.org/techniques/T1566", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "SaaS", "Office 365", "Google Workspace" ] }, { "technique_id": "T1566.001", "technique": "Phishing: Spearphishing Attachment", "url": "https://attack.mitre.org/techniques/T1566/001", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Windows", "Linux" ] }, { "technique_id": "T1566.002", "technique": "Phishing: Spearphishing Link", "url": "https://attack.mitre.org/techniques/T1566/002", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "Office 365", "SaaS", "Google Workspace" ] }, { "technique_id": "T1566.003", "technique": "Phishing: Spearphishing via Service", "url": "https://attack.mitre.org/techniques/T1566/003", "tactic": [ "Initial Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1567", "technique": "Exfiltration Over Web Service", "url": "https://attack.mitre.org/techniques/T1567", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1567.001", "technique": "Exfiltration Over Web Service: Exfiltration to Code Repository", "url": "https://attack.mitre.org/techniques/T1567/001", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1567.002", "technique": "Exfiltration Over Web Service: Exfiltration to Cloud Storage", "url": "https://attack.mitre.org/techniques/T1567/002", "tactic": [ "Exfiltration" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1568", "technique": "Dynamic Resolution", "url": "https://attack.mitre.org/techniques/T1568", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1568.001", "technique": "Dynamic Resolution: Fast Flux DNS", "url": "https://attack.mitre.org/techniques/T1568/001", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1568.002", "technique": "Dynamic Resolution: Domain Generation Algorithms", "url": "https://attack.mitre.org/techniques/T1568/002", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1568.003", "technique": "Dynamic Resolution: DNS Calculation", "url": "https://attack.mitre.org/techniques/T1568/003", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1569", "technique": "System Services", "url": "https://attack.mitre.org/techniques/T1569", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "macOS" ] }, { "technique_id": "T1569.001", "technique": "System Services: Launchctl", "url": "https://attack.mitre.org/techniques/T1569/001", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1569.002", "technique": "System Services: Service Execution", "url": "https://attack.mitre.org/techniques/T1569/002", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1570", "technique": "Lateral Tool Transfer", "url": "https://attack.mitre.org/techniques/T1570", "tactic": [ "Lateral Movement" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1571", "technique": "Non-Standard Port", "url": "https://attack.mitre.org/techniques/T1571", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1572", "technique": "Protocol Tunneling", "url": "https://attack.mitre.org/techniques/T1572", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1573", "technique": "Encrypted Channel", "url": "https://attack.mitre.org/techniques/T1573", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1573.001", "technique": "Encrypted Channel: Symmetric Cryptography", "url": "https://attack.mitre.org/techniques/T1573/001", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "Windows", "macOS" ] }, { "technique_id": "T1573.002", "technique": "Encrypted Channel: Asymmetric Cryptography", "url": "https://attack.mitre.org/techniques/T1573/002", "tactic": [ "Command and Control" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1574", "technique": "Hijack Execution Flow", "url": "https://attack.mitre.org/techniques/T1574", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows" ] }, { "technique_id": "T1574.001", "technique": "Hijack Execution Flow: DLL Search Order Hijacking", "url": "https://attack.mitre.org/techniques/T1574/001", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1574.002", "technique": "Hijack Execution Flow: DLL Side-Loading", "url": "https://attack.mitre.org/techniques/T1574/002", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1574.004", "technique": "Hijack Execution Flow: Dylib Hijacking", "url": "https://attack.mitre.org/techniques/T1574/004", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS" ] }, { "technique_id": "T1574.005", "technique": "Hijack Execution Flow: Executable Installer File Permissions Weakness", "url": "https://attack.mitre.org/techniques/T1574/005", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1574.006", "technique": "Hijack Execution Flow: Dynamic Linker Hijacking", "url": "https://attack.mitre.org/techniques/T1574/006", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS" ] }, { "technique_id": "T1574.007", "technique": "Hijack Execution Flow: Path Interception by PATH Environment Variable", "url": "https://attack.mitre.org/techniques/T1574/007", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1574.008", "technique": "Hijack Execution Flow: Path Interception by Search Order Hijacking", "url": "https://attack.mitre.org/techniques/T1574/008", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1574.009", "technique": "Hijack Execution Flow: Path Interception by Unquoted Path", "url": "https://attack.mitre.org/techniques/T1574/009", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1574.010", "technique": "Hijack Execution Flow: Services File Permissions Weakness", "url": "https://attack.mitre.org/techniques/T1574/010", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1574.011", "technique": "Hijack Execution Flow: Services Registry Permissions Weakness", "url": "https://attack.mitre.org/techniques/T1574/011", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1574.012", "technique": "Hijack Execution Flow: COR_PROFILER", "url": "https://attack.mitre.org/techniques/T1574/012", "tactic": [ "Persistence", "Privilege Escalation", "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1575", "technique": "Native Code", "url": "https://attack.mitre.org/techniques/T1575", "tactic": [ "Defense Evasion", "Execution" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1576", "technique": "Uninstall Malicious Application", "url": "https://attack.mitre.org/techniques/T1576", "tactic": [ "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1577", "technique": "Compromise Application Executable", "url": "https://attack.mitre.org/techniques/T1577", "tactic": [ "Persistence" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1578", "technique": "Modify Cloud Compute Infrastructure", "url": "https://attack.mitre.org/techniques/T1578", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1578.001", "technique": "Modify Cloud Compute Infrastructure: Create Snapshot", "url": "https://attack.mitre.org/techniques/T1578/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1578.002", "technique": "Modify Cloud Compute Infrastructure: Create Cloud Instance", "url": "https://attack.mitre.org/techniques/T1578/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1578.003", "technique": "Modify Cloud Compute Infrastructure: Delete Cloud Instance", "url": "https://attack.mitre.org/techniques/T1578/003", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1578.004", "technique": "Modify Cloud Compute Infrastructure: Revert Cloud Instance", "url": "https://attack.mitre.org/techniques/T1578/004", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1579", "technique": "Keychain", "url": "https://attack.mitre.org/techniques/T1579", "tactic": [ "Credential Access" ], "domain": [ "Mobile" ], "platform": [ "iOS" ] }, { "technique_id": "T1580", "technique": "Cloud Infrastructure Discovery", "url": "https://attack.mitre.org/techniques/T1580", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1581", "technique": "Geofencing", "url": "https://attack.mitre.org/techniques/T1581", "tactic": [ "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1582", "technique": "SMS Control", "url": "https://attack.mitre.org/techniques/T1582", "tactic": [ "Impact" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1583", "technique": "Acquire Infrastructure", "url": "https://attack.mitre.org/techniques/T1583", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1583.001", "technique": "Acquire Infrastructure: Domains", "url": "https://attack.mitre.org/techniques/T1583/001", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1583.002", "technique": "Acquire Infrastructure: DNS Server", "url": "https://attack.mitre.org/techniques/T1583/002", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1583.003", "technique": "Acquire Infrastructure: Virtual Private Server", "url": "https://attack.mitre.org/techniques/T1583/003", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1583.004", "technique": "Acquire Infrastructure: Server", "url": "https://attack.mitre.org/techniques/T1583/004", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1583.005", "technique": "Acquire Infrastructure: Botnet", "url": "https://attack.mitre.org/techniques/T1583/005", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1583.006", "technique": "Acquire Infrastructure: Web Services", "url": "https://attack.mitre.org/techniques/T1583/006", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1584", "technique": "Compromise Infrastructure", "url": "https://attack.mitre.org/techniques/T1584", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1584.001", "technique": "Compromise Infrastructure: Domains", "url": "https://attack.mitre.org/techniques/T1584/001", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1584.002", "technique": "Compromise Infrastructure: DNS Server", "url": "https://attack.mitre.org/techniques/T1584/002", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1584.003", "technique": "Compromise Infrastructure: Virtual Private Server", "url": "https://attack.mitre.org/techniques/T1584/003", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1584.004", "technique": "Compromise Infrastructure: Server", "url": "https://attack.mitre.org/techniques/T1584/004", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1584.005", "technique": "Compromise Infrastructure: Botnet", "url": "https://attack.mitre.org/techniques/T1584/005", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1584.006", "technique": "Compromise Infrastructure: Web Services", "url": "https://attack.mitre.org/techniques/T1584/006", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1585", "technique": "Establish Accounts", "url": "https://attack.mitre.org/techniques/T1585", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1585.001", "technique": "Establish Accounts: Social Media Accounts", "url": "https://attack.mitre.org/techniques/T1585/001", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1585.002", "technique": "Establish Accounts: Email Accounts", "url": "https://attack.mitre.org/techniques/T1585/002", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1586", "technique": "Compromise Accounts", "url": "https://attack.mitre.org/techniques/T1586", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1586.001", "technique": "Compromise Accounts: Social Media Accounts", "url": "https://attack.mitre.org/techniques/T1586/001", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1586.002", "technique": "Compromise Accounts: Email Accounts", "url": "https://attack.mitre.org/techniques/T1586/002", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1587", "technique": "Develop Capabilities", "url": "https://attack.mitre.org/techniques/T1587", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1587.001", "technique": "Develop Capabilities: Malware", "url": "https://attack.mitre.org/techniques/T1587/001", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1587.002", "technique": "Develop Capabilities: Code Signing Certificates", "url": "https://attack.mitre.org/techniques/T1587/002", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1587.003", "technique": "Develop Capabilities: Digital Certificates", "url": "https://attack.mitre.org/techniques/T1587/003", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1587.004", "technique": "Develop Capabilities: Exploits", "url": "https://attack.mitre.org/techniques/T1587/004", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1588", "technique": "Obtain Capabilities", "url": "https://attack.mitre.org/techniques/T1588", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1588.001", "technique": "Obtain Capabilities: Malware", "url": "https://attack.mitre.org/techniques/T1588/001", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1588.002", "technique": "Obtain Capabilities: Tool", "url": "https://attack.mitre.org/techniques/T1588/002", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1588.003", "technique": "Obtain Capabilities: Code Signing Certificates", "url": "https://attack.mitre.org/techniques/T1588/003", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1588.004", "technique": "Obtain Capabilities: Digital Certificates", "url": "https://attack.mitre.org/techniques/T1588/004", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1588.005", "technique": "Obtain Capabilities: Exploits", "url": "https://attack.mitre.org/techniques/T1588/005", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1588.006", "technique": "Obtain Capabilities: Vulnerabilities", "url": "https://attack.mitre.org/techniques/T1588/006", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1589", "technique": "Gather Victim Identity Information", "url": "https://attack.mitre.org/techniques/T1589", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1589.001", "technique": "Gather Victim Identity Information: Credentials", "url": "https://attack.mitre.org/techniques/T1589/001", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1589.002", "technique": "Gather Victim Identity Information: Email Addresses", "url": "https://attack.mitre.org/techniques/T1589/002", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1589.003", "technique": "Gather Victim Identity Information: Employee Names", "url": "https://attack.mitre.org/techniques/T1589/003", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1590", "technique": "Gather Victim Network Information", "url": "https://attack.mitre.org/techniques/T1590", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1590.001", "technique": "Gather Victim Network Information: Domain Properties", "url": "https://attack.mitre.org/techniques/T1590/001", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1590.002", "technique": "Gather Victim Network Information: DNS", "url": "https://attack.mitre.org/techniques/T1590/002", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1590.003", "technique": "Gather Victim Network Information: Network Trust Dependencies", "url": "https://attack.mitre.org/techniques/T1590/003", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1590.004", "technique": "Gather Victim Network Information: Network Topology", "url": "https://attack.mitre.org/techniques/T1590/004", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1590.005", "technique": "Gather Victim Network Information: IP Addresses", "url": "https://attack.mitre.org/techniques/T1590/005", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1590.006", "technique": "Gather Victim Network Information: Network Security Appliances", "url": "https://attack.mitre.org/techniques/T1590/006", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1591", "technique": "Gather Victim Org Information", "url": "https://attack.mitre.org/techniques/T1591", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1591.001", "technique": "Gather Victim Org Information: Determine Physical Locations", "url": "https://attack.mitre.org/techniques/T1591/001", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1591.002", "technique": "Gather Victim Org Information: Business Relationships", "url": "https://attack.mitre.org/techniques/T1591/002", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1591.003", "technique": "Gather Victim Org Information: Identify Business Tempo", "url": "https://attack.mitre.org/techniques/T1591/003", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1591.004", "technique": "Gather Victim Org Information: Identify Roles", "url": "https://attack.mitre.org/techniques/T1591/004", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1592", "technique": "Gather Victim Host Information", "url": "https://attack.mitre.org/techniques/T1592", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1592.001", "technique": "Gather Victim Host Information: Hardware", "url": "https://attack.mitre.org/techniques/T1592/001", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1592.002", "technique": "Gather Victim Host Information: Software", "url": "https://attack.mitre.org/techniques/T1592/002", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1592.003", "technique": "Gather Victim Host Information: Firmware", "url": "https://attack.mitre.org/techniques/T1592/003", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1592.004", "technique": "Gather Victim Host Information: Client Configurations", "url": "https://attack.mitre.org/techniques/T1592/004", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1593", "technique": "Search Open Websites/Domains", "url": "https://attack.mitre.org/techniques/T1593", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1593.001", "technique": "Search Open Websites/Domains: Social Media", "url": "https://attack.mitre.org/techniques/T1593/001", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1593.002", "technique": "Search Open Websites/Domains: Search Engines", "url": "https://attack.mitre.org/techniques/T1593/002", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1594", "technique": "Search Victim-Owned Websites", "url": "https://attack.mitre.org/techniques/T1594", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1595", "technique": "Active Scanning", "url": "https://attack.mitre.org/techniques/T1595", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1595.001", "technique": "Active Scanning: Scanning IP Blocks", "url": "https://attack.mitre.org/techniques/T1595/001", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1595.002", "technique": "Active Scanning: Vulnerability Scanning", "url": "https://attack.mitre.org/techniques/T1595/002", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1596", "technique": "Search Open Technical Databases", "url": "https://attack.mitre.org/techniques/T1596", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1596.001", "technique": "Search Open Technical Databases: DNS/Passive DNS", "url": "https://attack.mitre.org/techniques/T1596/001", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1596.002", "technique": "Search Open Technical Databases: WHOIS", "url": "https://attack.mitre.org/techniques/T1596/002", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1596.003", "technique": "Search Open Technical Databases: Digital Certificates", "url": "https://attack.mitre.org/techniques/T1596/003", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1596.004", "technique": "Search Open Technical Databases: CDNs", "url": "https://attack.mitre.org/techniques/T1596/004", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1596.005", "technique": "Search Open Technical Databases: Scan Databases", "url": "https://attack.mitre.org/techniques/T1596/005", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1597", "technique": "Search Closed Sources", "url": "https://attack.mitre.org/techniques/T1597", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1597.001", "technique": "Search Closed Sources: Threat Intel Vendors", "url": "https://attack.mitre.org/techniques/T1597/001", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1597.002", "technique": "Search Closed Sources: Purchase Technical Data", "url": "https://attack.mitre.org/techniques/T1597/002", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1598", "technique": "Phishing for Information", "url": "https://attack.mitre.org/techniques/T1598", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1598.001", "technique": "Phishing for Information: Spearphishing Service", "url": "https://attack.mitre.org/techniques/T1598/001", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1598.002", "technique": "Phishing for Information: Spearphishing Attachment", "url": "https://attack.mitre.org/techniques/T1598/002", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1598.003", "technique": "Phishing for Information: Spearphishing Link", "url": "https://attack.mitre.org/techniques/T1598/003", "tactic": [ "Reconnaissance" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1599", "technique": "Network Boundary Bridging", "url": "https://attack.mitre.org/techniques/T1599", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1599.001", "technique": "Network Boundary Bridging: Network Address Translation Traversal", "url": "https://attack.mitre.org/techniques/T1599/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1600", "technique": "Weaken Encryption", "url": "https://attack.mitre.org/techniques/T1600", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1600.001", "technique": "Weaken Encryption: Reduce Key Space", "url": "https://attack.mitre.org/techniques/T1600/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1600.002", "technique": "Weaken Encryption: Disable Crypto Hardware", "url": "https://attack.mitre.org/techniques/T1600/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1601", "technique": "Modify System Image", "url": "https://attack.mitre.org/techniques/T1601", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1601.001", "technique": "Modify System Image: Patch System Image", "url": "https://attack.mitre.org/techniques/T1601/001", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1601.002", "technique": "Modify System Image: Downgrade System Image", "url": "https://attack.mitre.org/techniques/T1601/002", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1602", "technique": "Data from Configuration Repository", "url": "https://attack.mitre.org/techniques/T1602", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1602.001", "technique": "Data from Configuration Repository: SNMP (MIB Dump)", "url": "https://attack.mitre.org/techniques/T1602/001", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1602.002", "technique": "Data from Configuration Repository: Network Device Configuration Dump", "url": "https://attack.mitre.org/techniques/T1602/002", "tactic": [ "Collection" ], "domain": [ "Enterprise" ], "platform": [ "Network" ] }, { "technique_id": "T1603", "technique": "Scheduled Task/Job", "url": "https://attack.mitre.org/techniques/T1603", "tactic": [ "Execution", "Persistence" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1604", "technique": "Proxy Through Victim", "url": "https://attack.mitre.org/techniques/T1604", "tactic": [ "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1605", "technique": "Command-Line Interface", "url": "https://attack.mitre.org/techniques/T1605", "tactic": [ "Execution" ], "domain": [ "Mobile" ], "platform": [ "Android", "iOS" ] }, { "technique_id": "T1606", "technique": "Forge Web Credentials", "url": "https://attack.mitre.org/techniques/T1606", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "SaaS", "Windows", "macOS", "Linux", "Azure AD", "Office 365", "Google Workspace", "IaaS" ] }, { "technique_id": "T1606.001", "technique": "Forge Web Credentials: Web Cookies", "url": "https://attack.mitre.org/techniques/T1606/001", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Linux", "macOS", "Windows", "SaaS", "IaaS" ] }, { "technique_id": "T1606.002", "technique": "Forge Web Credentials: SAML Tokens", "url": "https://attack.mitre.org/techniques/T1606/002", "tactic": [ "Credential Access" ], "domain": [ "Enterprise" ], "platform": [ "Azure AD", "SaaS", "Windows", "Office 365", "Google Workspace", "IaaS" ] }, { "technique_id": "T1608", "technique": "Stage Capabilities", "url": "https://attack.mitre.org/techniques/T1608", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1608.001", "technique": "Stage Capabilities: Upload Malware", "url": "https://attack.mitre.org/techniques/T1608/001", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1608.002", "technique": "Stage Capabilities: Upload Tool", "url": "https://attack.mitre.org/techniques/T1608/002", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1608.003", "technique": "Stage Capabilities: Install Digital Certificate", "url": "https://attack.mitre.org/techniques/T1608/003", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1608.004", "technique": "Stage Capabilities: Drive-by Target", "url": "https://attack.mitre.org/techniques/T1608/004", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1608.005", "technique": "Stage Capabilities: Link Target", "url": "https://attack.mitre.org/techniques/T1608/005", "tactic": [ "Resource Development" ], "domain": [ "Enterprise" ], "platform": [ "PRE" ] }, { "technique_id": "T1609", "technique": "Container Administration Command", "url": "https://attack.mitre.org/techniques/T1609", "tactic": [ "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Containers" ] }, { "technique_id": "T1610", "technique": "Deploy Container", "url": "https://attack.mitre.org/techniques/T1610", "tactic": [ "Defense Evasion", "Execution" ], "domain": [ "Enterprise" ], "platform": [ "Containers" ] }, { "technique_id": "T1611", "technique": "Escape to Host", "url": "https://attack.mitre.org/techniques/T1611", "tactic": [ "Privilege Escalation" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "Containers" ] }, { "technique_id": "T1612", "technique": "Build Image on Host", "url": "https://attack.mitre.org/techniques/T1612", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "Containers" ] }, { "technique_id": "T1613", "technique": "Container and Resource Discovery", "url": "https://attack.mitre.org/techniques/T1613", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Containers" ] }, { "technique_id": "T1614", "technique": "System Location Discovery", "url": "https://attack.mitre.org/techniques/T1614", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS", "IaaS" ] }, { "technique_id": "T1614.001", "technique": "System Location Discovery: System Language Discovery", "url": "https://attack.mitre.org/techniques/T1614/001", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows", "Linux", "macOS" ] }, { "technique_id": "T1615", "technique": "Group Policy Discovery", "url": "https://attack.mitre.org/techniques/T1615", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "Windows" ] }, { "technique_id": "T1616", "technique": "Call Control", "url": "https://attack.mitre.org/techniques/T1616", "tactic": [ "Collection", "Impact", "Command and Control" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1617", "technique": "Hooking", "url": "https://attack.mitre.org/techniques/T1617", "tactic": [ "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1618", "technique": "User Evasion", "url": "https://attack.mitre.org/techniques/T1618", "tactic": [ "Defense Evasion" ], "domain": [ "Mobile" ], "platform": [ "Android" ] }, { "technique_id": "T1619", "technique": "Cloud Storage Object Discovery", "url": "https://attack.mitre.org/techniques/T1619", "tactic": [ "Discovery" ], "domain": [ "Enterprise" ], "platform": [ "IaaS" ] }, { "technique_id": "T1620", "technique": "Reflective Code Loading", "url": "https://attack.mitre.org/techniques/T1620", "tactic": [ "Defense Evasion" ], "domain": [ "Enterprise" ], "platform": [ "macOS", "Linux", "Windows" ] } ]