Post on 28-Mar-2020
MITRE ATT&CK®: APT29 Techniques Mapped to Mitigations and Data Sources
About This DiagramAligning your defenses to adversaries with ATT&CK
Resourcesattack.mitre.org • Access ATT&CK technical information
• Contribute to ATT&CK
• Follow our blog
• Watch ATT&CK presentations
attackevals.mitre.org MITRE ATT&CK Evaluations
@MITREattack
mitre-att&ck
ATT&CK provides a framework for defenders to enhance their posture against specific adversaries. To use ATT&CK in this way, find an adversary group you’re interested in and identify the techniques that they are known to use. For each technique, pull up the technique page to see how that adversary uses the technique, as well as how you can potentially mitigate and detect it.
This chart helps visualize the results. Here, we have the techniques that APT29 is known to use in the middle column. We linked each technique on the left to potential means of mitigation and on the right to data sources that defenders can use to potentially detect the technique. Defenders can look at this chart either to see how their current mitigations and data sources stack up to APT29, or as a roadmap to plan how they can architect their defenses.
For more information, you can read about APT29, or other groups, on the ATT&CK website: attack.mitre.org.
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them.
Get Started with ATT&CK
LegendLow PriorityHigh Priority
LegendAPT28APT29Both
Comparing APT28 to APT29
Finding Gaps in Defense
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management Instrumentation EventSubscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through Removable Media
Connection Proxy
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScriptApplication Deployment
SoftwareDistributed Component
Object Model
Exploitation ofRemote Services
Logon ScriptsPass the HashPass the Ticket
Remote Desktop ProtocolRemote File CopyRemote Services
Replication ThroughRemovable MediaShared WebrootSSH Hijacking
Taint Shared ContentThird-party Software
Windows Admin SharesWindows Remote
Management
Commonly Used PortCommunication Through
Removable MediaConnection Proxy
Custom Command andControl Protocol
Custom CryptographicProtocol
Data EncodingData ObfuscationDomain Fronting
Domain GenerationAlgorithms
Fallback ChannelsMultiband Communication
Multi-hop ProxyMultilayer EncryptionMulti-Stage Channels
Port KnockingRemote Access Tools
Remote File CopyStandard Application Layer
ProtocolStandard Cryptographic
ProtocolStandard Non-Application
Layer ProtocolUncommonly Used Port
Web Service
Automated ExfiltrationData Compressed
Data EncryptedData Transfer Size Limits
Exfiltration Over OtherNetwork Medium
Exfiltration Over Commandand Control Channel
Exfiltration Over AlternativeProtocol
Exfiltration OverPhysical Medium
Scheduled Transfer
Data DestructionData Encrypted for Impact
DefacementDisk Content WipeDisk Structure Wipe
Endpoint Denial of ServiceFirmware Corruption
Inhibit System RecoveryNetwork Denial of Service
Resource HijackingRuntime Data Manipulation
Service StopStored Data Manipulation
Transmitted DataManipulation
Audio CaptureAutomated Collection
Clipboard DataData from Information
RepositoriesData from Local System
Data from NetworkShared Drive
Data from Removable MediaData Staged
Email CollectionInput Capture
Man in the BrowserScreen CaptureVideo Capture
Drive-by CompromiseExploit Public-Facing
ApplicationExternal Remote Services
Hardware AdditionsReplication ThroughRemovable Media
Spearphishing AttachmentSpearphishing Link
Spearphishing via ServiceSupply Chain Compromise
Trusted RelationshipValid Accounts
AppleScriptCMSTP
Command-Line InterfaceCompiled HTML FileControl Panel Items
Dynamic Data ExchangeExecution through API
Execution throughModule Load
Exploitation forClient Execution
Graphical User InterfaceInstallUtil
MshtaPowerShell
Regsvcs/RegasmRegsvr32Rundll32Scripting
Service ExecutionSigned Binary
Proxy ExecutionSigned Script
Proxy ExecutionSource
Space after FilenameThird-party Software
Trusted Developer Utilities
DLL Search Order HijackingImage File Execution Options Injection
Plist ModificationValid Accounts
Accessibility FeaturesAppCert DLLsAppInit DLLs
Application ShimmingDylib Hijacking
File System Permissions WeaknessHooking
Launch DaemonNew Service
Path InterceptionPort Monitors
Service Registry Permissions WeaknessSetuid and Setgid
Startup ItemsWeb Shell
.bash_profile and .bashrcAccount Manipulation
Authentication PackageBITS Jobs
BootkitBrowser Extensions
Change DefaultFile Association
Component Firmware
BITS JobsClear Command History
CMSTPCode Signing
Compiled HTML FileComponent Firmware
Component Object ModelHijacking
Control Panel ItemsDCShadow
Deobfuscate/Decode Filesor Information
Disabling Security ToolsDLL Side-Loading
Execution GuardrailsExploitation for
Defense EvasionFile Deletion
File PermissionsModification
File System Logical OffsetsGatekeeper Bypass
Group Policy ModificationHidden Files and Directories
Hidden Users
Exploitation forPrivilege EscalationSID-History Injection
SudoSudo Caching
Scheduled Task Binary Padding Network SniffingLaunchctl
Local Job SchedulingLSASS Driver
Trap
Access Token ManipulationBypass User Account Control
Extra Window Memory InjectionProcess Injection
Account ManipulationBash HistoryBrute Force
Credential DumpingCredentials in Files
Credentials in RegistryExploitation for
Credential AccessForced Authentication
HookingInput CaptureInput PromptKerberoasting
KeychainLLMNR/NBT-NS Poisoning
and RelayPassword Filter DLL
Private KeysSecurityd Memory
Two-Factor AuthenticationInterception
Account DiscoveryApplication Window
DiscoveryBrowser Bookmark
DiscoveryDomain Trust Discovery
File and Directory DiscoveryNetwork Service ScanningNetwork Share Discovery
Password Policy DiscoveryPeripheral Device Discovery
Permission Groups DiscoveryProcess DiscoveryQuery Discovery
Remote System DiscoverySecurity Software Discovery
System InformationDiscovery
System NetworkConfiguration Discovery
System NetworkConnections Discovery
System Owner/UserDiscovery
System Service DiscoverySystem Time DiscoveryVirtualization/Sandbox
Evasion
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management Instrumentation EventSubscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through Removable Media
Connection Proxy
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
EnterpriseFramework
To help cyber defenders gain a common understandingof the threats they face, MITRE developed the ATT&CK framework. It’s a globally-accessible knowledge base of adversary tactics and techniques based on real world observations and open source research contributed bythe cyber community.
Used by organizations around the world, ATT&CK provides a shared understanding of adversary tactics, techniques and procedures and how to detect, prevent, and/ormitigate them.
ATT&CK is open and available to any person or organization for use at no charge.
For more than 60 years, MITRE has worked in the public interest. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.
SOLVING PROBLEMSFOR A SAFER WORLD
SOLVING PROBLEMSFOR A SAFER WORLD
Anti-virus
API monitoring
Authentication logs
Binary file metadata
Detonation chamber
DLL monitoring
DNS records
Email gateway
Environment variable
File monitoring
Host network interface
Loaded DLLs
Mail server
Malware reverse engineering
Netflow/Enclave netflow
Network intrusion detection system
Network protocol analysis
Packet capture
PowerShell logs
Process command-line parameters
Process monitoring
Process use of network
SSL/TLS inspection
System calls
Web proxy
Windows event logs
Windows Registry
WMI Objects
Active Directory Configuration
Antivirus/Antimalware
Application Isolation and Sandboxing
Audit
Code Signing
Disable or Remove Feature or Program
Encrypt Sensitive Information
Execution Prevention
Exploit Protection
Filter Network Traffic
Limit Access to Resource Over Network
Network Intrusion Prevention
Network Segmentation
Operating System Configuration
Password Policies
Privileged Account Management
Remote Data Storage
Restrict File and Directory Permissions
Restrict Web-Based Content
SSL/TLS Inspection
User Account Control
User Account Management
User Training
Mitigations APT29 Techniques Data Sources
Mitigate It! Detect It!
Accessibility Features
Bypass User Account Control
Commonly Used Port
Domain Fronting
Exploitation for Client Execution
Indicator Removal on Host
Multi-hop Proxy
Obfuscated Files or Information
Pass the Ticket
PowerShell
Scheduled Task
Software Packing
Spearphishing Attachment
Spearphishing Link
Standard Non-Application Layer Protocol
User Execution
Windows Management Instrumentation
Scripting
Accessibility Features
Bypass User Account Control
Commonly Used Port
Domain Fronting
Exploitation for Client Execution
Indicator Removal on Host
Multi-hop Proxy
Obfuscated Files or Information
Pass the Ticket
PowerShell
Rundll32Rundll32
Scheduled Task
Shortcut ModificationShortcut Modification
Software Packing
Spearphishing Attachment
Spearphishing Link
Standard Non-Application Layer Protocol
User Execution
Windows Management Instrumentation
Windows Management Instrumentation Event SubscriptionWindows Management Instrumentation Event Subscription
Scripting
SOLVING PROBLEMSFOR A SAFER WORLD
MITRE ATT&CK®
Enterprise Framework
attack.mitre.org
© 2020 MITRE Matrix current as of February 2020
Defense EvasionAccess Token Manipula�on
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile A�er Delivery
Compiled HTML File
Component Firmware
Component ObjectModel Hijacking
Connec�on Proxy
Control Panel Items
DCShadow
Deobfuscate/Decode Filesor Informa�on
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execu�on Guardrails
Exploita�on forDefense EvasionExtra Window
Memory Injec�onFile and Directory
Permissions Modifica�on
File Dele�on
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modifica�on
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execu�on Op�ons Injec�on
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execu�on
Install Root Cer�ficate
InstallU�l
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connec�on Removal
NTFS File A�ributes
Obfuscated Files or Informa�on
Parent PID Spoofing
Plist Modifica�on
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injec�on
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scrip�ng
Signed Binary Proxy Execu�on
Signed Script Proxy Execu�on
SIP and Trust Provider Hijacking
So�ware Packing
Space a�er Filename
Template Injec�on
Timestomp
Trusted Developer U�li�es
Valid Accounts
Virtualiza�on/Sandbox Evasion
Web Service
XSL Script Processing
Ini�al AccessDrive-by Compromise
Exploit Public-Facing Applica�on
External Remote Services
Hardware Addi�ons
Replica�on ThroughRemovable Media
Spearphishing A�achment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Rela�onship
Valid Accounts
Execu�onAppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Component Object Model and Distributed COM
Control Panel Items
Dynamic Data Exchange
Execu�on through API
Execu�on throughModule Load
Exploita�on forClient Execu�on
Graphical User Interface
InstallU�l
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scrip�ng
Service Execu�on
Signed Binary Proxy Execu�on
Signed Script Proxy Execu�on
Source
Space a�er Filename
Third-party So�ware
Trap
Trusted Developer U�li�es
User Execu�on
Windows Management Instrumenta�on
Windows RemoteManagement
XSL Script Processing
Persistence.bash_profile and .bashrc
Accessibility Features
Account Manipula�on
AppCert DLLs
AppInit DLLs
Applica�on Shimming
Authen�ca�on Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Associa�on
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
Emond
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execu�on Op�ons Injec�on
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addi�on
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Exis�ng Service
Netsh Helper DLL
New Service
Office Applica�on Startup
Path Intercep�on
Plist Modifica�on
Port Knocking
Port Monitors
PowerShell Profile
Rc.common
Re-openedApplica�ons
Redundant Access
Registry Run Keys /Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Server So�wareComponent
Service RegistryPermissions Weakness
Setuid and Setgid
Shortcut Modifica�on
SIP and TrustProvider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web ShellWindows ManagementInstrumenta�on Event
Subscrip�onWinlogon Helper DLL
Privilege Escala�onAccess Token Manipula�on
Accessibility Features
AppCert DLLs
AppInit DLLs
Applica�on Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Elevated Execu�on with Prompt
Emond
Exploita�on for Privilege Escala�on
Extra Window MemoryInjec�on
File System Permissions Weakness
Hooking
Image File Execu�on Op�ons Injec�on
Launch Daemon
New Service
Parent PID Spoofing
Path Intercep�on
Plist Modifica�on
Port Monitors
PowerShell Profile
Process Injec�on
Scheduled Task
Service Registry Permissions Weakness
Setuid and Setgid
SID-History Injec�on
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Creden�al AccessAccount Manipula�on
Bash History
Brute Force
Creden�al Dumping
Creden�als fromWeb Browsers
Creden�als in Files
Creden�als in Registry
Exploita�on forCreden�al Access
Forced Authen�ca�on
Hooking
Input Capture
Input Prompt
Kerberoas�ng
Keychain
LLMNR/NBT-NSPoisoning and Relay
Network Sniffing
Password Filter DLL
Private Keys
Steal Web Session Cookie
Securityd Memory
Two-Factor Authen�ca�on Intercep�on
DiscoveryAccount Discovery
Applica�on WindowDiscovery
Browser BookmarkDiscovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral DeviceDiscovery
Permission GroupsDiscovery
Process Discovery
Query Registry
Remote SystemDiscovery
Security So�wareDiscovery
So�ware Discovery
System Informa�onDiscovery
System NetworkConfigura�on Discovery
System NetworkConnec�ons Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualiza�on/SandboxEvasion
Lateral MovementAppleScript
Applica�onDeployment So�ware
Component Object Modeland Distributed COM
Exploita�on of RemoteServices
Logon Scripts
Internal Spearphishing
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replica�on ThroughRemovable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party So�ware
Windows Admin Shares
Windows RemoteManagement
Collec�onAudio Capture
Automated Collec�on
Clipboard Data
Data from Informa�on Repositories
Data from Local System
Data from NetworkShared Drive
Data fromRemovable Media
Data Staged
Email Collec�on
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command and ControlCommonly Used Port
Communica�on Through Removable Media
Connec�on Proxy
Custom Commandand Control Protocol
Custom CryptographicProtocol
Data Encoding
Data Obfusca�on
Domain Fron�ng
Domain Genera�onAlgorithms
Fallback Channels
Mul�-hop Proxy
Mul�-Stage Channels
Mul�band Communica�on
Mul�layer Encryp�on
Port Knocking
Remote Access Tools
Remote File Copy
Standard Applica�onLayer Protocol
Standard Cryptographic Protocol
Standard Non-Applica�onLayer Protocol
Uncommonly Used Port
Web Service
Exfiltra�onAutomated Exfiltra�on
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltra�on OverAlterna�ve Protocol
Exfiltra�on Over Commandand Control Channel
Exfiltra�on OverOther Network Medium
Exfiltra�on OverPhysical Medium
Scheduled Transfer
ImpactAccount Access Removal
Data Destruc�on
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corrup�on
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Run�me Data Manipula�on
Service Stop
System Shutdown/Reboot
Stored Data Manipula�on
Transmi�ed DataManipula�on