blue-team-tools/tools/config/fortisiem/MITRE-Attack-matrix.csv at e91fc4486e57fc40e30d12253694de4c80a9e4ea

Files

T

Mei Liu 96196454cf -O:

attackMapFile: It's used to set subFunction in XML rule. It's a map of subFunction and tags.attack in YML file.
ruleIndex: It's used to set rule id in XML rule. The format of rule id is PH_Rule_{ruleType}_SIGMA_{ruleIndex}
ruleType: It's used to set rule id in XML rule.

1. Generate rule for one YML file
    a. tools/sigmac -t fortisiem -c fortisiem-windows rules/windows/network_connection/win_net_python.yml
    b. tools/sigmac -t fortisiem -c fortisiem-windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows rules/windows/network_connection/win_net_python.yml
   Output:
      <Rule group="PH_SYS_RULE_THREAT_HUNTING" id="PH_Rule_Windows_SIGMA_0"  phIncidentCategory="Server" function="Security" subFunction="Discovery" technique="T1046">
         <Name>Python Initiated Connection </Name>
         <IncidentTitle>Python Initiated Connection</IncidentTitle>
         <active>true</active>
         <Description> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation </Description>
         <SigmaFileName> rules/windows/network_connection/win_net_python.yml </SigmaFileName>
         <CustomerScope groupByEachCustomer="true">
            <Include all="true"/>
           <Exclude/>
         </CustomerScope>
         <IncidentDef eventType="PH_RULE_Python_Initiated_Connection" severity="7">
           <ArgList> compEventType = Filter.eventType,hostName = Filter.hostName,isInitialed = Filter.isInitialed,procName = Filter.procName </ArgList>
         </IncidentDef>
         <PatternClause window="300">
           <SubPattern displayName="Filter" name="Filter">
               <SingleEvtConstr> eventType REGEXP ( "Win-Sysmon-3-Network-Connect.*" ) AND isInitialed="true" AND procName REGEXP ( ".*python.*" ) </SingleEvtConstr>
               <GroupByAttr> eventType,hostName,isInitialed,procName </GroupByAttr>
               <GroupEvtConstr> COUNT(*) &gt;= 1 </GroupEvtConstr>
           </SubPattern>
         </PatternClause>
         <TriggerEventDisplay>
           <AttrList> phRecvTime,hostName,isInitialed,procName,rawEventMsg </AttrList>
         </TriggerEventDisplay>
       </Rule>

2. Generate rules for YML files under rules/windows
   a. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -o rule.xml
   b. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows -o rule.xml
   Generate rules for YML files under rules/windows

3. Find files that is modified after some date.
  a. tools/sigmac --lists-files-after-date 2020/06/04 rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
  b. tools/sigmac --lists-files-after-date 2020/06/04 -r rules/windows/
  Output:
     rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml, Updated
     rules/windows/wmi_event/TestFile.yml, No date

2022-03-08 09:36:22 -08:00

257 KiB

Raw Blame History

1	Technique ID	Technique Name	Tactics	Technique Description	Platform	Link	Changed
2	T1001.001	Data Obfuscation: Junk Data	Command And Control	Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1001/001	No
3	T1001.002	Data Obfuscation: Steganography	Command And Control	Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1001/002	No
4	T1001.003	Data Obfuscation: Protocol Impersonation	Command And Control	Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1001/003	No
5	T1003.001	OS Credential Dumping: LSASS Memory	Credential Access	Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).	Windows	https://attack.mitre.org/techniques/T1003/001	No
6	T1003.002	OS Credential Dumping: Security Account Manager	Credential Access	Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.	Windows	https://attack.mitre.org/techniques/T1003/002	No
7	T1003.003	OS Credential Dumping: NTDS	Credential Access	Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.	Windows	https://attack.mitre.org/techniques/T1003/003	No
8	T1003.004	OS Credential Dumping: LSA Secrets	Credential Access	Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts	Windows	https://attack.mitre.org/techniques/T1003/004	No
9	T1003.005	OS Credential Dumping: Cached Domain Credentials	Credential Access	Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.	Windows	https://attack.mitre.org/techniques/T1003/005	No
10	T1003.006	OS Credential Dumping: DCSync	Credential Access	Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface to simulate the replication process from a remote domain controller using a technique called DCSync.	Windows	https://attack.mitre.org/techniques/T1003/006	No
11	T1003.007	OS Credential Dumping: Proc Filesystem	Credential Access	Adversaries may gather credentials from information stored in the Proc filesystem. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system.	Linux	https://attack.mitre.org/techniques/T1003/007	No
12	T1003.008	OS Credential Dumping: /etc/passwd and /etc/shadow	Credential Access	Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.	Linux	https://attack.mitre.org/techniques/T1003/008	No
13	T1005	Data from Local System	Collection	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1005	No
14	T1006	Direct Volume Access	Defense Evasion	Adversaries may directly access a volume to bypass file access controls and file system monitoring.	Windows	https://attack.mitre.org/techniques/T1006	No
15	T1007	System Service Discovery	Discovery	Adversaries may try to get information about registered services.	Windows	https://attack.mitre.org/techniques/T1007	No
16	T1008	Fallback Channels	Command And Control	Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1008	No
17	T1010	Application Window Discovery	Discovery	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.	Windows,macOS	https://attack.mitre.org/techniques/T1010	No
18	T1011.001	Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth	Exfiltration	Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1011/001	No
19	T1012	Query Registry	Discovery	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.	Windows	https://attack.mitre.org/techniques/T1012	No
20	T1014	Rootkit	Defense Evasion	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1014	No
21	T1016.001	System Network Configuration Discovery: Internet Connection Discovery	Discovery	Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1016/001	Yes
22	T1018	Remote System Discovery	Discovery	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping, net view, bonjour etc.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1018	No
23	T1020.001	Automated Exfiltration: Traffic Duplication	Exfiltration	Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture or Man-in-the-Middle to achieve their objective.	Network	https://attack.mitre.org/techniques/T1020/001	No
24	T1021.001	Remote Services: Remote Desktop Protocol	Lateral Movement	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Adversaries may connect to a remote system over RDP to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.	Windows	https://attack.mitre.org/techniques/T1021/001	No
25	T1021.002	Remote Services: SMB/Windows Admin Shares	Lateral Movement	Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.	Windows	https://attack.mitre.org/techniques/T1021/002	No
26	T1021.003	Remote Services: Distributed Component Object Model	Lateral Movement	Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications as well as other Windows objects that contain insecure methods. DCOM can also execute macros in existing documents and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application, bypassing the need for a malicious document.	Windows	https://attack.mitre.org/techniques/T1021/003	No
27	T1021.004	Remote Services: SSH	Lateral Movement	Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.	Linux,macOS	https://attack.mitre.org/techniques/T1021/004	No
28	T1021.005	Remote Services: VNC	Lateral Movement	Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). The adversary may then perform actions as the logged-on user.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1021/005	No
29	T1021.006	Remote Services: Windows Remote Management	Lateral Movement	Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.	Windows	https://attack.mitre.org/techniques/T1021/006	No
30	T1025	Data from Removable Media	Collection	Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1025	No
31	T1027.001	Obfuscated Files or Information: Binary Padding	Defense Evasion	Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1027/001	No
32	T1027.002	Obfuscated Files or Information: Software Packing	Defense Evasion	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable.?adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.	Windows,macOS	https://attack.mitre.org/techniques/T1027/002	No
33	T1027.003	Obfuscated Files or Information: Steganography	Defense Evasion	Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1027/003	No
34	T1027.004	Obfuscated Files or Information: Compile After Delivery	Defense Evasion	Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1027/004	No
35	T1027.005	Obfuscated Files or Information: Indicator Removal from Tools	Defense Evasion	Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1027/005	No
36	T1029	Scheduled Transfer	Exfiltration	Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1029	No
37	T1030	Data Transfer Size Limits	Exfiltration	An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1030	No
38	T1033	System Owner/User Discovery	Discovery	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping].	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1033	No
39	T1036.001	Masquerading: Invalid Code Signature	Defense Evasion	Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.	Windows,macOS	https://attack.mitre.org/techniques/T1036/001	No
40	T1036.002	Masquerading: Right-to-Left Override	Defense Evasion	Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1036/002	No
41	T1036.003	Masquerading: Rename System Utilities	Defense Evasion	Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1036/003	No
42	T1036.004	Masquerading: Masquerade Task or Service	Defense Evasion	Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.	Linux,Windows	https://attack.mitre.org/techniques/T1036/004	No
43	T1036.005	Masquerading: Match Legitimate Name or Location	Defense Evasion	Adversaries may match or approximate the name or location of legitimate files when naming/placing their files. This is done for the sake of evading defenses and observation.	Containers,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1036/005	Yes
44	T1036.006	Masquerading: Space after Filename	Defense Evasion	Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.	Linux,macOS	https://attack.mitre.org/techniques/T1036/006	No
45	T1037.001	Boot or Logon Initialization Scripts: Logon Script (Windows)	Persistence,Privilege Escalation	Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.	Windows	https://attack.mitre.org/techniques/T1037/001	No
46	T1037.002	Boot or Logon Initialization Scripts: Logon Script (Mac)	Persistence,Privilege Escalation	Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike Startup Items, a login hook executes as the elevated root user.	macOS	https://attack.mitre.org/techniques/T1037/002	No
47	T1037.003	Boot or Logon Initialization Scripts: Network Logon Script	Persistence,Privilege Escalation	Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.	Windows	https://attack.mitre.org/techniques/T1037/003	No
48	T1037.004	Boot or Logon Initialization Scripts: RC Scripts	Persistence,Privilege Escalation	Adversaries may use rc.common automatically executed at boot initialization to establish persistence.	Linux,macOS	https://attack.mitre.org/techniques/T1037/004	Yes
49	T1037.005	Boot or Logon Initialization Scripts: Startup Items	Persistence,Privilege Escalation	Adversaries may use startup items automatically executed at boot initialization to establish persistence.	macOS	https://attack.mitre.org/techniques/T1037/005	No
50	T1039	Data from Network Shared Drive	Collection	Adversaries may search network shares on computers they have compromised to find files of interest.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1039	No
51	T1040	Network Sniffing	Credential Access,Discovery	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics necessary for subsequent Lateral Movement and/or Defense Evasion activities.	Linux,Network,Windows,macOS	https://attack.mitre.org/techniques/T1040	Yes
52	T1041	Exfiltration Over C2 Channel	Exfiltration	Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1041	No
53	T1046	Network Service Scanning	Discovery	Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.	Containers,IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1046	Yes
54	T1047	Windows Management Instrumentation	Execution	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.	Windows	https://attack.mitre.org/techniques/T1047	No
55	T1048.001	Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Exfiltration	Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1048/001	No
56	T1048.002	Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Exfiltration	Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1048/002	No
57	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1048/003	No
58	T1049	System Network Connections Discovery	Discovery	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, net use, net session, netstat, lsof, who -a and w.	IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1049	Yes
59	T1052.001	Exfiltration Over Physical Medium: Exfiltration over USB	Exfiltration	Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1052/001	No
60	T1053.001	Scheduled Task/Job: At (Linux)	Execution,Persistence,Privilege Escalation	Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. This command within Linux operating systems enables administrators to schedule tasks. An adversary may be able to execute programs at system startup or on a scheduled basis for persistence.	Linux	https://attack.mitre.org/techniques/T1053/001	No
61	T1053.002	Scheduled Task/Job: At (Windows)	Execution,Persistence,Privilege Escalation	Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.	Windows	https://attack.mitre.org/techniques/T1053/002	No
62	T1053.003	Scheduled Task/Job: Cron	Execution,Persistence,Privilege Escalation	Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence.	Linux,macOS	https://attack.mitre.org/techniques/T1053/003	No
63	T1053.004	Scheduled Task/Job: Launchd	Execution,Persistence,Privilege Escalation	Adversaries may abuse the Launchd daemon, native to macOS, to perform task scheduling for initial or recurring execution of malicious code. An adversary may be able to schedule new executables to run at system startup or on a scheduled basis for persistence.	macOS	https://attack.mitre.org/techniques/T1053/004	No
64	T1053.005	Scheduled Task/Job: Scheduled Task	Execution,Persistence,Privilege Escalation	Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).	Windows	https://attack.mitre.org/techniques/T1053/005	No
65	T1053.006	Scheduled Task/Job: Systemd Timers	Execution,Persistence,Privilege Escalation	Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence. Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.	Linux	https://attack.mitre.org/techniques/T1053/006	No
66	T1053.007	Scheduled Task/Job: Container Orchestration Job	Execution,Persistence,Privilege Escalation	Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.	Containers	https://attack.mitre.org/techniques/T1053/007	Yes
67	T1055.001	Process Injection: Dynamic-link Library Injection	Defense Evasion,Privilege Escalation	Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.	Windows	https://attack.mitre.org/techniques/T1055/001	No
68	T1055.002	Process Injection: Portable Executable Injection	Defense Evasion,Privilege Escalation	Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.	Windows	https://attack.mitre.org/techniques/T1055/002	No
69	T1055.003	Process Injection: Thread Execution Hijacking	Defense Evasion,Privilege Escalation	Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.	Windows	https://attack.mitre.org/techniques/T1055/003	No
70	T1055.004	Process Injection: Asynchronous Procedure Call	Defense Evasion,Privilege Escalation	Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.	Windows	https://attack.mitre.org/techniques/T1055/004	No
71	T1055.005	Process Injection: Thread Local Storage	Defense Evasion,Privilege Escalation	Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.	Windows	https://attack.mitre.org/techniques/T1055/005	No
72	T1055.008	Process Injection: Ptrace System Calls	Defense Evasion,Privilege Escalation	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.	Linux	https://attack.mitre.org/techniques/T1055/008	No
73	T1055.009	Process Injection: Proc Memory	Defense Evasion,Privilege Escalation	Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.	Linux	https://attack.mitre.org/techniques/T1055/009	No
74	T1055.011	Process Injection: Extra Window Memory Injection	Defense Evasion,Privilege Escalation	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.	Windows	https://attack.mitre.org/techniques/T1055/011	No
75	T1055.012	Process Injection: Process Hollowing	Defense Evasion,Privilege Escalation	Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.	Windows	https://attack.mitre.org/techniques/T1055/012	No
76	T1055.013	Process Injection: Process Doppelgänging	Defense Evasion,Privilege Escalation	Adversaries may inject malicious code into process via process Doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process Doppelganging is a method of executing arbitrary code in the address space of a separate live process.	Windows	https://attack.mitre.org/techniques/T1055/013	No
77	T1055.014	Process Injection: VDSO Hijacking	Defense Evasion,Privilege Escalation	Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.	Linux	https://attack.mitre.org/techniques/T1055/014	No
78	T1056.001	Input Capture: Keylogging	Collection,Credential Access	Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.	Linux,Network,Windows,macOS	https://attack.mitre.org/techniques/T1056/001	No
79	T1056.002	Input Capture: GUI Input Capture	Collection,Credential Access	Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.	Windows,macOS	https://attack.mitre.org/techniques/T1056/002	No
80	T1056.003	Input Capture: Web Portal Capture	Collection,Credential Access	Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1056/003	No
81	T1056.004	Input Capture: Credential API Hooking	Collection,Credential Access	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.	Windows	https://attack.mitre.org/techniques/T1056/004	No
82	T1057	Process Discovery	Discovery	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1057	No
83	T1059.001	Command and Scripting Interpreter: PowerShell	Execution	Adversaries may abuse PowerShell commands and scripts for execution. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.	Windows	https://attack.mitre.org/techniques/T1059/001	No
84	T1059.002	Command and Scripting Interpreter: AppleScript	Execution	Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Adversaries can use osascrip to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes.	macOS	https://attack.mitre.org/techniques/T1059/002	No
85	T1059.003	Command and Scripting Interpreter: Windows Command Shell	Execution	Adversaries may abuse the Windows command shell for execution. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Adversaries may leverage cmd.exe to execute various commands and payloads.	Windows	https://attack.mitre.org/techniques/T1059/003	No
86	T1059.004	Command and Scripting Interpreter: Unix Shell	Execution	Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.	Linux,macOS	https://attack.mitre.org/techniques/T1059/004	No
87	T1059.005	Command and Scripting Interpreter: Visual Basic	Execution	Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies. Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachments.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1059/005	No
88	T1059.006	Command and Scripting Interpreter: Python	Execution	Adversaries may abuse Python commands and scripts for execution. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1059/006	No
89	T1059.007	Command and Scripting Interpreter: JavaScript	Execution	Adversaries may abuse JavaScript and/or JScript for execution. JavaScript (JS) is a platform-agnostic scripting language commonly associated with scripts in webpages. Adversaries may abuse JavaScript / JScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1059/007	Yes
90	T1059.008	Command and Scripting Interpreter: Network Device CLI	Execution	Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.	Network	https://attack.mitre.org/techniques/T1059/008	No
91	T1068	Exploitation for Privilege Escalation	Privilege Escalation	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. An adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. They will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.	Containers,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1068	Yes
92	T1069.001	Permission Groups Discovery: Local Groups	Discovery	Adversaries may attempt to find local system groups and permission settings via tools such as net localgroup, dscl . -list /Groups, groups. This knowledge can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1069/001	No
93	T1069.002	Permission Groups Discovery: Domain Groups	Discovery	Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1069/002	No
94	T1069.003	Permission Groups Discovery: Cloud Groups	Discovery	Adversaries may attempt to find cloud groups and permission settings via toools such as Get-MsolRole, az ad user get-member-groups etc. This knowledge can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.	Azure AD,Google Workspace,IaaS,Office 365,SaaS	https://attack.mitre.org/techniques/T1069/003	Yes
95	T1070.001	Indicator Removal on Host: Clear Windows Event Logs	Defense Evasion	Adversaries may clear Windows Event Logs to hide the activity of an intrusion. These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell	Windows	https://attack.mitre.org/techniques/T1070/001	No
96	T1070.002	Indicator Removal on Host: Clear Linux or Mac System Logs	Defense Evasion	Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs.	Linux,macOS	https://attack.mitre.org/techniques/T1070/002	No
97	T1070.003	Indicator Removal on Host: Clear Command History	Defense Evasion	An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1070/003	No
98	T1070.004	Indicator Removal on Host: File Deletion	Defense Evasion	Adversaries may delete files left behind by the actions of their intrusion activity to minimize the adversary's footprint. Tools such as cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools can be used.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1070/004	No
99	T1070.005	Indicator Removal on Host: Network Share Connection Removal	Defense Evasion	Adversaries may remove shared connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and[Windows Admin Shares connections can be removed when no longer needed.	Windows	https://attack.mitre.org/techniques/T1070/005	No
100	T1070.006	Indicator Removal on Host: Timestomp	Defense Evasion	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1070/006	No
101	T1071.001	Application Layer Protocol: Web Protocols	Command And Control	Adversaries may communicate by concealing their data inside application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1071/001	No
102	T1071.002	Application Layer Protocol: File Transfer Protocols	Command And Control	Adversaries may communicate by concealing their data insideapplication layer protocols such as FTP, FTPS, and TFPT associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1071/002	No
103	T1071.003	Application Layer Protocol: Mail Protocols	Command And Control	Adversaries may communicate by concealing their data inside application layer protocols such as SMTP/S, POP3/S, and IMAP associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1071/003	No
104	T1071.004	Application Layer Protocol: DNS	Command And Control	Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1071/004	No
105	T1072	Software Deployment Tools	Execution,Lateral Movement	Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1072	No
106	T1074.001	Data Staged: Local Data Staging	Collection	Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1074/001	No
107	T1074.002	Data Staged: Remote Data Staging	Collection	Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.	IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1074/002	Yes
108	T1078.001	Valid Accounts: Default Accounts	Defense Evasion,Initial Access,Persistence,Privilege Escalation	Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.	Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1078/001	Yes
109	T1078.002	Valid Accounts: Domain Accounts	Defense Evasion,Initial Access,Persistence,Privilege Escalation	Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1078/002	No
110	T1078.003	Valid Accounts: Local Accounts	Defense Evasion,Initial Access,Persistence,Privilege Escalation	Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping.	Containers,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1078/003	Yes
111	T1078.004	Valid Accounts: Cloud Accounts	Defense Evasion,Initial Access,Persistence,Privilege Escalation	Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases.	Azure AD,Google Workspace,IaaS,Office 365,SaaS	https://attack.mitre.org/techniques/T1078/004	Yes
112	T1080	Taint Shared Content	Lateral Movement	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS	Windows	https://attack.mitre.org/techniques/T1080	No
113	T1082	System Information Discovery	Discovery	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS "systemsetup" command, but it requires administrative privileges. Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.	IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1082	Yes
114	T1083	File and Directory Discovery	Discovery	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use this information during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1083	No
115	T1087.001	Account Discovery: Local Account	Discovery	Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1087/001	No
116	T1087.002	Account Discovery: Domain Account	Discovery	Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1087/002	No
117	T1087.003	Account Discovery: Email Account	Discovery	Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists.	Google Workspace,Office 365,Windows	https://attack.mitre.org/techniques/T1087/003	Yes
118	T1087.004	Account Discovery: Cloud Account	Discovery	Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.	Azure AD,Google Workspace,IaaS,Office 365,SaaS	https://attack.mitre.org/techniques/T1087/004	Yes
119	T1090.001	Proxy: Internal Proxy	Command And Control	Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1090/001	No
120	T1090.002	Proxy: External Proxy	Command And Control	Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion. External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1090/002	No
121	T1090.003	Proxy: Multi-hop Proxy	Command And Control	To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.	Linux,Network,Windows,macOS	https://attack.mitre.org/techniques/T1090/003	No
122	T1090.004	Proxy: Domain Fronting	Command And Control	Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1090/004	No
123	T1091	Replication Through Removable Media	Initial Access,Lateral Movement	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.	Windows	https://attack.mitre.org/techniques/T1091	No
124	T1092	Communication Through Removable Media	Command And Control	Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1092	No
125	T1095	Non-Application Layer Protocol	Command And Control	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive but Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).	Linux,Network,Windows,macOS	https://attack.mitre.org/techniques/T1095	No
126	T1098.001	Account Manipulation: Additional Cloud Credentials	Persistence	Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials to maintain persistent access to victim Azure accounts. Azure Service Principals support both password and certificate credentials. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure powershell.	Azure AD,IaaS	https://attack.mitre.org/techniques/T1098/001	Yes
127	T1098.002	Account Manipulation: Exchange Email Delegate Permissions	Persistence	Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. This may be used in persistent threat incidents as well as Business Email Compromise incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems.	Office 365,Windows	https://attack.mitre.org/techniques/T1098/002	No
128	T1098.003	Account Manipulation: Add Office 365 Global Administrator Role	Persistence	An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role. This account modification may immediately follow or other malicious account activity.	Office 365	https://attack.mitre.org/techniques/T1098/003	No
129	T1098.004	Account Manipulation: SSH Authorized Keys	Persistence	Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys< file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.	Linux,macOS	https://attack.mitre.org/techniques/T1098/004	No
130	T1102.001	Web Service: Dead Drop Resolver	Command And Control	Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1102/001	No
131	T1102.002	Web Service: Bidirectional Communication	Command And Control	Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel such as Google and Twitter. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1102/002	No
132	T1102.003	Web Service: One-Way Communication	Command And Control	Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel such as Google and Twitter. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1102/003	No
133	T1104	Multi-Stage Channels	Command And Control	Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1104	No
134	T1105	Ingress Tool Transfer	Command And Control	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1105	No
135	T1106	Native API	Execution	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Adversaries may abuse these native API functions as a means of executing behaviors.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1106	No
136	T1110.001	Brute Force: Password Guessing	Credential Access	Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.	Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1110/001	Yes
137	T1110.002	Brute Force: Password Cracking	Credential Access	Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.	Azure AD,Linux,Office 365,Windows,macOS	https://attack.mitre.org/techniques/T1110/002	No
138	T1110.003	Brute Force: Password Spraying	Credential Access	Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.	Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1110/003	Yes
139	T1110.004	Brute Force: Credential Stuffing	Credential Access	Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.	Azure AD,Containers,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1110/004	Yes
140	T1111	Two-Factor Authentication Interception	Credential Access	Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1111	No
141	T1112	Modify Registry	Defense Evasion	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.	Windows	https://attack.mitre.org/techniques/T1112	No
142	T1113	Screen Capture	Collection	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1113	No
143	T1114.001	Email Collection: Local Email Collection	Collection	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.	Windows	https://attack.mitre.org/techniques/T1114/001	No
144	T1114.002	Email Collection: Remote Email Collection	Collection	Adversaries may target an Exchange server or Office 365 to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.	Google Workspace,Office 365,Windows	https://attack.mitre.org/techniques/T1114/002	Yes
145	T1114.003	Email Collection: Email Forwarding Rule	Collection	Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more.	Google Workspace,Office 365,Windows	https://attack.mitre.org/techniques/T1114/003	Yes
146	T1115	Clipboard Data	Collection	Adversaries may collect data stored in the clipboard from users copying information within or between applications. In Windows, Applications can access clipboard data by using the Windows API. OSX provides a native command, pbpaste to grab clipboard contents.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1115	No
147	T1119	Automated Collection	Collection	Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1119	No
148	T1120	Peripheral Device Discovery	Discovery	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.	Windows,macOS	https://attack.mitre.org/techniques/T1120	No
149	T1123	Audio Capture	Collection	An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1123	No
150	T1124	System Time Discovery	Discovery	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.	Windows	https://attack.mitre.org/techniques/T1124	No
151	T1125	Video Capture	Collection	An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images.	Windows,macOS	https://attack.mitre.org/techniques/T1125	No
152	T1127.001	Trusted Developer Utilities Proxy Execution: MSBuild	Defense Evasion	Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.	Windows	https://attack.mitre.org/techniques/T1127/001	No
153	T1129	Shared Modules	Execution	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. Adversaries may use this functionality as a way to execute arbitrary code on a victim system.	Windows	https://attack.mitre.org/techniques/T1129	No
154	T1132.001	Data Encoding: Standard Encoding	Command And Control	Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1132/001	No
155	T1132.002	Data Encoding: Non-Standard Encoding	Command And Control	Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1132/002	No
156	T1133	External Remote Services	Initial Access,Persistence	Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.	Containers,Linux,Windows	https://attack.mitre.org/techniques/T1133	Yes
157	T1134.001	Access Token Manipulation: Token Impersonation/Theft	Defense Evasion,Privilege Escalation	Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using "DuplicateToken(Ex)". An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.	Windows	https://attack.mitre.org/techniques/T1134/001	No
158	T1134.002	Access Token Manipulation: Create Process with Token	Defense Evasion,Privilege Escalation	Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with "DuplicateToken(Ex)" and use it with "CreateProcessWithTokenW" to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.	Windows	https://attack.mitre.org/techniques/T1134/002	No
159	T1134.003	Access Token Manipulation: Make and Impersonate Token	Defense Evasion,Privilege Escalation	Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the "LogonUser" function. The function will return a copy of the new session's access token and the adversary can use "SetThreadToken" to assign the token to a thread.	Windows	https://attack.mitre.org/techniques/T1134/003	No
160	T1134.004	Access Token Manipulation: Parent PID Spoofing	Defense Evasion,Privilege Escalation	Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe	Windows	https://attack.mitre.org/techniques/T1134/004	No
161	T1134.005	Access Token Manipulation: SID-History Injection	Defense Evasion,Privilege Escalation	Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).	Windows	https://attack.mitre.org/techniques/T1134/005	No
162	T1135	Network Share Discovery	Discovery	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1135	No
163	T1136.001	Create Account: Local Account	Persistence	Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1136/001	No
164	T1136.002	Create Account: Domain Account	Persistence	Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the ?net user /add /domain? command can be used to create a domain account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1136/002	No
165	T1136.003	Create Account: Cloud Account	Persistence	Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.	Azure AD,Google Workspace,IaaS,Office 365	https://attack.mitre.org/techniques/T1136/003	Yes
166	T1137.001	Office Application Startup: Office Template Macros	Persistence	Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts.	Office 365,Windows	https://attack.mitre.org/techniques/T1137/001	No
167	T1137.002	Office Application Startup: Office Test	Persistence	Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.	Office 365,Windows	https://attack.mitre.org/techniques/T1137/002	No
168	T1137.003	Office Application Startup: Outlook Forms	Persistence	Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form. Once malicious forms have been added to the user's mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.	Office 365,Windows	https://attack.mitre.org/techniques/T1137/003	No
169	T1137.004	Office Application Startup: Outlook Home Page	Persistence	Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.	Office 365,Windows	https://attack.mitre.org/techniques/T1137/004	No
170	T1137.005	Office Application Startup: Outlook Rules	Persistence	Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. Once malicious rules have been added to the user's mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.	Office 365,Windows	https://attack.mitre.org/techniques/T1137/005	No
171	T1137.006	Office Application Startup: Add-ins	Persistence	Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.	Office 365,Windows	https://attack.mitre.org/techniques/T1137/006	No
172	T1140	Deobfuscate/Decode Files or Information	Defense Evasion	Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1140	No
173	T1176	Browser Extensions	Persistence	Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1176	No
174	T1185	Man in the Browser	Collection	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic.	Windows	https://attack.mitre.org/techniques/T1185	No
175	T1187	Forced Authentication	Credential Access	Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system.	Windows	https://attack.mitre.org/techniques/T1187	No
176	T1189	Drive-by Compromise	Initial Access	Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token. The focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Token	Linux,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1189	No
177	T1190	Exploit Public-Facing Application	Initial Access	Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases, standard services, and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion.	Containers,IaaS,Linux,Network,Windows,macOS	https://attack.mitre.org/techniques/T1190	Yes
178	T1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools	Initial Access	Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1195/001	No
179	T1195.002	Supply Chain Compromise: Compromise Software Supply Chain	Initial Access	Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1195/002	No
180	T1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain	Initial Access	Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1195/003	No
181	T1197	BITS Jobs	Defense Evasion,Persistence	Adversaries may abuse Windows Background Intelligent Transfer Service (BITS) jobs to persistently execute or clean up after malicious payloads. BITS is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model. BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background. The interface to create and manage BITS jobs is accessible through PowerShell. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.	Windows	https://attack.mitre.org/techniques/T1197	No
182	T1199	Trusted Relationship	Initial Access	Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.	IaaS,Linux,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1199	Yes
183	T1200	Hardware Additions	Initial Access	Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. Many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping, man-in-the middle encryption breaking, keystroke injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1200	No
184	T1201	Password Policy Discovery	Discovery	Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1201	No
185	T1202	Indirect Command Execution	Defense Evasion	Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.	Windows	https://attack.mitre.org/techniques/T1202	No
186	T1203	Exploitation for Client Execution	Execution	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Several types exist: Browser-based Exploitation, Office Applications and Common Third-party Applications.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1203	No
187	T1204.001	User Execution: Malicious Link	Execution	An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1204/001	No
188	T1204.002	User Execution: Malicious File	Execution	An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1204/002	No
189	T1204.003	User Execution: Malicious Image	Execution	Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)	Containers,IaaS	https://attack.mitre.org/techniques/T1204/003	Yes
190	T1205.001	Traffic Signaling: Port Knocking	Command And Control,Defense Evasion,Persistence	Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.	Linux,Network,Windows,macOS	https://attack.mitre.org/techniques/T1205/001	No
191	T1207	Rogue Domain Controller	Defense Evasion	Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.	Windows	https://attack.mitre.org/techniques/T1207	No
192	T1210	Exploitation of Remote Services	Lateral Movement	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1210	No
193	T1211	Exploitation for Defense Evasion	Defense Evasion	Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.??Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1211	No
194	T1212	Exploitation for Credential Access	Credential Access	Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1212	No
195	T1213.001	Data from Information Repositories: Confluence	Collection	Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as: Policies, procedures, and standards; Physical / logical network diagrams; System architecture diagrams; Source code snippets; Links to network shares and other internal resources etc.	SaaS	https://attack.mitre.org/techniques/T1213/001	No
196	T1213.002	Data from Information Repositories: Sharepoint	Collection	Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint: such as: Policies, procedures, and standards, Physical / logical network diagrams, System architecture diagrams, Technical system documentation, Testing / development credentials, Work / project schedules, Source code snippet and Links to network shares and other internal resources.	Office 365,Windows	https://attack.mitre.org/techniques/T1213/002	No
197	T1216.001	Signed Script Proxy Execution: PubPrn	Defense Evasion	Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems	Windows	https://attack.mitre.org/techniques/T1216/001	No
198	T1217	Browser Bookmark Discovery	Discovery	Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1217	No
199	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	Defense Evasion	Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution.	Windows	https://attack.mitre.org/techniques/T1218/001	No
200	T1218.002	Signed Binary Proxy Execution: Control Panel	Defense Evasion	Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Malicious Control Panel items can be delivered via Phishing campaigns or executed as part of multi-stage malware. Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.	Windows	https://attack.mitre.org/techniques/T1218/002	No
201	T1218.003	Signed Binary Proxy Execution: CMSTP	Defense Evasion	Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.	Windows	https://attack.mitre.org/techniques/T1218/003	No
202	T1218.004	Signed Binary Proxy Execution: InstallUtil	Defense Evasion	Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute "System.ComponentModel.RunInstaller(true)"	Windows	https://attack.mitre.org/techniques/T1218/004	No
203	T1218.005	Signed Binary Proxy Execution: Mshta	Defense Evasion	Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.	Windows	https://attack.mitre.org/techniques/T1218/005	No
204	T1218.007	Signed Binary Proxy Execution: Msiexec	Defense Evasion	Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.[	Windows	https://attack.mitre.org/techniques/T1218/007	No
205	T1218.008	Signed Binary Proxy Execution: Odbcconf	Defense Evasion	Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse.	Windows	https://attack.mitre.org/techniques/T1218/008	No
206	T1218.009	Signed Binary Proxy Execution: Regsvcs/Regasm	Defense Evasion	Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)	Windows	https://attack.mitre.org/techniques/T1218/009	No
207	T1218.010	Signed Binary Proxy Execution: Regsvr32	Defense Evasion	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions.	Windows	https://attack.mitre.org/techniques/T1218/010	No
208	T1218.011	Signed Binary Proxy Execution: Rundll32	Defense Evasion	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Rundll32.exe is commonly associated with executing DLL payloads. However, Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions.	Windows	https://attack.mitre.org/techniques/T1218/011	No
209	T1218.012	Signed Binary Proxy Execution: Verclsid	Defense Evasion	Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe). Adversaries may abuse verclsid.exe to execute malicious payloads.	Windows	https://attack.mitre.org/techniques/T1218/012	No
210	T1219	Remote Access Software	Command And Control	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1219	No
211	T1220	XSL Script Processing	Defense Evasion	Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control.	Windows	https://attack.mitre.org/techniques/T1220	No
212	T1221	Template Injection	Defense Evasion	Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. This technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.	Windows	https://attack.mitre.org/techniques/T1221	No
213	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	Defense Evasion	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.	Windows	https://attack.mitre.org/techniques/T1222/001	No
214	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	Defense Evasion	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. Adversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via .bash_profile and .bashrc or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.	Linux,macOS	https://attack.mitre.org/techniques/T1222/002	No
215	T1480.001	Execution Guardrails: Environmental Keying	Defense Evasion	Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution. Environmental keying can also be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1480/001	No
216	T1482	Domain Trust Discovery	Discovery	Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.	Windows	https://attack.mitre.org/techniques/T1482	No
217	T1484.001	Domain Policy Modification: Group Policy Modification	Defense Evasion,Privilege Escalation	Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path <code>\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\</code>.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)	Windows	https://attack.mitre.org/techniques/T1484/001	Yes
218	T1484.002	Domain Policy Modification: Domain Trust Modification	Defense Evasion,Privilege Escalation	Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.	Azure AD,Windows	https://attack.mitre.org/techniques/T1484/002	Yes
219	T1485	Data Destruction	Impact	Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.	IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1485	Yes
220	T1486	Data Encrypted for Impact	Impact	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.	IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1486	Yes
221	T1489	Service Stop	Impact	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1489	No
222	T1490	Inhibit System Recovery	Impact	Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete these system recovery features.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1490	No
223	T1491.001	Defacement: Internal Defacement	Impact	An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1491/001	No
224	T1491.002	Defacement: External Defacement	Impact	An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. Website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.	IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1491/002	Yes
225	T1495	Firmware Corruption	Impact	Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1495	No
226	T1496	Resource Hijacking	Impact	Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.	Containers,IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1496	Yes
227	T1497.001	Virtualization/Sandbox Evasion: System Checks	Defense Evasion,Discovery	Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1497/001	No
228	T1497.002	Virtualization/Sandbox Evasion: User Activity Based Checks	Defense Evasion,Discovery	Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1497/002	No
229	T1497.003	Virtualization/Sandbox Evasion: Time Based Evasion	Defense Evasion,Discovery	Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Asymmetric encryption algorithms ( also known as public-key cryptography) are those that use different keys on each end of the channel.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1497/003	No
230	T1498.001	Network Denial of Service: Direct Network Flood	Impact	Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well. Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult.	Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1498/001	Yes
231	T1498.002	Network Denial of Service: Reflection Amplification	Impact	Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target. Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers.	Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1498/002	Yes
232	T1499.001	Endpoint Denial of Service: OS Exhaustion Flood	Impact	Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1499/001	No
233	T1499.002	Endpoint Denial of Service: Service Exhaustion Flood	Impact	Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well. One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. Another variation, known as a SSL renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.	Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1499/002	Yes
234	T1499.003	Endpoint Denial of Service: Application Exhaustion Flood	Impact	Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.	Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1499/003	Yes
235	T1499.004	Endpoint Denial of Service: Application or System Exploitation	Impact	Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.	Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1499/004	Yes
236	T1505.001	Server Software Component: SQL Stored Procedures	Persistence	Adversaries may abuse SQL stored procedures to establish persistent access to systems. Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers. Adversaries may craft or modify common language runtime (CLR) assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.	Linux,Windows	https://attack.mitre.org/techniques/T1505/001	No
237	T1505.002	Server Software Component: Transport Agent	Persistence	Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server. The malicious transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.	Linux,Windows	https://attack.mitre.org/techniques/T1505/002	No
238	T1505.003	Server Software Component: Web Shell	Persistence	Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1505/003	No
239	T1518.001	Software Discovery: Security Software Discovery	Discovery	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.	Azure AD,Google Workspace,IaaS,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1518/001	Yes
240	T1525	Implant Internal Image	Persistence	Adversaries may implant cloud container images with malicious code to establish persistence. Amazon Web Service (AWS) Amazon Machine Images (AMI), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.	Containers,IaaS	https://attack.mitre.org/techniques/T1525	Yes
241	T1526	Cloud Service Discovery	Discovery	An adversary may attempt to enumerate the cloud services running on a system after gaining access. Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.	Azure AD,Google Workspace,IaaS,Office 365,SaaS	https://attack.mitre.org/techniques/T1526	Yes
242	T1528	Steal Application Access Token	Credential Access	Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.	Azure AD,Google Workspace,Office 365,SaaS	https://attack.mitre.org/techniques/T1528	Yes
243	T1529	System Shutdown/Reboot	Impact	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1529	No
244	T1530	Data from Cloud Storage Object	Collection	Adversaries may access data objects from improperly secured cloud storage. Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs.	IaaS	https://attack.mitre.org/techniques/T1530	Yes
245	T1531	Account Access Removal	Impact	Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1531	No
246	T1534	Internal Spearphishing	Lateral Movement	Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.	Google Workspace,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1534	Yes
247	T1535	Unused/Unsupported Cloud Regions	Defense Evasion	Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.	IaaS	https://attack.mitre.org/techniques/T1535	Yes
248	T1537	Transfer Data to Cloud Account	Exfiltration	Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.	IaaS	https://attack.mitre.org/techniques/T1537	Yes
249	T1538	Cloud Service Dashboard	Discovery	An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(	Azure AD,Google Workspace,IaaS,Office 365	https://attack.mitre.org/techniques/T1538	Yes
250	T1539	Steal Web Session Cookie	Credential Access	An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns. After an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.	Google Workspace,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1539	Yes
251	T1542.001	Pre-OS Boot: System Firmware	Defense Evasion,Persistence	Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity.	Windows	https://attack.mitre.org/techniques/T1542/001	No
252	T1542.002	Pre-OS Boot: Component Firmware	Defense Evasion,Persistence	Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.	Windows	https://attack.mitre.org/techniques/T1542/002	No
253	T1542.003	Pre-OS Boot: Bootkit	Defense Evasion,Persistence	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).	Linux,Windows	https://attack.mitre.org/techniques/T1542/003	No
254	T1542.004	Pre-OS Boot: ROMMONkit	Defense Evasion,Persistence	Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. An adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.	Network	https://attack.mitre.org/techniques/T1542/004	No
255	T1542.005	Pre-OS Boot: TFTP Boot	Defense Evasion,Persistence	Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with ?Modify System Image? to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality.	Network	https://attack.mitre.org/techniques/T1542/005	No
256	T1543.001	Create or Modify System Process: Launch Agent	Persistence,Privilege Escalation	Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent. These launch agents have property list files which point to the executables that will be launched. Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in.	macOS	https://attack.mitre.org/techniques/T1543/001	No
257	T1543.002	Create or Modify System Process: Systemd Service	Persistence,Privilege Escalation	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.	Linux	https://attack.mitre.org/techniques/T1543/002	No
258	T1543.003	Create or Modify System Process: Windows Service	Persistence,Privilege Escalation	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system. An adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.	Windows	https://attack.mitre.org/techniques/T1543/003	No
259	T1543.004	Create or Modify System Process: Launch Daemon	Persistence,Privilege Escalation	Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. When macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files. Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.	macOS	https://attack.mitre.org/techniques/T1543/004	No
260	T1546.001	Event Triggered Execution: Change Default File Association	Persistence,Privilege Escalation	Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.	Windows	https://attack.mitre.org/techniques/T1546/001	No
261	T1546.002	Event Triggered Execution: Screensaver	Persistence,Privilege Escalation	Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The screensaver settings are stored in the Registry. Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.	Windows	https://attack.mitre.org/techniques/T1546/002	No
262	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	Persistence,Privilege Escalation	Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.	Windows	https://attack.mitre.org/techniques/T1546/003	No
263	T1546.004	Event Triggered Execution: Unix Shell Configuration Modification	Persistence,Privilege Escalation	Adversaries may establish persistence by executing malicious content triggered by a user's shell.?~/.bash_profile?and?~/.bashrc?are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence.	Linux,macOS	https://attack.mitre.org/techniques/T1546/004	Yes
264	T1546.005	Event Triggered Execution: Trap	Persistence,Privilege Escalation	Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received	Linux,macOS	https://attack.mitre.org/techniques/T1546/005	No
265	T1546.006	Event Triggered Execution: LC_LOAD_DYLIB Addition	Persistence,Privilege Escalation	Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn't checked at load time.	macOS	https://attack.mitre.org/techniques/T1546/006	No
266	T1546.007	Event Triggered Execution: Netsh Helper DLL	Persistence,Privilege Escalation	Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.	Windows	https://attack.mitre.org/techniques/T1546/007	No
267	T1546.008	Event Triggered Execution: Accessibility Features	Persistence,Privilege Escalation	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.	Windows	https://attack.mitre.org/techniques/T1546/008	No
268	T1546.009	Event Triggered Execution: AppCert DLLs	Persistence,Privilege Escalation	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key are loaded into every process that calls the ubiquitously used application programming interface (API) functions. This value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.	Windows	https://attack.mitre.org/techniques/T1546/009	No
269	T1546.010	Event Triggered Execution: AppInit DLLs	Persistence,Privilege Escalation	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys, are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.	Windows	https://attack.mitre.org/techniques/T1546/010	No
270	T1546.011	Event Triggered Execution: Application Shimming	Persistence,Privilege Escalation	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. Shims can also be abused to establish persistence by continuously being invoked by affected programs.	Windows	https://attack.mitre.org/techniques/T1546/011	No
271	T1546.012	Event Triggered Execution: Image File Execution Options Injection	Persistence,Privilege Escalation	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application.?IEFO can be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation. Malware may also use IFEO to Impair Defenses by registering invalid debuggers that redirect and effectively disable various system and security applications.	Windows	https://attack.mitre.org/techniques/T1546/012	No
272	T1546.013	Event Triggered Execution: PowerShell Profile	Persistence,Privilege Escalation	Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. Adversaries may modify these profiles to include arbitrary commands, functions, modules to gain persistence. Every time a user opens a PowerShell session, the modified script will be executed. An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)	Windows	https://attack.mitre.org/techniques/T1546/013	No
273	T1546.014	Event Triggered Execution: Emond	Persistence,Privilege Escalation	Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.	macOS	https://attack.mitre.org/techniques/T1546/014	No
274	T1546.015	Event Triggered Execution: Component Object Model Hijacking	Persistence,Privilege Escalation	Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence.	Windows	https://attack.mitre.org/techniques/T1546/015	No
275	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Persistence,Privilege Escalation	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.	Windows	https://attack.mitre.org/techniques/T1547/001	No
276	T1547.002	Boot or Logon Autostart Execution: Authentication Package	Persistence,Privilege Escalation	Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry.	Windows	https://attack.mitre.org/techniques/T1547/002	No
277	T1547.003	Boot or Logon Autostart Execution: Time Providers	Persistence,Privilege Escalation	Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. Time providers are implemented as dynamic-link libraries (DLLs) that can be found in the registry. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.	Windows	https://attack.mitre.org/techniques/T1547/003	No
278	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	Persistence,Privilege Escalation	Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.	Windows	https://attack.mitre.org/techniques/T1547/004	No
279	T1547.005	Boot or Logon Autostart Execution: Security Support Provider	Persistence,Privilege Escalation	Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.	Windows	https://attack.mitre.org/techniques/T1547/005	No
280	T1547.006	Boot or Logon Autostart Execution: Kernel Modules and Extensions	Persistence,Privilege Escalation	Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege. Adversaries can use LKMs and Kernel Extensions to covertly persist on a system and elevate privileges.	Linux,macOS	https://attack.mitre.org/techniques/T1547/006	No
281	T1547.007	Boot or Logon Autostart Execution: Re-opened Applications	Persistence,Privilege Escalation	Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. There are property list files (plist) that contain this information. An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine.	macOS	https://attack.mitre.org/techniques/T1547/007	No
282	T1547.008	Boot or Logon Autostart Execution: LSASS Driver	Persistence,Privilege Escalation	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.	Windows	https://attack.mitre.org/techniques/T1547/008	No
283	T1547.009	Boot or Logon Autostart Execution: Shortcut Modification	Persistence,Privilege Escalation	Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.	Windows	https://attack.mitre.org/techniques/T1547/009	No
284	T1547.010	Boot or Logon Autostart Execution: Port Monitors	Persistence,Privilege Escalation	Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.	Windows	https://attack.mitre.org/techniques/T1547/010	No
285	T1547.011	Boot or Logon Autostart Execution: Plist Modification	Persistence,Privilege Escalation	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. Adversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.	macOS	https://attack.mitre.org/techniques/T1547/011	No
286	T1547.012	Boot or Logon Autostart Execution: Print Processors	Persistence,Privilege Escalation	Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. One way the print processor can be installed through the ?AddPrintProcessor? API call with an account that has ?SeLoadDriverPrivilege? enabled. The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.	Windows	https://attack.mitre.org/techniques/T1547/012	No
287	T1547.013	Boot or Logon Autostart Execution: XDG Autostart Entries	Persistence,Privilege Escalation	Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the <code>/etc/xdg/autostart</code> or <code>~/.config/autostart</code> directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)	Linux	https://attack.mitre.org/techniques/T1547/013	Yes
288	T1547.014	Boot or Logon Autostart Execution: Active Setup	Persistence,Privilege Escalation	Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.	Windows	https://attack.mitre.org/techniques/T1547/014	Yes
289	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	Defense Evasion,Privilege Escalation	An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user's context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. When programs need to be executed in an elevated context to function properly, the user can specify the setuid or setgid flag to be set for their own applications. Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.	Linux,macOS	https://attack.mitre.org/techniques/T1548/001	No
290	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	Defense Evasion,Privilege Escalation	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.	Windows	https://attack.mitre.org/techniques/T1548/002	No
291	T1548.003	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	Defense Evasion,Privilege Escalation	Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.	Linux,macOS	https://attack.mitre.org/techniques/T1548/003	No
292	T1548.004	Abuse Elevation Control Mechanism: Elevated Execution with Prompt	Defense Evasion,Privilege Escalation	Adversaries may leverage the "AuthorizationExecuteWithPrivileges" API to escalate privileges by prompting the user for credentials.	macOS	https://attack.mitre.org/techniques/T1548/004	No
293	T1550.001	Use Alternate Authentication Material: Application Access Token	Defense Evasion,Lateral Movement	Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS). With a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded. Compromised access tokens may be used as an initial step in compromising other services.	Google Workspace,Office 365,SaaS	https://attack.mitre.org/techniques/T1550/001	Yes
294	T1550.002	Use Alternate Authentication Material: Pass the Hash	Defense Evasion,Lateral Movement	Adversaries may "Pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. Valid password hashes for an account are captured using a Credential Access technique and can be used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.	Windows	https://attack.mitre.org/techniques/T1550/002	No
295	T1550.003	Use Alternate Authentication Material: Pass the Ticket	Defense Evasion,Lateral Movement	Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access.	Windows	https://attack.mitre.org/techniques/T1550/003	No
296	T1550.004	Use Alternate Authentication Material: Web Session Cookie	Defense Evasion,Lateral Movement	Adversaries can use stolen session cookies to authenticate to web applications and services. Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.	Google Workspace,Office 365,SaaS	https://attack.mitre.org/techniques/T1550/004	Yes
297	T1552.001	Unsecured Credentials: Credentials In Files	Credential Access	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.	Containers,IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1552/001	Yes
298	T1552.002	Unsecured Credentials: Credentials in Registry	Credential Access	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.	Windows	https://attack.mitre.org/techniques/T1552/002	No
299	T1552.003	Unsecured Credentials: Bash History	Credential Access	Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials.	Linux,macOS	https://attack.mitre.org/techniques/T1552/003	No
300	T1552.004	Unsecured Credentials: Private Keys	Credential Access	Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1552/004	No
301	T1552.005	Unsecured Credentials: Cloud Instance Metadata API	Credential Access	Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. Attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.	IaaS	https://attack.mitre.org/techniques/T1552/005	Yes
302	T1552.006	Unsecured Credentials: Group Policy Preferences	Credential Access	Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.	Windows	https://attack.mitre.org/techniques/T1552/006	No
303	T1552.007	Unsecured Credentials: Container API	Credential Access	Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)	Containers	https://attack.mitre.org/techniques/T1552/007	Yes
304	T1553.001	Subvert Trust Controls: Gatekeeper Bypass	Defense Evasion	Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. Apple's Gatekeeper defense program prompts user to allow or deny execution of programs downloaded from the Internet.Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won't set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise.	macOS	https://attack.mitre.org/techniques/T1553/001	No
305	T1553.002	Subvert Trust Controls: Code Signing	Defense Evasion	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.?The certificates used during an operation may be created, acquired, or stolen by the adversary.	Windows,macOS	https://attack.mitre.org/techniques/T1553/002	No
306	T1553.003	Subvert Trust Controls: SIP and Trust Provider Hijacking	Defense Evasion	Adversaries may tamper with Subject Interface Packages (SIP) and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. Microsoft created software components called Subject Interface Packages (SIPs) [4] to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system.	Windows	https://attack.mitre.org/techniques/T1553/003	No
307	T1553.004	Subvert Trust Controls: Install Root Certificate	Defense Evasion	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). Certificates are commonly used for establishing secure TLS/SSL communications within a web browser.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1553/004	No
308	T1553.005	Subvert Trust Controls: Mark-of-the-Web Bypass	Defense Evasion	Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)	Windows	https://attack.mitre.org/techniques/T1553/005	Yes
309	T1553.006	Subvert Trust Controls: Code Signing Policy Modification	Defense Evasion	Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.	Windows,macOS	https://attack.mitre.org/techniques/T1553/006	Yes
310	T1554	Compromise Client Software Binary	Persistence	Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1554	No
311	T1555.001	Credentials from Password Stores: Keychain	Credential Access	Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features. users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. By default, the passphrase for the keychain is the user's logon credentials.	macOS	https://attack.mitre.org/techniques/T1555/001	No
312	T1555.002	Credentials from Password Stores: Securityd Memory	Credential Access	An adversary may obtain root access (allowing them to read securityd's memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user's logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes	Linux,macOS	https://attack.mitre.org/techniques/T1555/002	No
313	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	Credential Access	Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1555/003	No
314	T1555.004	Credentials from Password Stores: Windows Credential Manager	Credential Access	Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)	Windows	https://attack.mitre.org/techniques/T1555/004	Yes
315	T1555.005	Credentials from Password Stores: Password Managers	Credential Access	Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1555/005	Yes
316	T1556.001	Modify Authentication Process: Domain Controller Authentication	Credential Access,Defense Evasion,Persistence	Adversaries may patch the authentication process on a domain control to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used to inject false credentials into the authentication process on a domain control with the intent of creating a backdoor used to access any user's account and/or credentials. Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.	Windows	https://attack.mitre.org/techniques/T1556/001	Yes
317	T1556.002	Modify Authentication Process: Password Filter DLL	Credential Access,Defense Evasion,Persistence	Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains.	Windows	https://attack.mitre.org/techniques/T1556/002	Yes
318	T1556.003	Modify Authentication Process: Pluggable Authentication Modules	Credential Access,Defense Evasion,Persistence	Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. Adversaries may modify components of the PAM system to create backdoors. Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text.	Linux,macOS	https://attack.mitre.org/techniques/T1556/003	Yes
319	T1556.004	Modify Authentication Process: Network Device Authentication	Credential Access,Defense Evasion,Persistence	Adversaries may use ?Patch System Image? to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.	Network	https://attack.mitre.org/techniques/T1556/004	Yes
320	T1557.001	Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	Collection,Credential Access	Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By responding to Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.	Windows	https://attack.mitre.org/techniques/T1557/001	No
321	T1557.002	Man-in-the-Middle: ARP Cache Poisoning	Collection,Credential Access	Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment. Adversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1557/002	No
322	T1558.001	Steal or Forge Kerberos Tickets: Golden Ticket	Credential Access	Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory.	Windows	https://attack.mitre.org/techniques/T1558/001	No
323	T1558.002	Steal or Forge Kerberos Tickets: Silver Ticket	Credential Access	Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.	Windows	https://attack.mitre.org/techniques/T1558/002	No
324	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	Credential Access	Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.	Windows	https://attack.mitre.org/techniques/T1558/003	No
325	T1558.004	Steal or Forge Kerberos Tickets: AS-REP Roasting	Credential Access	Adversaries may reveal credentials of accounts that have disabled Kerberos Preauthentication by Password Cracking Kerberos messages. Preauthentication offers protection against offline Password Cracking. For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials. Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.	Windows	https://attack.mitre.org/techniques/T1558/004	No
326	T1559.001	Inter-Process Communication: Component Object Model	Execution	Adversaries may use the Windows Component Object Model (COM) for local code execution. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).	Windows	https://attack.mitre.org/techniques/T1559/001	No
327	T1559.002	Inter-Process Communication: Dynamic Data Exchange	Execution	Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications.	Windows	https://attack.mitre.org/techniques/T1559/002	No
328	T1560.001	Archive Collected Data: Archive via Utility	Collection	An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip, WinRAR, and WinZip. Most utilities include functionality to encrypt and/or compress data.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1560/001	No
329	T1560.002	Archive Collected Data: Archive via Library	Collection	An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile, libzip, and zlib. Most libraries include functionality to encrypt and/or compress data.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1560/002	No
330	T1560.003	Archive Collected Data: Archive via Custom Method	Collection	An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1560/003	No
331	T1561.001	Disk Wipe: Disk Content Wipe	Impact	Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. Examples include Novetta Blockbuster Destructive Malware. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1561/001	No
332	T1561.002	Disk Wipe: Disk Structure Wipe	Impact	Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1561/002	No
333	T1562.001	Impair Defenses: Disable or Modify Tools	Defense Evasion	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.	Containers,IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1562/001	Yes
334	T1562.002	Impair Defenses: Disable Windows Event Logging	Defense Evasion	Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.	Windows	https://attack.mitre.org/techniques/T1562/002	No
335	T1562.003	Impair Defenses: Impair Command History Logging	Defense Evasion	Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the "history" command and eventually into the "~/.bash_history" file when a user logs out. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1562/003	No
336	T1562.004	Impair Defenses: Disable or Modify System Firewall	Defense Evasion	Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1562/004	No
337	T1562.006	Impair Defenses: Indicator Blocking	Defense Evasion	An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering settings that control the collection and flow of event telemetry. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1562/006	No
338	T1562.007	Impair Defenses: Disable or Modify Cloud Firewall	Defense Evasion	Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls. Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.	IaaS	https://attack.mitre.org/techniques/T1562/007	Yes
339	T1562.008	Impair Defenses: Disable Cloud Logs	Defense Evasion	An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities.	IaaS	https://attack.mitre.org/techniques/T1562/008	Yes
340	T1563.001	Remote Service Session Hijacking: SSH Hijacking	Lateral Movement	Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.	Linux,macOS	https://attack.mitre.org/techniques/T1563/001	No
341	T1563.002	Remote Service Session Hijacking: RDP Hijacking	Lateral Movement	Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Remote desktop allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. With System permissions and using Terminal Services Console, `c:\windows\system32\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user. This can be done remotely or locally and with active or disconnected sessions. All of this can be done by using native Windows commands	Windows	https://attack.mitre.org/techniques/T1563/002	No
342	T1564.001	Hide Artifacts: Hidden Files and Directories	Defense Evasion	Adversaries may set files and directories to be hidden to evade detection mechanisms. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1564/001	No
343	T1564.002	Hide Artifacts: Hidden Users	Defense Evasion	Adversaries may use hidden users in macOS to mask the presence of user accounts they create by setting the priperty value of Hide500Users to Yes. This enables adversaries to conceal user accounts.	macOS	https://attack.mitre.org/techniques/T1564/002	No
344	T1564.003	Hide Artifacts: Hidden Window	Defense Evasion	Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.	Windows,macOS	https://attack.mitre.org/techniques/T1564/003	No
345	T1564.004	Hide Artifacts: NTFS File Attributes	Defense Evasion	Adversaries may use New Technology File System (NTFS) file attributes to hide their malicious data in order to evade detection. Every NTFS formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data, that can be used to store arbitrary data (and even complete files). Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.	Windows	https://attack.mitre.org/techniques/T1564/004	No
346	T1564.005	Hide Artifacts: Hidden File System	Defense Evasion	Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Adversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1564/005	No
347	T1564.006	Hide Artifacts: Run Virtual Instance	Defense Evasion	Adversaries may carry out malicious operations using a virtual instance to avoid detection.?By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1564/006	No
348	T1564.007	Hide Artifacts: VBA Stomping	Defense Evasion	Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data. MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the VBA_PROJECT stream matches the version of the host MS Office application. An adversary may hide malicious VBA code by overwriting the VBA source code location with zero's, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If there is a version match between the VBA_PROJECT stream and host MS Office application, the p-code will be executed.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1564/007	No
349	T1565.001	Data Manipulation: Stored Data Manipulation	Impact	Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1565/001	No
350	T1565.002	Data Manipulation: Transmitted Data Manipulation	Impact	Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information.By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1565/002	No
351	T1565.003	Data Manipulation: Runtime Data Manipulation	Impact	Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user. Adversaries may alter application binaries used to display data in order to cause runtime manipulations. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1565/003	No
352	T1566.001	Phishing: Spearphishing Attachment	Initial Access	Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1566/001	No
353	T1566.002	Phishing: Spearphishing Link	Initial Access	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.	Google Workspace,Linux,Office 365,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1566/002	Yes
354	T1566.003	Phishing: Spearphishing via Service	Initial Access	Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service employs the use of third party services rather than directly via enterprise email channels. Adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. After building rapport with a target via social media, adversaries send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1566/003	No
355	T1567.001	Exfiltration Over Web Service: Exfiltration to Code Repository	Exfiltration	Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API. Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection. Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1567/001	No
356	T1567.002	Exfiltration Over Web Service: Exfiltration to Cloud Storage	Exfiltration	Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1567/002	No
357	T1568.001	Dynamic Resolution: Fast Flux DNS	Command And Control	Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1568/001	No
358	T1568.002	Dynamic Resolution: Domain Generation Algorithms	Command And Control	Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions. Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1568/002	No
359	T1568.003	Dynamic Resolution: DNS Calculation	Command And Control	Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1568/003	No
360	T1569.001	System Services: Launchctl	Execution	Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like Launch Agent and Launch Daemon, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. Running a command from launchctl is simple and adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.	macOS	https://attack.mitre.org/techniques/T1569/001	No
361	T1569.002	System Services: Service Execution	Execution	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe. PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API. Adversaries may execute malicious content by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.	Windows	https://attack.mitre.org/techniques/T1569/002	No
362	T1570	Lateral Tool Transfer	Lateral Movement	Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with SMB/Windows Admin Shares.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1570	No
363	T1571	Non-Standard Port	Command And Control	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587, as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1571	No
364	T1572	Protocol Tunneling	Command And Control	Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. Adversaries may perform SSH tunneling (also known as SSH port forwarding), DNS over HTTPS (DoH), queries to resolve C2 communications and infrastructure.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1572	No
365	T1573.001	Encrypted Channel: Symmetric Cryptography	Command And Control	Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1573/001	No
366	T1573.002	Encrypted Channel: Asymmetric Cryptography	Command And Control	Adversaries may employ a known asymmetric encryption algorithm (also known as public key cryptography) to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Due to how the keys are generated, the sender encrypts data with the receiver's public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data.	Linux,Windows,macOS	https://attack.mitre.org/techniques/T1573/002	No
367	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.	Windows	https://attack.mitre.org/techniques/T1574/001	No
368	T1574.002	Hijack Execution Flow: DLL Side-Loading	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program. Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.	Windows	https://attack.mitre.org/techniques/T1574/002	No
369	T1574.004	Hijack Execution Flow: Dylib Hijacking	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.	macOS	https://attack.mitre.org/techniques/T1574/004	No
370	T1574.005	Hijack Execution Flow: Executable Installer File Permissions Weakness	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.	Windows	https://attack.mitre.org/techniques/T1574/005	No
371	T1574.006	Hijack Execution Flow: Dynamic Linker Hijacking	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others. Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.	Linux,macOS	https://attack.mitre.org/techniques/T1574/006	Yes
372	T1574.007	Hijack Execution Flow: Path Interception by PATH Environment Variable	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.	Windows	https://attack.mitre.org/techniques/T1574/007	No
373	T1574.008	Hijack Execution Flow: Path Interception by Search Order Hijacking	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.	Windows	https://attack.mitre.org/techniques/T1574/008	No
374	T1574.009	Hijack Execution Flow: Path Interception by Unquoted Path	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.	Windows	https://attack.mitre.org/techniques/T1574/009	No
375	T1574.010	Hijack Execution Flow: Services File Permissions Weakness	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.	Windows	https://attack.mitre.org/techniques/T1574/010	No
376	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	Defense Evasion,Persistence,Privilege Escalation	Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe or Reg.	Windows	https://attack.mitre.org/techniques/T1574/011	No
377	T1574.012	Hijack Execution Flow: COR_PROFILER	Defense Evasion,Persistence,Privilege Escalation	Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges.	Windows	https://attack.mitre.org/techniques/T1574/012	No
378	T1578.001	Modify Cloud Compute Infrastructure: Create Snapshot	Defense Evasion	An adversary may create a snapshot or data backup within a cloud account to evade defenses. By first Creating a Cloud Instance, mounting one or more created snapshots to that instance, and then applying a firewall policy that allows the adversary access to the created instance, an adversary can gain inbound and outbound SSH access.	IaaS	https://attack.mitre.org/techniques/T1578/001	Yes
379	T1578.002	Modify Cloud Compute Infrastructure: Create Cloud Instance	Defense Evasion	An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.	IaaS	https://attack.mitre.org/techniques/T1578/002	Yes
380	T1578.003	Modify Cloud Compute Infrastructure: Delete Cloud Instance	Defense Evasion	An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.	IaaS	https://attack.mitre.org/techniques/T1578/003	Yes
381	T1578.004	Modify Cloud Compute Infrastructure: Revert Cloud Instance	Defense Evasion	An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs. Another variation of this technique is to utilize temporary storage attached to the compute instance, which often reset upon stop/restart of the VM.	IaaS	https://attack.mitre.org/techniques/T1578/004	Yes
382	T1580	Cloud Infrastructure Discovery	Discovery	An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user. The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence. This technique focuses on the discovery of components of the provided services rather than the services themselves.	IaaS	https://attack.mitre.org/techniques/T1580	Yes
383	T1583.001	Acquire Infrastructure: Domains	Resource Development	Before compromising a victim, adversaries may purchase domains that can be used during targeting. Adversaries can use purchased domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control. Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD). Typosquatting may be used to aid in delivery of payloads via Drive-by Compromise. Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.		https://attack.mitre.org/techniques/T1583/001	No
384	T1583.002	Acquire Infrastructure: DNS Server	Resource Development	Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control. Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic. With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.		https://attack.mitre.org/techniques/T1583/002	No
385	T1583.003	Acquire Infrastructure: Virtual Private Server	Resource Development	Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs)?that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.		https://attack.mitre.org/techniques/T1583/003	No
386	T1583.004	Acquire Infrastructure: Server	Resource Development	Before compromising a victim, adversaries may buy, lease, or rent physical servers?that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.		https://attack.mitre.org/techniques/T1583/004	No
387	T1583.005	Acquire Infrastructure: Botnet	Resource Development	Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems?that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Adversaries may purchase a subscription to use an existing botnet from a booter/stressor service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).		https://attack.mitre.org/techniques/T1583/005	No
388	T1583.006	Acquire Infrastructure: Web Services	Resource Development	Before compromising a victim, adversaries may register for web services?that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.		https://attack.mitre.org/techniques/T1583/006	No
389	T1584.001	Compromise Infrastructure: Domains	Resource Development	Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. Subdomain hijacking can also occur when organizations have DNS entries that point to non-existent or de-provisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.		https://attack.mitre.org/techniques/T1584/001	No
390	T1584.002	Compromise Infrastructure: DNS Server	Resource Development	Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control. Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary. Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.		https://attack.mitre.org/techniques/T1584/002	No
391	T1584.003	Compromise Infrastructure: Virtual Private Server	Resource Development	Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves. Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers.		https://attack.mitre.org/techniques/T1584/003	No
392	T1584.004	Compromise Infrastructure: Server	Resource Development	Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations.		https://attack.mitre.org/techniques/T1584/004	No
393	T1584.005	Compromise Infrastructure: Botnet	Resource Development	Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet?that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stressor service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).		https://attack.mitre.org/techniques/T1584/005	No
394	T1584.006	Compromise Infrastructure: Web Services	Resource Development	Before compromising a victim, adversaries may compromise access to third-party web services?that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.		https://attack.mitre.org/techniques/T1584/006	No
395	T1585.001	Establish Accounts: Social Media Accounts	Resource Development	Before compromising a victim, adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access.		https://attack.mitre.org/techniques/T1585/001	No
396	T1585.002	Establish Accounts: Email Accounts	Resource Development	Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure. To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.		https://attack.mitre.org/techniques/T1585/002	No
397	T1586.001	Compromise Accounts: Social Media Accounts	Resource Development	Before compromising a victim, adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles, adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others. Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access.		https://attack.mitre.org/techniques/T1586/001	No
398	T1586.002	Compromise Accounts: Email Accounts	Resource Development	Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure		https://attack.mitre.org/techniques/T1586/002	No
399	T1587.001	Develop Capabilities: Malware	Resource Development	Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.		https://attack.mitre.org/techniques/T1587/001	No
400	T1587.002	Develop Capabilities: Code Signing Certificates	Resource Development	Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.		https://attack.mitre.org/techniques/T1587/002	No
401	T1587.003	Develop Capabilities: Digital Certificates	Resource Development	Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic or even enabling Man-in-the-Middle if added to the root of trust.		https://attack.mitre.org/techniques/T1587/003	No
402	T1587.004	Develop Capabilities: Exploits	Resource Development	Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. An adversary may develop their own exploits. Adversaries may use exploits during various phases of the adversary lifecycle.		https://attack.mitre.org/techniques/T1587/004	No
403	T1588.001	Obtain Capabilities: Malware	Resource Development	Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.		https://attack.mitre.org/techniques/T1588/001	No
404	T1588.002	Obtain Capabilities: Tool	Resource Development	Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes. Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions. Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors.		https://attack.mitre.org/techniques/T1588/002	No
405	T1588.003	Obtain Capabilities: Code Signing Certificates	Resource Development	Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.		https://attack.mitre.org/techniques/T1588/003	No
406	T1588.004	Obtain Capabilities: Digital Certificates	Resource Development	Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic or even enabling Man-in-the-Middle if the certificate is trusted or otherwise added to the root of trust.		https://attack.mitre.org/techniques/T1588/004	No
407	T1588.005	Obtain Capabilities: Exploits	Resource Development	Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Adversaries may use exploits during various phases of the adversary lifecycle.		https://attack.mitre.org/techniques/T1588/005	No
408	T1588.006	Obtain Capabilities: Vulnerabilities	Resource Development	Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur.		https://attack.mitre.org/techniques/T1588/006	No
409	T1589.001	Gather Victim Identity Information: Credentials	Reconnaissance	Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.		https://attack.mitre.org/techniques/T1589/001	No
410	T1589.002	Gather Victim Identity Information: Email Addresses	Reconnaissance	Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.		https://attack.mitre.org/techniques/T1589/002	No
411	T1589.003	Gather Victim Identity Information: Employee Names	Reconnaissance	Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets such as Social Media or Victim-Owned Websites.		https://attack.mitre.org/techniques/T1589/003	No
412	T1590.001	Gather Victim Network Information: Domain Properties	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information.		https://attack.mitre.org/techniques/T1590/001	No
413	T1590.002	Gather Victim Network Information: DNS	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target's subdomains, mail servers, and other hosts.		https://attack.mitre.org/techniques/T1590/002	No
414	T1590.003	Gather Victim Network Information: Network Trust Dependencies	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.		https://attack.mitre.org/techniques/T1590/003	No
415	T1590.004	Gather Victim Network Information: Network Topology	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.		https://attack.mitre.org/techniques/T1590/004	No
416	T1590.005	Gather Victim Network Information: IP Addresses	Reconnaissance	Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.		https://attack.mitre.org/techniques/T1590/005	No
417	T1590.006	Gather Victim Network Information: Network Security Appliances	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.		https://attack.mitre.org/techniques/T1590/006	No
418	T1591.001	Gather Victim Org Information: Determine Physical Locations	Reconnaissance	Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.		https://attack.mitre.org/techniques/T1591/001	No
419	T1591.002	Gather Victim Org Information: Business Relationships	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization's business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim's hardware and software resources.		https://attack.mitre.org/techniques/T1591/002	No
420	T1591.003	Gather Victim Org Information: Identify Business Tempo	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization's business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim's hardware and software resources.		https://attack.mitre.org/techniques/T1591/003	No
421	T1591.004	Gather Victim Org Information: Identify Roles	Reconnaissance	Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.		https://attack.mitre.org/techniques/T1591/004	No
422	T1592.001	Gather Victim Host Information: Hardware	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).		https://attack.mitre.org/techniques/T1592/001	No
423	T1592.002	Gather Victim Host Information: Software	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).		https://attack.mitre.org/techniques/T1592/002	No
424	T1592.003	Gather Victim Host Information: Firmware	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).		https://attack.mitre.org/techniques/T1592/003	No
425	T1592.004	Gather Victim Host Information: Client Configurations	Reconnaissance	Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.		https://attack.mitre.org/techniques/T1592/004	No
426	T1593.001	Search Open Websites/Domains: Social Media	Reconnaissance	Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.		https://attack.mitre.org/techniques/T1593/001	No
427	T1593.002	Search Open Websites/Domains: Search Engines	Reconnaissance	Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).		https://attack.mitre.org/techniques/T1593/002	No
428	T1594	Search Victim-Owned Websites	Reconnaissance	Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also have details highlighting business operations and relationships.		https://attack.mitre.org/techniques/T1594	No
429	T1595.001	Active Scanning: Scanning IP Blocks	Reconnaissance	Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.		https://attack.mitre.org/techniques/T1595/001	No
430	T1595.002	Active Scanning: Vulnerability Scanning	Reconnaissance	Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.		https://attack.mitre.org/techniques/T1595/002	No
431	T1596.001	Search Open Technical Databases: DNS/Passive DNS	Reconnaissance	Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target's subdomains, mail servers, and other hosts.		https://attack.mitre.org/techniques/T1596/001	No
432	T1596.002	Search Open Technical Databases: WHOIS	Reconnaissance	Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: W		https://attack.mitre.org/techniques/T1596/002	No
433	T1596.003	Search Open Technical Databases: Digital Certificates	Reconnaissance	Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.		https://attack.mitre.org/techniques/T1596/003	No
434	T1596.004	Search Open Technical Databases: CDNs	Reconnaissance	Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor's geographical region.		https://attack.mitre.org/techniques/T1596/004	No
435	T1596.005	Search Open Technical Databases: Scan Databases	Reconnaissance	Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)		https://attack.mitre.org/techniques/T1596/005	No
436	T1597.001	Search Closed Sources: Threat Intel Vendors	Reconnaissance	Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.		https://attack.mitre.org/techniques/T1597/001	No
437	T1597.002	Search Closed Sources: Purchase Technical Data	Reconnaissance	Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.		https://attack.mitre.org/techniques/T1597/002	No
438	T1598.001	Phishing for Information: Spearphishing Service	Reconnaissance	Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.		https://attack.mitre.org/techniques/T1598/001	No
439	T1598.002	Phishing for Information: Spearphishing Attachment	Reconnaissance	Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts and/or sending multiple, seemingly urgent messages.		https://attack.mitre.org/techniques/T1598/002	No
440	T1598.003	Phishing for Information: Spearphishing Link	Reconnaissance	Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts and/or sending multiple, seemingly urgent messages.		https://attack.mitre.org/techniques/T1598/003	No
441	T1599.001	Network Boundary Bridging: Network Address Translation Traversal	Defense Evasion	Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. Adversaries may use Patch System Image to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.	Network	https://attack.mitre.org/techniques/T1599/001	No
442	T1600.001	Weaken Encryption: Reduce Key Space	Defense Evasion	Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications. Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key. Adversaries may modify the key size used and other encryption parameters using specialized commands in a Network Device CLI introduced to the system through Modify System Image to change the configuration of the device.	Network	https://attack.mitre.org/techniques/T1600/001	No
443	T1600.002	Weaken Encryption: Disable Crypto Hardware	Defense Evasion	Adversaries disable a network device's dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.	Network	https://attack.mitre.org/techniques/T1600/002	No
444	T1601.001	Modify System Image: Patch System Image	Defense Evasion	Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.	Network	https://attack.mitre.org/techniques/T1601/001	No
445	T1601.002	Modify System Image: Downgrade System Image	Defense Evasion	Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features.	Network	https://attack.mitre.org/techniques/T1601/002	No
446	T1602.001	Data from Configuration Repository: SNMP (MIB Dump)	Collection	Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).	Network	https://attack.mitre.org/techniques/T1602/001	No
447	T1602.002	Data from Configuration Repository: Network Device Configuration Dump	Collection	Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.	Network	https://attack.mitre.org/techniques/T1602/002	No
448	T1606.001	Forge Web Credentials: Web Cookies	Credential Access	Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.	Linux,SaaS,Windows,macOS	https://attack.mitre.org/techniques/T1606/001	No
449	T1606.002	Forge Web Credentials: SAML Tokens	Credential Access	An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.	Azure AD,Google Workspace,Office 365,SaaS,Windows	https://attack.mitre.org/techniques/T1606/002	No
450	T1608.001	Stage Capabilities: Upload Malware	Resource Development	Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.		https://attack.mitre.org/techniques/T1608/001	Yes
451	T1608.002	Stage Capabilities: Upload Tool	Resource Development	Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.		https://attack.mitre.org/techniques/T1608/002	Yes
452	T1608.003	Stage Capabilities: Install Digital Certificate	Resource Development	Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)		https://attack.mitre.org/techniques/T1608/003	Yes
453	T1608.004	Stage Capabilities: Drive-by Target	Resource Development	Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).		https://attack.mitre.org/techniques/T1608/004	Yes
454	T1608.005	Stage Capabilities: Link Target	Resource Development	Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.		https://attack.mitre.org/techniques/T1608/005	Yes
455	T1609	Container Administration Command	Execution	Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)	Containers	https://attack.mitre.org/techniques/T1609	Yes
456	T1610	Deploy Container	Defense Evasion,Execution	Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.	Containers	https://attack.mitre.org/techniques/T1610	Yes
457	T1611	Escape to Host	Privilege Escalation	Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)	Containers,Linux,Windows	https://attack.mitre.org/techniques/T1611	Yes
458	T1612	Build Image on Host	Defense Evasion	Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)	Containers	https://attack.mitre.org/techniques/T1612	Yes
459	T1613	Container and Resource Discovery	Discovery	Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.	Containers	https://attack.mitre.org/techniques/T1613	Yes
460	T1614	System Location Discovery	Discovery		IaaS,Linux,Windows,macOS	https://attack.mitre.org/techniques/T1614	Yes

257 KiB Raw Blame History

257 KiB

Raw Blame History