MITRE ATT&CK® Matrix for Enterprise v10
Initial Access
Gaining a foothold on the target
Drive-by Compromise
Drive-by download attack
T1189
Exploit Public-Facing Application
T1190
External Remote Services
VPNs, remote gateways, and the like?
T1133
Hardware Additions
e.g. placing a Raspberry Pi inside the organization
T1200
Phishing
T1566
Sub-techniques
Spearphishing Attachment
T1566.001
Spearphishing Link
T1566.002
Spearphishing via Service
T1566.003
Replication Through Removable Media
Infection from a USB flash drive
T1091
Supply Chain Compromise
T1195
Sub-techniques
Compromise Software Dependencies and Development Tools
T1195.001
Compromise Software Supply Chain
T1195.002
Compromise Hardware Supply Chain
T1195.003
Trusted Relationship
Access that takes advantage of a trust relationship
T1199
Valid Accounts
Access using legitimate accounts
T1078
Sub-techniques
Default Accounts
T1078.001
Domain Accounts
T1078.002
Local Accounts
T1078.003
Cloud Accounts
T1078.004
Resource Development
Preparing resources for the attack
Acquire Infrastructure
e.g. purchasing a DDoS service
T1583
Sub-techniques
Domains
T1583.001
DNS Server
T1583.002
Virtual Private Server
T1583.003
Server
T1583.004
Botnet
T1583.005
Web Services
T1583.006
Compromise Accounts
T1586
Sub-techniques
Social Media Accounts
T1586.001
Email Accounts
T1586.002
Compromise Infrastructure
T1584
Sub-techniques
Domains
T1584.001
DNS Server
T1584.002
Virtual Private Server
T1584.003
Server
T1584.004
Botnet
T1584.005
Web Services
T1584.006
Develop Capabilities
In-house development, e.g. developing malware and the like on one's own
T1587
Sub-techniques
Malware
T1587.001
Code Signing Certificates
T1587.002
Digital Certificates
T1587.003
Exploits
T1587.004
Establish Accounts
e.g. creating personas on social media
T1585
Sub-techniques
Social Media Accounts
T1585.001
Email Accounts
T1585.002
Obtain Capabilities
e.g. purchasing rootkits or zero-days
T1588
Sub-techniques
Malware
T1588.001
Tool
T1588.002
Code Signing Certificates
T1588.003
Digital Certificates
T1588.004
Exploits
T1588.005
Vulnerabilities
T1588.006
Stage Capabilities
e.g. placing malware on GitHub
T1608
Sub-techniques
Upload Malware
T1608.001
Upload Tool
T1608.002
Install Digital Certificate
T1608.003
Drive-by Target
T1608.004
Link Target
T1608.005
Execution
Running malicious code
Command and Scripting Interpreter
e.g. execution via PowerShell or AppleScript
T1059
Sub-techniques
PowerShell
T1059.001
AppleScript
T1059.002
Windows Command Shell
T1059.003
Unix Shell
T1059.004
Visual Basic
T1059.005
Python
T1059.006
JavaScript
T1059.007
Network Device CLI
T1059.008
Container Administration Command
e.g. execution via the Docker daemon or kube-api-server
T1609
Deploy Container
Execution via a container
T1610
Exploitation for Client Execution
e.g. exploiting a vulnerability in a client application
T1203
Inter-Process Communication
e.g. execution via signals or UNIX domain sockets
T1559
Sub-techniques
Component Object Model
T1559.001
Dynamic Data Exchange
T1559.002
Native API
NtCreateProcess and the like?
T1106
Scheduled Task/Job
e.g. execution via cron
T1053
Sub-techniques
At (Linux)
T1053.001
At (Windows)
T1053.002
Cron
T1053.003
Launchd
T1053.004
Scheduled Task
T1053.005
Systemd Timers
T1053.006
Container Orchestration Job
T1053.007
Shared Modules
e.g. execution when a DLL is loaded
T1129
Software Deployment Tools
e.g. using a third-party app store
T1072
System Services
Execution via system services
launchctl and the like (systemctl too?)
T1569
Sub-techniques
Launchctl
T1569.001
Service Execution
T1569.002
User Execution
T1204
Sub-techniques
Malicious Link
T1204.001
Malicious File
T1204.002
Malicious Image
T1204.003
Windows Management Instrumentation
Execution via WMI
T1047
Persistence
Maintaining access after intrusion
Account Manipulation
T1098
Sub-techniques
Additional Cloud Credentials
T1098.001
Exchange Email Delegate Permissions
T1098.002
Add Office 365 Global Administrator Role
T1098.003
SSH Authorized Keys
T1098.004
BITS Jobs
T1197
Boot or Logon Autostart Execution
T1547
Sub-techniques
Registry Run Keys / Startup Folder
T1547.001
Authentication Package
T1547.002
Time Providers
T1547.003
Winlogon Helper DLL
T1547.004
Security Support Provider
T1547.005
Kernel Modules and Extensions
T1547.006
Re-opened Applications
T1547.007
LSASS Driver
T1547.008
Shortcut Modification
T1547.009
Port Monitors
T1547.010
Plist Modification
T1547.011
Print Processors
T1547.012
XDG Autostart Entries
T1547.013
Active Setup
T1547.014
Login Items
T1547.015
Boot or Logon Initialization Scripts
T1037
Sub-techniques
Logon Script (Windows)
T1037.001
Logon Script (Mac)
T1037.002
Network Logon Script
T1037.003
RC Scripts
T1037.004
Startup Items
T1037.005
Browser Extensions
T1176
Compromise Client Software Binary
T1554
Create Account
T1136
Sub-techniques
Local Account
T1136.001
Domain Account
T1136.002
Cloud Account
T1136.003
Create or Modify System Process
T1543
Sub-techniques
Launch Agent
T1543.001
Systemd Service
T1543.002
Windows Service
T1543.003
Launch Daemon
T1543.004
Event Triggered Execution
T1546
Sub-techniques
Change Default File Association
T1546.001
Screensaver
T1546.002
Windows Management Instrumentation Event Subscription
T1546.003
Unix Shell Configuration Modification
T1546.004
Trap
T1546.005
LC_LOAD_DYLIB Addition
T1546.006
Netsh Helper DLL
T1546.007
Accessibility Features
T1546.008
AppCert DLLs
T1546.009
AppInit DLLs
T1546.010
Application Shimming
T1546.011
Image File Execution Options Injection
T1546.012
PowerShell Profile
T1546.013
Emond
T1546.014
Component Object Model Hijacking
T1546.015
External Remote Services
T1133
Hijack Execution Flow
T1574
Sub-techniques
DLL Search Order Hijacking
T1574.001
DLL Side-Loading
T1574.002
Dylib Hijacking
T1574.004
Executable Installer File Permissions Weakness
T1574.005
Dynamic Linker Hijacking
T1574.006
Path Interception by PATH Environment Variable
T1574.007
Path Interception by Search Order Hijacking
T1574.008
Path Interception by Unquoted Path
T1574.009
Services File Permissions Weakness
T1574.010
Services Registry Permissions Weakness
T1574.011
COR_PROFILER
T1574.012
Implant Internal Image
T1525
Modify Authentication Process
T1556
Sub-techniques
Domain Controller Authentication
T1556.001
Password Filter DLL
T1556.002
Pluggable Authentication Modules
T1556.003
Network Device Authentication
T1556.004
Office Application Startup
T1137
Sub-techniques
Office Template Macros
T1137.001
Office Test
T1137.002
Outlook Forms
T1137.003
Outlook Home Page
T1137.004
Outlook Rules
T1137.005
Add-ins
T1137.006
Pre-OS Boot
T1542
Sub-techniques
System Firmware
T1542.001
Component Firmware
T1542.002
Bootkit
T1542.003
ROMMONkit
T1542.004
TFTP Boot
T1542.005
Scheduled Task/Job
T1053
Sub-techniques
At (Linux)
T1053.001
At (Windows)
T1053.002
Cron
T1053.003
Launchd
T1053.004
Scheduled Task
T1053.005
Systemd Timers
T1053.006
Container Orchestration Job
T1053.007
Server Software Component
T1505
Sub-techniques
SQL Stored Procedures
T1505.001
Transport Agent
T1505.002
Web Shell
T1505.003
IIS Components
T1505.004
Traffic Signaling
T1205
Sub-techniques
Port Knocking
T1205.001
Valid Accounts
T1078
Sub-techniques
Default Accounts
T1078.001
Domain Accounts
T1078.002
Local Accounts
T1078.003
Cloud Accounts
T1078.004
Privilege Escalation
Access to root
Abuse Elevation Control Mechanism
T1548
Sub-techniques
Setuid and Setgid
T1548.001
Bypass User Account Control
T1548.002
Sudo and Sudo Caching
T1548.003
Elevated Execution with Prompt
T1548.004
Access Token Manipulation
T1134
Sub-techniques
Token Impersonation/Theft
T1134.001
Create Process with Token
T1134.002
Make and Impersonate Token
T1134.003
Parent PID Spoofing
T1134.004
SID-History Injection
T1134.005
Boot or Logon Autostart Execution
T1547
Sub-techniques
Registry Run Keys / Startup Folder
T1547.001
Authentication Package
T1547.002
Time Providers
T1547.003
Winlogon Helper DLL
T1547.004
Security Support Provider
T1547.005
Kernel Modules and Extensions
T1547.006
Re-opened Applications
T1547.007
LSASS Driver
T1547.008
Shortcut Modification
T1547.009
Port Monitors
T1547.010
Plist Modification
T1547.011
Print Processors
T1547.012
XDG Autostart Entries
T1547.013
Active Setup
T1547.014
Login Items
T1547.015
Boot or Logon Initialization Scripts
T1037
Sub-techniques
Logon Script (Windows)
T1037.001
Logon Script (Mac)
T1037.002
Network Logon Script
T1037.003
RC Scripts
T1037.004
Startup Items
T1037.005
Create or Modify System Process
T1543
Sub-techniques
Launch Agent
T1543.001
Systemd Service
T1543.002
Windows Service
T1543.003
Launch Daemon
T1543.004
Domain Policy Modification
T1484
Sub-techniques
Group Policy Modification
T1484.001
Domain Trust Modification
T1484.002
Escape to Host
T1611
Event Triggered Execution
T1546
Sub-techniques
Change Default File Association
T1546.001
Screensaver
T1546.002
Windows Management Instrumentation Event Subscription
T1546.003
Unix Shell Configuration Modification
T1546.004
Trap
T1546.005
LC_LOAD_DYLIB Addition
T1546.006
Netsh Helper DLL
T1546.007
Accessibility Features
T1546.008
AppCert DLLs
T1546.009
AppInit DLLs
T1546.010
Application Shimming
T1546.011
Image File Execution Options Injection
T1546.012
PowerShell Profile
T1546.013
Emond
T1546.014
Component Object Model Hijacking
T1546.015
Exploitation for Privilege Escalation
T1068
Hijack Execution Flow
T1574
Sub-techniques
DLL Search Order Hijacking
T1574.001
DLL Side-Loading
T1574.002
Dylib Hijacking
T1574.004
Executable Installer File Permissions Weakness
T1574.005
Dynamic Linker Hijacking
T1574.006
Path Interception by PATH Environment Variable
T1574.007
Path Interception by Search Order Hijacking
T1574.008
Path Interception by Unquoted Path
T1574.009
Services File Permissions Weakness
T1574.010
Services Registry Permissions Weakness
T1574.011
COR_PROFILER
T1574.012
Process Injection
T1055
Sub-techniques
Dynamic-link Library Injection
T1055.001
Portable Executable Injection
T1055.002
Thread Execution Hijacking
T1055.003
Asynchronous Procedure Call
T1055.004
Thread Local Storage
T1055.005
Ptrace System Calls
T1055.008
Proc Memory
T1055.009
Extra Window Memory Injection
T1055.011
Process Hollowing
T1055.012
Process Doppelgänging
T1055.013
VDSO Hijacking
T1055.014
Scheduled Task/Job
T1053
Sub-techniques
At (Linux)
T1053.001
At (Windows)
T1053.002
Cron
T1053.003
Launchd
T1053.004
Scheduled Task
T1053.005
Systemd Timers
T1053.006
Container Orchestration Job
T1053.007
Valid Accounts
T1078
Sub-techniques
Default Accounts
T1078.001
Domain Accounts
T1078.002
Local Accounts
T1078.003
Cloud Accounts
T1078.004
Credential Access
Adversary-in-the-Middle
T1557
Sub-techniques
LLMNR/NBT-NS Poisoning and SMB Relay
T1557.001
ARP Cache Poisoning
T1557.002
Brute Force
T1110
Sub-techniques
Password Guessing
T1110.001
Password Cracking
T1110.002
Password Spraying
T1110.003
Credential Stuffing
T1110.004
Credentials from Password Stores
T1555
Sub-techniques
Keychain
T1555.001
Securityd Memory
T1555.002
Credentials from Web Browsers
T1555.003
Windows Credential Manager
T1555.004
Password Managers
T1555.005
Exploitation for Credential Access
T1212
Forced Authentication
T1187
Forge Web Credentials
T1606
Sub-techniques
Web Cookies
T1606.001
SAML Tokens
T1606.002
Input Capture
T1056
Sub-techniques
Keylogging
T1056.001
GUI Input Capture
T1056.002
Web Portal Capture
T1056.003
Credential API Hooking
T1056.004
Modify Authentication Process
T1556
Sub-techniques
Domain Controller Authentication
T1556.001
Password Filter DLL
T1556.002
Pluggable Authentication Modules
T1556.003
Network Device Authentication
T1556.004
Network Sniffing
T1040
OS Credential Dumping
T1003
Sub-techniques
LSASS Memory
T1003.001
Security Account Manager
T1003.002
NTDS
T1003.003
LSA Secrets
T1003.004
Cached Domain Credentials
T1003.005
DCSync
T1003.006
Proc Filesystem
T1003.007
/etc/passwd and /etc/shadow
T1003.008
Steal Application Access Token
T1528
Steal or Forge Kerberos Tickets
T1558
Sub-techniques
Golden Ticket
T1558.001
Silver Ticket
T1558.002
Kerberoasting
T1558.003
AS-REP Roasting
T1558.004
Steal Web Session Cookie
T1539
Two-Factor Authentication Interception
T1111
Unsecured Credentials
T1552
Sub-techniques
Credentials In Files
T1552.001
Credentials in Registry
T1552.002
Bash History
T1552.003
Private Keys
T1552.004
Cloud Instance Metadata API
T1552.005
Group Policy Preferences
T1552.006
Container API
T1552.007
Discovery
Account Discovery
T1087
Sub-techniques
Local Account
T1087.001
Domain Account
T1087.002
Email Account
T1087.003
Cloud Account
T1087.004
Application Window Discovery
T1010
Browser Bookmark Discovery
T1217
Cloud Infrastructure Discovery
T1580
Cloud Service Dashboard
T1538
Cloud Service Discovery
T1526
Cloud Storage Object Discovery
T1619
Container and Resource Discovery
T1613
Domain Trust Discovery
T1482
File and Directory Discovery
T1083
Group Policy Discovery
T1615
Network Service Scanning
T1046
Network Share Discovery
T1135
Network Sniffing
T1040
Password Policy Discovery
T1201
Peripheral Device Discovery
T1120
Permission Groups Discovery
T1069
Sub-techniques
Local Groups
T1069.001
Domain Groups
T1069.002
Cloud Groups
T1069.003
Process Discovery
T1057
Query Registry
T1012
Remote System Discovery
T1018
Software Discovery
T1518
Sub-techniques
Security Software Discovery
T1518.001
System Information Discovery
T1082
System Location Discovery
T1614
Sub-techniques
System Language Discovery
T1614.001
System Network Configuration Discovery
T1016
Sub-techniques
Internet Connection Discovery
T1016.001
System Network Connections Discovery
T1049
System Owner/User Discovery
T1033
System Service Discovery
T1007
System Time Discovery
T1124
Virtualization/Sandbox Evasion
T1497
Sub-techniques
System Checks
T1497.001
User Activity Based Checks
T1497.002
Time Based Evasion
T1497.003
Lateral Movement
Exploitation of Remote Services
T1210
Internal Spearphishing
T1534
Lateral Tool Transfer
T1570
Remote Service Session Hijacking
T1563
Sub-techniques
SSH Hijacking
T1563.001
RDP Hijacking
T1563.002
Remote Services
T1021
Sub-techniques
Remote Desktop Protocol
T1021.001
SMB/Windows Admin Shares
T1021.002
Distributed Component Object Model
T1021.003
SSH
T1021.004
VNC
T1021.005
Windows Remote Management
T1021.006
Replication Through Removable Media
T1091
Software Deployment Tools
T1072
Taint Shared Content
T1080
Use Alternate Authentication Material
T1550
Sub-techniques
Application Access Token
T1550.001
Pass the Hash
T1550.002
Pass the Ticket
T1550.003
Web Session Cookie
T1550.004
Collection
Adversary-in-the-Middle
T1557
Sub-techniques
LLMNR/NBT-NS Poisoning and SMB Relay
T1557.001
ARP Cache Poisoning
T1557.002
Archive Collected Data
T1560
Sub-techniques
Archive via Utility
T1560.001
Archive via Library
T1560.002
Archive via Custom Method
T1560.003
Audio Capture
T1123
Automated Collection
T1119
Browser Session Hijacking
T1185
Clipboard Data
T1115
Data from Cloud Storage Object
T1530
Data from Configuration Repository
T1602
Sub-techniques
SNMP (MIB Dump)
T1602.001
Network Device Configuration Dump
T1602.002
Data from Information Repositories
T1213
Sub-techniques
Confluence
T1213.001
Sharepoint
T1213.002
Code Repositories
T1213.003
Data from Local System
T1005
Data from Network Shared Drive
T1039
Data from Removable Media
T1025
Data Staged
T1074
Sub-techniques
Local Data Staging
T1074.001
Remote Data Staging
T1074.002
Email Collection
T1114
Sub-techniques
Local Email Collection
T1114.001
Remote Email Collection
T1114.002
Email Forwarding Rule
T1114.003
Input Capture
T1056
Sub-techniques
Keylogging
T1056.001
GUI Input Capture
T1056.002
Web Portal Capture
T1056.003
Credential API Hooking
T1056.004
Screen Capture
T1113
Video Capture
T1125
Exfiltration
Automated Exfiltration
T1020
Sub-techniques
Traffic Duplication
T1020.001
Data Transfer Size Limits
T1030
Exfiltration Over Alternative Protocol
T1048
Sub-techniques
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
T1048.001
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.002
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1048.003
Exfiltration Over C2 Channel
T1041
Exfiltration Over Other Network Medium
T1011
Sub-techniques
Exfiltration Over Bluetooth
T1011.001
Exfiltration Over Physical Medium
T1052
Sub-techniques
Exfiltration over USB
T1052.001
Exfiltration Over Web Service
T1567
Sub-techniques
Exfiltration to Code Repository
T1567.001
Exfiltration to Cloud Storage
T1567.002
Scheduled Transfer
T1029
Transfer Data to Cloud Account
T1537
Command and Control
Application Layer Protocol
T1071
Sub-techniques
Web Protocols
T1071.001
File Transfer Protocols
T1071.002
Mail Protocols
T1071.003
DNS
T1071.004
Communication Through Removable Media
T1092
Data Encoding
T1132
Sub-techniques
Standard Encoding
T1132.001
Non-Standard Encoding
T1132.002
Data Obfuscation
T1001
Sub-techniques
Junk Data
T1001.001
Steganography
T1001.002
Protocol Impersonation
T1001.003
Dynamic Resolution
T1568
Sub-techniques
Fast Flux DNS
T1568.001
Domain Generation Algorithms
T1568.002
DNS Calculation
T1568.003
Encrypted Channel
T1573
Sub-techniques
Symmetric Cryptography
T1573.001
Asymmetric Cryptography
T1573.002
Fallback Channels
T1008
Ingress Tool Transfer
T1105
Multi-Stage Channels
T1104
Non-Application Layer Protocol
T1095
Non-Standard Port
T1571
Protocol Tunneling
T1572
Proxy
T1090
Sub-techniques
Internal Proxy
T1090.001
External Proxy
T1090.002
Multi-hop Proxy
T1090.003
Domain Fronting
T1090.004
Remote Access Software
T1219
Traffic Signaling
T1205
Sub-techniques
Port Knocking
T1205.001
Web Service
T1102
Sub-techniques
Dead Drop Resolver
T1102.001
Bidirectional Communication
T1102.002
One-Way Communication
T1102.003
Impact
Account Access Removal
T1531
Data Destruction
T1485
Data Encrypted for Impact
T1486
Data Manipulation
T1565
Sub-techniques
Stored Data Manipulation
T1565.001
Transmitted Data Manipulation
T1565.002
Runtime Data Manipulation
T1565.003
Defacement
T1491
Sub-techniques
Internal Defacement
T1491.001
External Defacement
T1491.002
Disk Wipe
T1561
Sub-techniques
Disk Content Wipe
T1561.001
Disk Structure Wipe
T1561.002
Endpoint Denial of Service
T1499
Sub-techniques
OS Exhaustion Flood
T1499.001
Service Exhaustion Flood
T1499.002
Application Exhaustion Flood
T1499.003
Application or System Exploitation
T1499.004
Firmware Corruption
T1495
Inhibit System Recovery
T1490
Network Denial of Service
T1498
Sub-techniques
Direct Network Flood
T1498.001
Reflection Amplification
T1498.002
Resource Hijacking
T1496
Service Stop
T1489
System Shutdown/Reboot
T1529
Defense Evasion
Abuse Elevation Control Mechanism
T1548
Sub-techniques
Setuid and Setgid
T1548.001
Bypass User Account Control
T1548.002
Sudo and Sudo Caching
T1548.003
Elevated Execution with Prompt
T1548.004
Access Token Manipulation
T1134
Sub-techniques
Token Impersonation/Theft
T1134.001
Create Process with Token
T1134.002
Make and Impersonate Token
T1134.003
Parent PID Spoofing
T1134.004
SID-History Injection
T1134.005
BITS Jobs
T1197
Build Image on Host
T1612
Deobfuscate/Decode Files or Information
T1140
Deploy Container
T1610
Direct Volume Access
T1006
Domain Policy Modification
T1484
Sub-techniques
Group Policy Modification
T1484.001
Domain Trust Modification
T1484.002
Execution Guardrails
T1480
Sub-techniques
Environmental Keying
T1480.001
Exploitation for Defense Evasion
T1211
File and Directory Permissions Modification
T1222
Sub-techniques
Windows File and Directory Permissions Modification
T1222.001
Linux and Mac File and Directory Permissions Modification
T1222.002
Hide Artifacts
T1564
Sub-techniques
Hidden Files and Directories
T1564.001
Hidden Users
T1564.002
Hidden Window
T1564.003
NTFS File Attributes
T1564.004
Hidden File System
T1564.005
Run Virtual Instance
T1564.006
VBA Stomping
T1564.007
Email Hiding Rules
T1564.008
Resource Forking
T1564.009
Hijack Execution Flow
T1574
Sub-techniques
DLL Search Order Hijacking
T1574.001
DLL Side-Loading
T1574.002
Dylib Hijacking
T1574.004
Executable Installer File Permissions Weakness
T1574.005
Dynamic Linker Hijacking
T1574.006
Path Interception by PATH Environment Variable
T1574.007
Path Interception by Search Order Hijacking
T1574.008
Path Interception by Unquoted Path
T1574.009
Services File Permissions Weakness
T1574.010
Services Registry Permissions Weakness
T1574.011
COR_PROFILER
T1574.012
Impair Defenses
T1562
Sub-techniques
Disable or Modify Tools
T1562.001
Disable Windows Event Logging
T1562.002
Impair Command History Logging
T1562.003
Disable or Modify System Firewall
T1562.004
Indicator Blocking
T1562.006
Disable or Modify Cloud Firewall
T1562.007
Disable Cloud Logs
T1562.008
Safe Mode Boot
T1562.009
Downgrade Attack
T1562.010
Indicator Removal on Host
T1070
Sub-techniques
Clear Windows Event Logs
T1070.001
Clear Linux or Mac System Logs
T1070.002
Clear Command History
T1070.003
File Deletion
T1070.004
Network Share Connection Removal
T1070.005
Timestomp
T1070.006
Indirect Command Execution
T1202
Masquerading
T1036
Sub-techniques
Invalid Code Signature
T1036.001
Right-to-Left Override
T1036.002
Rename System Utilities
T1036.003
Masquerade Task or Service
T1036.004
Match Legitimate Name or Location
T1036.005
Space after Filename
T1036.006
Double File Extension
T1036.007
Modify Authentication Process
T1556
Sub-techniques
Domain Controller Authentication
T1556.001
Password Filter DLL
T1556.002
Pluggable Authentication Modules
T1556.003
Network Device Authentication
T1556.004
Modify Cloud Compute Infrastructure
T1578
Sub-techniques
Create Snapshot
T1578.001
Create Cloud Instance
T1578.002
Delete Cloud Instance
T1578.003
Revert Cloud Instance
T1578.004
Modify Registry
T1112
Modify System Image
T1601
Sub-techniques
Patch System Image
T1601.001
Downgrade System Image
T1601.002
Network Boundary Bridging
T1599
Sub-techniques
Network Address Translation Traversal
T1599.001
Obfuscated Files or Information
T1027
Sub-techniques
Binary Padding
T1027.001
Software Packing
T1027.002
Steganography
T1027.003
Compile After Delivery
T1027.004
Indicator Removal from Tools
T1027.005
HTML Smuggling
T1027.006
Pre-OS Boot
T1542
Sub-techniques
System Firmware
T1542.001
Component Firmware
T1542.002
Bootkit
T1542.003
ROMMONkit
T1542.004
TFTP Boot
T1542.005
Process Injection
T1055
Sub-techniques
Dynamic-link Library Injection
T1055.001
Portable Executable Injection
T1055.002
Thread Execution Hijacking
T1055.003
Asynchronous Procedure Call
T1055.004
Thread Local Storage
T1055.005
Ptrace System Calls
T1055.008
Proc Memory
T1055.009
Extra Window Memory Injection
T1055.011
Process Hollowing
T1055.012
Process Doppelgänging
T1055.013
VDSO Hijacking
T1055.014
Reflective Code Loading
T1620
Rogue Domain Controller
T1207
Rootkit
T1014
Signed Binary Proxy Execution
T1218
Sub-techniques
Compiled HTML File
T1218.001
Control Panel
T1218.002
CMSTP
T1218.003
InstallUtil
T1218.004
Mshta
T1218.005
Msiexec
T1218.007
Odbcconf
T1218.008
Regsvcs/Regasm
T1218.009
Regsvr32
T1218.010
Rundll32
T1218.011
Verclsid
T1218.012
Mavinject
T1218.013
MMC
T1218.014
Signed Script Proxy Execution
T1216
Sub-techniques
PubPrn
T1216.001
Subvert Trust Controls
T1553
Sub-techniques
Gatekeeper Bypass
T1553.001
Code Signing
T1553.002
SIP and Trust Provider Hijacking
T1553.003
Install Root Certificate
T1553.004
Mark-of-the-Web Bypass
T1553.005
Code Signing Policy Modification
T1553.006
Template Injection
T1221
Traffic Signaling
T1205
Sub-techniques
Port Knocking
T1205.001
Trusted Developer Utilities Proxy Execution
T1127
Sub-techniques
MSBuild
T1127.001
Unused/Unsupported Cloud Regions
T1535
Use Alternate Authentication Material
T1550
Sub-techniques
Application Access Token
T1550.001
Pass the Hash
T1550.002
Pass the Ticket
T1550.003
Web Session Cookie
T1550.004
Valid Accounts
T1078
Sub-techniques
Default Accounts
T1078.001
Domain Accounts
T1078.002
Local Accounts
T1078.003
Cloud Accounts
T1078.004
Virtualization/Sandbox Evasion
T1497
Sub-techniques
System Checks
T1497.001
User Activity Based Checks
T1497.002
Time Based Evasion
T1497.003
Weaken Encryption
T1600
Sub-techniques
Reduce Key Space
T1600.001
Disable Crypto Hardware
T1600.002
XSL Script Processing
T1220