{ "att&ck": { "Reconnaissance": { "T1589": "Gather Victim Identity Information", "T1589.001": "Gather Victim Identity Information::Credentials", "T1589.002": "Gather Victim Identity Information::Email Addresses", "T1589.003": "Gather Victim Identity Information::Employee Names", "T1590": "Gather Victim Network Information", "T1590.001": "Gather Victim Network Information::Domain Properties", "T1590.002": "Gather Victim Network Information::DNS", "T1590.003": "Gather Victim Network Information::Network Trust Dependencies", "T1590.004": "Gather Victim Network Information::Network Topology", "T1590.005": "Gather Victim Network Information::IP Addresses", "T1590.006": "Gather Victim Network Information::Network Security Appliances", "T1591": "Gather Victim Org Information", "T1591.001": "Gather Victim Org Information::Determine Physical Locations", "T1591.002": "Gather Victim Org Information::Business Relationships", "T1591.003": "Gather Victim Org Information::Identify Business Tempo", "T1591.004": "Gather Victim Org Information::Identify Roles", "T1592": "Gather Victim Host Information", "T1592.001": "Gather Victim Host Information::Hardware", "T1592.002": "Gather Victim Host Information::Software", "T1592.003": "Gather Victim Host Information::Firmware", "T1592.004": "Gather Victim Host Information::Client Configurations", "T1593": "Search Open Websites/Domains", "T1593.001": "Search Open Websites/Domains::Social Media", "T1593.002": "Search Open Websites/Domains::Search Engines", "T1593.003": "Search Open Websites/Domains::Code Repositories", "T1594": "Search Victim-Owned Websites", "T1595": "Active Scanning", "T1595.001": "Active Scanning::Scanning IP Blocks", "T1595.002": "Active Scanning::Vulnerability Scanning", "T1595.003": "Active Scanning::Wordlist Scanning", "T1596": "Search Open Technical Databases", "T1596.001": "Search Open Technical Databases::DNS/Passive DNS", "T1596.002": "Search Open Technical Databases::WHOIS", "T1596.003": "Search Open Technical Databases::Digital Certificates", "T1596.004": "Search Open Technical Databases::CDNs", "T1596.005": "Search Open Technical Databases::Scan Databases", "T1597": "Search Closed Sources", "T1597.001": "Search Closed Sources::Threat Intel Vendors", "T1597.002": "Search Closed Sources::Purchase Technical Data", "T1598": "Phishing for Information", "T1598.001": "Phishing for Information::Spearphishing Service", "T1598.002": "Phishing for Information::Spearphishing Attachment", "T1598.003": "Phishing for Information::Spearphishing Link", "T1598.004": "Phishing for Information::Spearphishing Voice" }, "Resource Development": { "T1583": "Acquire Infrastructure", "T1583.001": "Acquire Infrastructure::Domains", "T1583.002": "Acquire Infrastructure::DNS Server", "T1583.003": "Acquire Infrastructure::Virtual Private Server", "T1583.004": "Acquire Infrastructure::Server", "T1583.005": "Acquire Infrastructure::Botnet", "T1583.006": "Acquire Infrastructure::Web Services", "T1583.007": "Acquire Infrastructure::Serverless", "T1583.008": "Acquire Infrastructure::Malvertising", "T1584": "Compromise Infrastructure", "T1584.001": "Compromise Infrastructure::Domains", "T1584.002": "Compromise Infrastructure::DNS Server", "T1584.003": "Compromise Infrastructure::Virtual Private Server", "T1584.004": "Compromise Infrastructure::Server", "T1584.005": "Compromise Infrastructure::Botnet", "T1584.006": "Compromise Infrastructure::Web Services", "T1584.007": "Compromise Infrastructure::Serverless", "T1585": "Establish Accounts", "T1585.001": "Establish Accounts::Social Media Accounts", "T1585.002": "Establish Accounts::Email Accounts", "T1585.003": "Establish Accounts::Cloud Accounts", "T1586": "Compromise Accounts", "T1586.001": "Compromise Accounts::Social Media Accounts", "T1586.002": "Compromise Accounts::Email Accounts", "T1586.003": "Compromise Accounts::Cloud Accounts", "T1587": "Develop Capabilities", "T1587.001": "Develop Capabilities::Malware", "T1587.002": "Develop Capabilities::Code Signing Certificates", "T1587.003": "Develop Capabilities::Digital Certificates", "T1587.004": "Develop Capabilities::Exploits", "T1588": "Obtain Capabilities", "T1588.001": "Obtain Capabilities::Malware", "T1588.002": "Obtain Capabilities::Tool", "T1588.003": "Obtain Capabilities::Code Signing Certificates", "T1588.004": "Obtain Capabilities::Digital Certificates", "T1588.005": "Obtain Capabilities::Exploits", "T1588.006": "Obtain Capabilities::Vulnerabilities", "T1608": "Stage Capabilities", "T1608.001": "Stage Capabilities::Upload Malware", "T1608.002": "Stage Capabilities::Upload Tool", "T1608.003": "Stage Capabilities::Install Digital Certificate", "T1608.004": "Stage Capabilities::Drive-by Target", "T1608.005": "Stage Capabilities::Link Target", "T1608.006": "Stage Capabilities::SEO Poisoning", "T1650": "Acquire Access" }, "Initial Access": { "T1078": "Valid Accounts", "T1078.001": "Valid Accounts::Default Accounts", "T1078.002": "Valid Accounts::Domain Accounts", "T1078.003": "Valid Accounts::Local Accounts", "T1078.004": "Valid Accounts::Cloud Accounts", "T1091": "Replication Through Removable Media", "T1133": "External Remote Services", "T1189": "Drive-by Compromise", "T1190": "Exploit Public-Facing Application", "T1195": "Supply Chain Compromise", "T1195.001": "Supply Chain Compromise::Compromise Software Dependencies and Development Tools", "T1195.002": "Supply Chain Compromise::Compromise Software Supply Chain", "T1195.003": "Supply Chain Compromise::Compromise Hardware Supply Chain", "T1199": "Trusted Relationship", "T1200": "Hardware Additions", "T1566": "Phishing", "T1566.001": "Phishing::Spearphishing Attachment", "T1566.002": "Phishing::Spearphishing Link", "T1566.003": "Phishing::Spearphishing via Service", "T1566.004": "Phishing::Spearphishing Voice", "T1659": "Content Injection" }, "Execution": { "T1047": "Windows Management Instrumentation", "T1053": "Scheduled Task/Job", "T1053.002": "Scheduled Task/Job::At", "T1053.003": "Scheduled Task/Job::Cron", "T1053.005": "Scheduled Task/Job::Scheduled Task", "T1053.006": "Scheduled Task/Job::Systemd Timers", "T1053.007": "Scheduled Task/Job::Container Orchestration Job", "T1059": "Command and Scripting Interpreter", "T1059.001": "Command and Scripting Interpreter::PowerShell", "T1059.002": "Command and Scripting Interpreter::AppleScript", "T1059.003": "Command and Scripting Interpreter::Windows Command Shell", "T1059.004": "Command and Scripting Interpreter::Unix Shell", "T1059.005": "Command and Scripting Interpreter::Visual Basic", "T1059.006": "Command and Scripting Interpreter::Python", "T1059.007": "Command and Scripting Interpreter::JavaScript", "T1059.008": "Command and Scripting Interpreter::Network Device CLI", "T1059.009": "Command and Scripting Interpreter::Cloud API", "T1072": "Software Deployment Tools", "T1106": "Native API", "T1129": "Shared Modules", "T1203": "Exploitation for Client Execution", "T1204": "User Execution", "T1204.001": "User Execution::Malicious Link", "T1204.002": "User Execution::Malicious File", "T1204.003": "User Execution::Malicious Image", "T1559": "Inter-Process Communication", "T1559.001": "Inter-Process Communication::Component Object Model", "T1559.002": "Inter-Process Communication::Dynamic Data Exchange", "T1559.003": "Inter-Process Communication::XPC Services", "T1569": "System Services", "T1569.001": "System Services::Launchctl", "T1569.002": "System Services::Service Execution", "T1609": "Container Administration Command", "T1610": "Deploy Container", "T1648": "Serverless Execution", "T1651": "Cloud Administration Command" }, "Persistence": { "T1037": "Boot or Logon Initialization Scripts", "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)", "T1037.002": "Boot or Logon Initialization Scripts::Login Hook", "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script", "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts", "T1037.005": "Boot or Logon Initialization Scripts::Startup Items", "T1053": "Scheduled Task/Job", "T1053.002": "Scheduled Task/Job::At", "T1053.003": "Scheduled Task/Job::Cron", "T1053.005": "Scheduled Task/Job::Scheduled Task", "T1053.006": "Scheduled Task/Job::Systemd Timers", "T1053.007": "Scheduled Task/Job::Container Orchestration Job", "T1078": "Valid Accounts", "T1078.001": "Valid Accounts::Default Accounts", "T1078.002": "Valid Accounts::Domain Accounts", "T1078.003": "Valid Accounts::Local Accounts", "T1078.004": "Valid Accounts::Cloud Accounts", "T1098": "Account Manipulation", "T1098.001": "Account Manipulation::Additional Cloud Credentials", "T1098.002": "Account Manipulation::Additional Email Delegate Permissions", "T1098.003": "Account Manipulation::Additional Cloud Roles", "T1098.004": "Account Manipulation::SSH Authorized Keys", "T1098.005": "Account Manipulation::Device Registration", "T1098.006": "Account Manipulation::Additional Container Cluster Roles", "T1133": "External Remote Services", "T1136": "Create Account", "T1136.001": "Create Account::Local Account", "T1136.002": "Create Account::Domain Account", "T1136.003": "Create Account::Cloud Account", "T1137": "Office Application Startup", "T1137.001": "Office Application Startup::Office Template Macros", "T1137.002": "Office Application Startup::Office Test", "T1137.003": "Office Application Startup::Outlook Forms", "T1137.004": "Office Application Startup::Outlook Home Page", "T1137.005": "Office Application Startup::Outlook Rules", "T1137.006": "Office Application Startup::Add-ins", "T1176": "Browser Extensions", "T1197": "BITS Jobs", "T1205": "Traffic Signaling", "T1205.001": "Traffic Signaling::Port Knocking", "T1205.002": "Traffic Signaling::Socket Filters", "T1505": "Server Software Component", "T1505.001": "Server Software Component::SQL Stored Procedures", "T1505.002": "Server Software Component::Transport Agent", "T1505.003": "Server Software Component::Web Shell", "T1505.004": "Server Software Component::IIS Components", "T1505.005": "Server Software Component::Terminal Services DLL", "T1525": "Implant Internal Image", "T1542": "Pre-OS Boot", "T1542.001": "Pre-OS Boot::System Firmware", "T1542.002": "Pre-OS Boot::Component Firmware", "T1542.003": "Pre-OS Boot::Bootkit", "T1542.004": "Pre-OS Boot::ROMMONkit", "T1542.005": "Pre-OS Boot::TFTP Boot", "T1543": "Create or Modify System Process", "T1543.001": "Create or Modify System Process::Launch Agent", "T1543.002": "Create or Modify System Process::Systemd Service", "T1543.003": "Create or Modify System Process::Windows Service", "T1543.004": "Create or Modify System Process::Launch Daemon", "T1546": "Event Triggered Execution", "T1546.001": "Event Triggered Execution::Change Default File Association", "T1546.002": "Event Triggered Execution::Screensaver", "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription", "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification", "T1546.005": "Event Triggered Execution::Trap", "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition", "T1546.007": "Event Triggered Execution::Netsh Helper DLL", "T1546.008": "Event Triggered Execution::Accessibility Features", "T1546.009": "Event Triggered Execution::AppCert DLLs", "T1546.010": "Event Triggered Execution::AppInit DLLs", "T1546.011": "Event Triggered Execution::Application Shimming", "T1546.012": "Event Triggered Execution::Image File Execution Options Injection", "T1546.013": "Event Triggered Execution::PowerShell Profile", "T1546.014": "Event Triggered Execution::Emond", "T1546.015": "Event Triggered Execution::Component Object Model Hijacking", "T1546.016": "Event Triggered Execution::Installer Packages", "T1547": "Boot or Logon Autostart Execution", "T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder", "T1547.002": "Boot or Logon Autostart Execution::Authentication Package", "T1547.003": "Boot or Logon Autostart Execution::Time Providers", "T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL", "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider", "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions", "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications", "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver", "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification", "T1547.010": "Boot or Logon Autostart Execution::Port Monitors", "T1547.012": "Boot or Logon Autostart Execution::Print Processors", "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries", "T1547.014": "Boot or Logon Autostart Execution::Active Setup", "T1547.015": "Boot or Logon Autostart Execution::Login Items", "T1554": "Compromise Client Software Binary", "T1556": "Modify Authentication Process", "T1556.001": "Modify Authentication Process::Domain Controller Authentication", "T1556.002": "Modify Authentication Process::Password Filter DLL", "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", "T1556.004": "Modify Authentication Process::Network Device Authentication", "T1556.005": "Modify Authentication Process::Reversible Encryption", "T1556.006": "Modify Authentication Process::Multi-Factor Authentication", "T1556.007": "Modify Authentication Process::Hybrid Identity", "T1556.008": "Modify Authentication Process::Network Provider DLL", "T1574": "Hijack Execution Flow", "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", "T1574.002": "Hijack Execution Flow::DLL Side-Loading", "T1574.004": "Hijack Execution Flow::Dylib Hijacking", "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", "T1574.012": "Hijack Execution Flow::COR_PROFILER", "T1574.013": "Hijack Execution Flow::KernelCallbackTable", "T1653": "Power Settings" }, "Privilege Escalation": { "T1037": "Boot or Logon Initialization Scripts", "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)", "T1037.002": "Boot or Logon Initialization Scripts::Login Hook", "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script", "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts", "T1037.005": "Boot or Logon Initialization Scripts::Startup Items", "T1053": "Scheduled Task/Job", "T1053.002": "Scheduled Task/Job::At", "T1053.003": "Scheduled Task/Job::Cron", "T1053.005": "Scheduled Task/Job::Scheduled Task", "T1053.006": "Scheduled Task/Job::Systemd Timers", "T1053.007": "Scheduled Task/Job::Container Orchestration Job", "T1055": "Process Injection", "T1055.001": "Process Injection::Dynamic-link Library Injection", "T1055.002": "Process Injection::Portable Executable Injection", "T1055.003": "Process Injection::Thread Execution Hijacking", "T1055.004": "Process Injection::Asynchronous Procedure Call", "T1055.005": "Process Injection::Thread Local Storage", "T1055.008": "Process Injection::Ptrace System Calls", "T1055.009": "Process Injection::Proc Memory", "T1055.011": "Process Injection::Extra Window Memory Injection", "T1055.012": "Process Injection::Process Hollowing", "T1055.013": "Process Injection::Process Doppelg\u00e4nging", "T1055.014": "Process Injection::VDSO Hijacking", "T1055.015": "Process Injection::ListPlanting", "T1068": "Exploitation for Privilege Escalation", "T1078": "Valid Accounts", "T1078.001": "Valid Accounts::Default Accounts", "T1078.002": "Valid Accounts::Domain Accounts", "T1078.003": "Valid Accounts::Local Accounts", "T1078.004": "Valid Accounts::Cloud Accounts", "T1098": "Account Manipulation", "T1098.001": "Account Manipulation::Additional Cloud Credentials", "T1098.002": "Account Manipulation::Additional Email Delegate Permissions", "T1098.003": "Account Manipulation::Additional Cloud Roles", "T1098.004": "Account Manipulation::SSH Authorized Keys", "T1098.005": "Account Manipulation::Device Registration", "T1098.006": "Account Manipulation::Additional Container Cluster Roles", "T1134": "Access Token Manipulation", "T1134.001": "Access Token Manipulation::Token Impersonation/Theft", "T1134.002": "Access Token Manipulation::Create Process with Token", "T1134.003": "Access Token Manipulation::Make and Impersonate Token", "T1134.004": "Access Token Manipulation::Parent PID Spoofing", "T1134.005": "Access Token Manipulation::SID-History Injection", "T1484": "Domain Policy Modification", "T1484.001": "Domain Policy Modification::Group Policy Modification", "T1484.002": "Domain Policy Modification::Domain Trust Modification", "T1543": "Create or Modify System Process", "T1543.001": "Create or Modify System Process::Launch Agent", "T1543.002": "Create or Modify System Process::Systemd Service", "T1543.003": "Create or Modify System Process::Windows Service", "T1543.004": "Create or Modify System Process::Launch Daemon", "T1546": "Event Triggered Execution", "T1546.001": "Event Triggered Execution::Change Default File Association", "T1546.002": "Event Triggered Execution::Screensaver", "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription", "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification", "T1546.005": "Event Triggered Execution::Trap", "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition", "T1546.007": "Event Triggered Execution::Netsh Helper DLL", "T1546.008": "Event Triggered Execution::Accessibility Features", "T1546.009": "Event Triggered Execution::AppCert DLLs", "T1546.010": "Event Triggered Execution::AppInit DLLs", "T1546.011": "Event Triggered Execution::Application Shimming", "T1546.012": "Event Triggered Execution::Image File Execution Options Injection", "T1546.013": "Event Triggered Execution::PowerShell Profile", "T1546.014": "Event Triggered Execution::Emond", "T1546.015": "Event Triggered Execution::Component Object Model Hijacking", "T1546.016": "Event Triggered Execution::Installer Packages", "T1547": "Boot or Logon Autostart Execution", "T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder", "T1547.002": "Boot or Logon Autostart Execution::Authentication Package", "T1547.003": "Boot or Logon Autostart Execution::Time Providers", "T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL", "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider", "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions", "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications", "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver", "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification", "T1547.010": "Boot or Logon Autostart Execution::Port Monitors", "T1547.012": "Boot or Logon Autostart Execution::Print Processors", "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries", "T1547.014": "Boot or Logon Autostart Execution::Active Setup", "T1547.015": "Boot or Logon Autostart Execution::Login Items", "T1548": "Abuse Elevation Control Mechanism", "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid", "T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control", "T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching", "T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt", "T1548.005": "Abuse Elevation Control Mechanism::Temporary Elevated Cloud Access", "T1574": "Hijack Execution Flow", "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", "T1574.002": "Hijack Execution Flow::DLL Side-Loading", "T1574.004": "Hijack Execution Flow::Dylib Hijacking", "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", "T1574.012": "Hijack Execution Flow::COR_PROFILER", "T1574.013": "Hijack Execution Flow::KernelCallbackTable", "T1611": "Escape to Host" }, "Defense Evasion": { "T1006": "Direct Volume Access", "T1014": "Rootkit", "T1027": "Obfuscated Files or Information", "T1027.001": "Obfuscated Files or Information::Binary Padding", "T1027.002": "Obfuscated Files or Information::Software Packing", "T1027.003": "Obfuscated Files or Information::Steganography", "T1027.004": "Obfuscated Files or Information::Compile After Delivery", "T1027.005": "Obfuscated Files or Information::Indicator Removal from Tools", "T1027.006": "Obfuscated Files or Information::HTML Smuggling", "T1027.007": "Obfuscated Files or Information::Dynamic API Resolution", "T1027.008": "Obfuscated Files or Information::Stripped Payloads", "T1027.009": "Obfuscated Files or Information::Embedded Payloads", "T1027.010": "Obfuscated Files or Information::Command Obfuscation", "T1027.011": "Obfuscated Files or Information::Fileless Storage", "T1027.012": "Obfuscated Files or Information::LNK Icon Smuggling", "T1036": "Masquerading", "T1036.001": "Masquerading::Invalid Code Signature", "T1036.002": "Masquerading::Right-to-Left Override", "T1036.003": "Masquerading::Rename System Utilities", "T1036.004": "Masquerading::Masquerade Task or Service", "T1036.005": "Masquerading::Match Legitimate Name or Location", "T1036.006": "Masquerading::Space after Filename", "T1036.007": "Masquerading::Double File Extension", "T1036.008": "Masquerading::Masquerade File Type", "T1036.009": "Masquerading::Break Process Trees", "T1055": "Process Injection", "T1055.001": "Process Injection::Dynamic-link Library Injection", "T1055.002": "Process Injection::Portable Executable Injection", "T1055.003": "Process Injection::Thread Execution Hijacking", "T1055.004": "Process Injection::Asynchronous Procedure Call", "T1055.005": "Process Injection::Thread Local Storage", "T1055.008": "Process Injection::Ptrace System Calls", "T1055.009": "Process Injection::Proc Memory", "T1055.011": "Process Injection::Extra Window Memory Injection", "T1055.012": "Process Injection::Process Hollowing", "T1055.013": "Process Injection::Process Doppelg\u00e4nging", "T1055.014": "Process Injection::VDSO Hijacking", "T1055.015": "Process Injection::ListPlanting", "T1070": "Indicator Removal", "T1070.001": "Indicator Removal::Clear Windows Event Logs", "T1070.002": "Indicator Removal::Clear Linux or Mac System Logs", "T1070.003": "Indicator Removal::Clear Command History", "T1070.004": "Indicator Removal::File Deletion", "T1070.005": "Indicator Removal::Network Share Connection Removal", "T1070.006": "Indicator Removal::Timestomp", "T1070.007": "Indicator Removal::Clear Network Connection History and Configurations", "T1070.008": "Indicator Removal::Clear Mailbox Data", "T1070.009": "Indicator Removal::Clear Persistence", "T1078": "Valid Accounts", "T1078.001": "Valid Accounts::Default Accounts", "T1078.002": "Valid Accounts::Domain Accounts", "T1078.003": "Valid Accounts::Local Accounts", "T1078.004": "Valid Accounts::Cloud Accounts", "T1112": "Modify Registry", "T1127": "Trusted Developer Utilities Proxy Execution", "T1127.001": "Trusted Developer Utilities Proxy Execution::MSBuild", "T1134": "Access Token Manipulation", "T1134.001": "Access Token Manipulation::Token Impersonation/Theft", "T1134.002": "Access Token Manipulation::Create Process with Token", "T1134.003": "Access Token Manipulation::Make and Impersonate Token", "T1134.004": "Access Token Manipulation::Parent PID Spoofing", "T1134.005": "Access Token Manipulation::SID-History Injection", "T1140": "Deobfuscate/Decode Files or Information", "T1197": "BITS Jobs", "T1202": "Indirect Command Execution", "T1205": "Traffic Signaling", "T1205.001": "Traffic Signaling::Port Knocking", "T1205.002": "Traffic Signaling::Socket Filters", "T1207": "Rogue Domain Controller", "T1211": "Exploitation for Defense Evasion", "T1216": "System Script Proxy Execution", "T1216.001": "System Script Proxy Execution::PubPrn", "T1218": "System Binary Proxy Execution", "T1218.001": "System Binary Proxy Execution::Compiled HTML File", "T1218.002": "System Binary Proxy Execution::Control Panel", "T1218.003": "System Binary Proxy Execution::CMSTP", "T1218.004": "System Binary Proxy Execution::InstallUtil", "T1218.005": "System Binary Proxy Execution::Mshta", "T1218.007": "System Binary Proxy Execution::Msiexec", "T1218.008": "System Binary Proxy Execution::Odbcconf", "T1218.009": "System Binary Proxy Execution::Regsvcs/Regasm", "T1218.010": "System Binary Proxy Execution::Regsvr32", "T1218.011": "System Binary Proxy Execution::Rundll32", "T1218.012": "System Binary Proxy Execution::Verclsid", "T1218.013": "System Binary Proxy Execution::Mavinject", "T1218.014": "System Binary Proxy Execution::MMC", "T1220": "XSL Script Processing", "T1221": "Template Injection", "T1222": "File and Directory Permissions Modification", "T1222.001": "File and Directory Permissions Modification::Windows File and Directory Permissions Modification", "T1222.002": "File and Directory Permissions Modification::Linux and Mac File and Directory Permissions Modification", "T1480": "Execution Guardrails", "T1480.001": "Execution Guardrails::Environmental Keying", "T1484": "Domain Policy Modification", "T1484.001": "Domain Policy Modification::Group Policy Modification", "T1484.002": "Domain Policy Modification::Domain Trust Modification", "T1497": "Virtualization/Sandbox Evasion", "T1497.001": "Virtualization/Sandbox Evasion::System Checks", "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks", "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion", "T1535": "Unused/Unsupported Cloud Regions", "T1542": "Pre-OS Boot", "T1542.001": "Pre-OS Boot::System Firmware", "T1542.002": "Pre-OS Boot::Component Firmware", "T1542.003": "Pre-OS Boot::Bootkit", "T1542.004": "Pre-OS Boot::ROMMONkit", "T1542.005": "Pre-OS Boot::TFTP Boot", "T1548": "Abuse Elevation Control Mechanism", "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid", "T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control", "T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching", "T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt", "T1548.005": "Abuse Elevation Control Mechanism::Temporary Elevated Cloud Access", "T1550": "Use Alternate Authentication Material", "T1550.001": "Use Alternate Authentication Material::Application Access Token", "T1550.002": "Use Alternate Authentication Material::Pass the Hash", "T1550.003": "Use Alternate Authentication Material::Pass the Ticket", "T1550.004": "Use Alternate Authentication Material::Web Session Cookie", "T1553": "Subvert Trust Controls", "T1553.001": "Subvert Trust Controls::Gatekeeper Bypass", "T1553.002": "Subvert Trust Controls::Code Signing", "T1553.003": "Subvert Trust Controls::SIP and Trust Provider Hijacking", "T1553.004": "Subvert Trust Controls::Install Root Certificate", "T1553.005": "Subvert Trust Controls::Mark-of-the-Web Bypass", "T1553.006": "Subvert Trust Controls::Code Signing Policy Modification", "T1556": "Modify Authentication Process", "T1556.001": "Modify Authentication Process::Domain Controller Authentication", "T1556.002": "Modify Authentication Process::Password Filter DLL", "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", "T1556.004": "Modify Authentication Process::Network Device Authentication", "T1556.005": "Modify Authentication Process::Reversible Encryption", "T1556.006": "Modify Authentication Process::Multi-Factor Authentication", "T1556.007": "Modify Authentication Process::Hybrid Identity", "T1556.008": "Modify Authentication Process::Network Provider DLL", "T1562": "Impair Defenses", "T1562.001": "Impair Defenses::Disable or Modify Tools", "T1562.002": "Impair Defenses::Disable Windows Event Logging", "T1562.003": "Impair Defenses::Impair Command History Logging", "T1562.004": "Impair Defenses::Disable or Modify System Firewall", "T1562.006": "Impair Defenses::Indicator Blocking", "T1562.007": "Impair Defenses::Disable or Modify Cloud Firewall", "T1562.008": "Impair Defenses::Disable or Modify Cloud Logs", "T1562.009": "Impair Defenses::Safe Mode Boot", "T1562.010": "Impair Defenses::Downgrade Attack", "T1562.011": "Impair Defenses::Spoof Security Alerting", "T1562.012": "Impair Defenses::Disable or Modify Linux Audit System", "T1564": "Hide Artifacts", "T1564.001": "Hide Artifacts::Hidden Files and Directories", "T1564.002": "Hide Artifacts::Hidden Users", "T1564.003": "Hide Artifacts::Hidden Window", "T1564.004": "Hide Artifacts::NTFS File Attributes", "T1564.005": "Hide Artifacts::Hidden File System", "T1564.006": "Hide Artifacts::Run Virtual Instance", "T1564.007": "Hide Artifacts::VBA Stomping", "T1564.008": "Hide Artifacts::Email Hiding Rules", "T1564.009": "Hide Artifacts::Resource Forking", "T1564.010": "Hide Artifacts::Process Argument Spoofing", "T1564.011": "Hide Artifacts::Ignore Process Interrupts", "T1574": "Hijack Execution Flow", "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", "T1574.002": "Hijack Execution Flow::DLL Side-Loading", "T1574.004": "Hijack Execution Flow::Dylib Hijacking", "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", "T1574.012": "Hijack Execution Flow::COR_PROFILER", "T1574.013": "Hijack Execution Flow::KernelCallbackTable", "T1578": "Modify Cloud Compute Infrastructure", "T1578.001": "Modify Cloud Compute Infrastructure::Create Snapshot", "T1578.002": "Modify Cloud Compute Infrastructure::Create Cloud Instance", "T1578.003": "Modify Cloud Compute Infrastructure::Delete Cloud Instance", "T1578.004": "Modify Cloud Compute Infrastructure::Revert Cloud Instance", "T1578.005": "Modify Cloud Compute Infrastructure::Modify Cloud Compute Configurations", "T1599": "Network Boundary Bridging", "T1599.001": "Network Boundary Bridging::Network Address Translation Traversal", "T1600": "Weaken Encryption", "T1600.001": "Weaken Encryption::Reduce Key Space", "T1600.002": "Weaken Encryption::Disable Crypto Hardware", "T1601": "Modify System Image", "T1601.001": "Modify System Image::Patch System Image", "T1601.002": "Modify System Image::Downgrade System Image", "T1610": "Deploy Container", "T1612": "Build Image on Host", "T1620": "Reflective Code Loading", "T1622": "Debugger Evasion", "T1647": "Plist File Modification", "T1656": "Impersonation" }, "Credential Access": { "T1003": "OS Credential Dumping", "T1003.001": "OS Credential Dumping::LSASS Memory", "T1003.002": "OS Credential Dumping::Security Account Manager", "T1003.003": "OS Credential Dumping::NTDS", "T1003.004": "OS Credential Dumping::LSA Secrets", "T1003.005": "OS Credential Dumping::Cached Domain Credentials", "T1003.006": "OS Credential Dumping::DCSync", "T1003.007": "OS Credential Dumping::Proc Filesystem", "T1003.008": "OS Credential Dumping::/etc/passwd and /etc/shadow", "T1040": "Network Sniffing", "T1056": "Input Capture", "T1056.001": "Input Capture::Keylogging", "T1056.002": "Input Capture::GUI Input Capture", "T1056.003": "Input Capture::Web Portal Capture", "T1056.004": "Input Capture::Credential API Hooking", "T1110": "Brute Force", "T1110.001": "Brute Force::Password Guessing", "T1110.002": "Brute Force::Password Cracking", "T1110.003": "Brute Force::Password Spraying", "T1110.004": "Brute Force::Credential Stuffing", "T1111": "Multi-Factor Authentication Interception", "T1187": "Forced Authentication", "T1212": "Exploitation for Credential Access", "T1528": "Steal Application Access Token", "T1539": "Steal Web Session Cookie", "T1552": "Unsecured Credentials", "T1552.001": "Unsecured Credentials::Credentials In Files", "T1552.002": "Unsecured Credentials::Credentials in Registry", "T1552.003": "Unsecured Credentials::Bash History", "T1552.004": "Unsecured Credentials::Private Keys", "T1552.005": "Unsecured Credentials::Cloud Instance Metadata API", "T1552.006": "Unsecured Credentials::Group Policy Preferences", "T1552.007": "Unsecured Credentials::Container API", "T1552.008": "Unsecured Credentials::Chat Messages", "T1555": "Credentials from Password Stores", "T1555.001": "Credentials from Password Stores::Keychain", "T1555.002": "Credentials from Password Stores::Securityd Memory", "T1555.003": "Credentials from Password Stores::Credentials from Web Browsers", "T1555.004": "Credentials from Password Stores::Windows Credential Manager", "T1555.005": "Credentials from Password Stores::Password Managers", "T1555.006": "Credentials from Password Stores::Cloud Secrets Management Stores", "T1556": "Modify Authentication Process", "T1556.001": "Modify Authentication Process::Domain Controller Authentication", "T1556.002": "Modify Authentication Process::Password Filter DLL", "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", "T1556.004": "Modify Authentication Process::Network Device Authentication", "T1556.005": "Modify Authentication Process::Reversible Encryption", "T1556.006": "Modify Authentication Process::Multi-Factor Authentication", "T1556.007": "Modify Authentication Process::Hybrid Identity", "T1556.008": "Modify Authentication Process::Network Provider DLL", "T1557": "Adversary-in-the-Middle", "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay", "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning", "T1557.003": "Adversary-in-the-Middle::DHCP Spoofing", "T1558": "Steal or Forge Kerberos Tickets", "T1558.001": "Steal or Forge Kerberos Tickets::Golden Ticket", "T1558.002": "Steal or Forge Kerberos Tickets::Silver Ticket", "T1558.003": "Steal or Forge Kerberos Tickets::Kerberoasting", "T1558.004": "Steal or Forge Kerberos Tickets::AS-REP Roasting", "T1606": "Forge Web Credentials", "T1606.001": "Forge Web Credentials::Web Cookies", "T1606.002": "Forge Web Credentials::SAML Tokens", "T1621": "Multi-Factor Authentication Request Generation", "T1649": "Steal or Forge Authentication Certificates" }, "Discovery": { "T1007": "System Service Discovery", "T1010": "Application Window Discovery", "T1012": "Query Registry", "T1016": "System Network Configuration Discovery", "T1016.001": "System Network Configuration Discovery::Internet Connection Discovery", "T1016.002": "System Network Configuration Discovery::Wi-Fi Discovery", "T1018": "Remote System Discovery", "T1033": "System Owner/User Discovery", "T1040": "Network Sniffing", "T1046": "Network Service Discovery", "T1049": "System Network Connections Discovery", "T1057": "Process Discovery", "T1069": "Permission Groups Discovery", "T1069.001": "Permission Groups Discovery::Local Groups", "T1069.002": "Permission Groups Discovery::Domain Groups", "T1069.003": "Permission Groups Discovery::Cloud Groups", "T1082": "System Information Discovery", "T1083": "File and Directory Discovery", "T1087": "Account Discovery", "T1087.001": "Account Discovery::Local Account", "T1087.002": "Account Discovery::Domain Account", "T1087.003": "Account Discovery::Email Account", "T1087.004": "Account Discovery::Cloud Account", "T1120": "Peripheral Device Discovery", "T1124": "System Time Discovery", "T1135": "Network Share Discovery", "T1201": "Password Policy Discovery", "T1217": "Browser Information Discovery", "T1482": "Domain Trust Discovery", "T1497": "Virtualization/Sandbox Evasion", "T1497.001": "Virtualization/Sandbox Evasion::System Checks", "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks", "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion", "T1518": "Software Discovery", "T1518.001": "Software Discovery::Security Software Discovery", "T1526": "Cloud Service Discovery", "T1538": "Cloud Service Dashboard", "T1580": "Cloud Infrastructure Discovery", "T1613": "Container and Resource Discovery", "T1614": "System Location Discovery", "T1614.001": "System Location Discovery::System Language Discovery", "T1615": "Group Policy Discovery", "T1619": "Cloud Storage Object Discovery", "T1622": "Debugger Evasion", "T1652": "Device Driver Discovery", "T1654": "Log Enumeration" }, "Lateral Movement": { "T1021": "Remote Services", "T1021.001": "Remote Services::Remote Desktop Protocol", "T1021.002": "Remote Services::SMB/Windows Admin Shares", "T1021.003": "Remote Services::Distributed Component Object Model", "T1021.004": "Remote Services::SSH", "T1021.005": "Remote Services::VNC", "T1021.006": "Remote Services::Windows Remote Management", "T1021.007": "Remote Services::Cloud Services", "T1021.008": "Remote Services::Direct Cloud VM Connections", "T1072": "Software Deployment Tools", "T1080": "Taint Shared Content", "T1091": "Replication Through Removable Media", "T1210": "Exploitation of Remote Services", "T1534": "Internal Spearphishing", "T1550": "Use Alternate Authentication Material", "T1550.001": "Use Alternate Authentication Material::Application Access Token", "T1550.002": "Use Alternate Authentication Material::Pass the Hash", "T1550.003": "Use Alternate Authentication Material::Pass the Ticket", "T1550.004": "Use Alternate Authentication Material::Web Session Cookie", "T1563": "Remote Service Session Hijacking", "T1563.001": "Remote Service Session Hijacking::SSH Hijacking", "T1563.002": "Remote Service Session Hijacking::RDP Hijacking", "T1570": "Lateral Tool Transfer" }, "Collection": { "T1005": "Data from Local System", "T1025": "Data from Removable Media", "T1039": "Data from Network Shared Drive", "T1056": "Input Capture", "T1056.001": "Input Capture::Keylogging", "T1056.002": "Input Capture::GUI Input Capture", "T1056.003": "Input Capture::Web Portal Capture", "T1056.004": "Input Capture::Credential API Hooking", "T1074": "Data Staged", "T1074.001": "Data Staged::Local Data Staging", "T1074.002": "Data Staged::Remote Data Staging", "T1113": "Screen Capture", "T1114": "Email Collection", "T1114.001": "Email Collection::Local Email Collection", "T1114.002": "Email Collection::Remote Email Collection", "T1114.003": "Email Collection::Email Forwarding Rule", "T1115": "Clipboard Data", "T1119": "Automated Collection", "T1123": "Audio Capture", "T1125": "Video Capture", "T1185": "Browser Session Hijacking", "T1213": "Data from Information Repositories", "T1213.001": "Data from Information Repositories::Confluence", "T1213.002": "Data from Information Repositories::Sharepoint", "T1213.003": "Data from Information Repositories::Code Repositories", "T1530": "Data from Cloud Storage", "T1557": "Adversary-in-the-Middle", "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay", "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning", "T1557.003": "Adversary-in-the-Middle::DHCP Spoofing", "T1560": "Archive Collected Data", "T1560.001": "Archive Collected Data::Archive via Utility", "T1560.002": "Archive Collected Data::Archive via Library", "T1560.003": "Archive Collected Data::Archive via Custom Method", "T1602": "Data from Configuration Repository", "T1602.001": "Data from Configuration Repository::SNMP (MIB Dump)", "T1602.002": "Data from Configuration Repository::Network Device Configuration Dump" }, "Command and Control": { "T1001": "Data Obfuscation", "T1001.001": "Data Obfuscation::Junk Data", "T1001.002": "Data Obfuscation::Steganography", "T1001.003": "Data Obfuscation::Protocol Impersonation", "T1008": "Fallback Channels", "T1071": "Application Layer Protocol", "T1071.001": "Application Layer Protocol::Web Protocols", "T1071.002": "Application Layer Protocol::File Transfer Protocols", "T1071.003": "Application Layer Protocol::Mail Protocols", "T1071.004": "Application Layer Protocol::DNS", "T1090": "Proxy", "T1090.001": "Proxy::Internal Proxy", "T1090.002": "Proxy::External Proxy", "T1090.003": "Proxy::Multi-hop Proxy", "T1090.004": "Proxy::Domain Fronting", "T1092": "Communication Through Removable Media", "T1095": "Non-Application Layer Protocol", "T1102": "Web Service", "T1102.001": "Web Service::Dead Drop Resolver", "T1102.002": "Web Service::Bidirectional Communication", "T1102.003": "Web Service::One-Way Communication", "T1104": "Multi-Stage Channels", "T1105": "Ingress Tool Transfer", "T1132": "Data Encoding", "T1132.001": "Data Encoding::Standard Encoding", "T1132.002": "Data Encoding::Non-Standard Encoding", "T1205": "Traffic Signaling", "T1205.001": "Traffic Signaling::Port Knocking", "T1205.002": "Traffic Signaling::Socket Filters", "T1219": "Remote Access Software", "T1568": "Dynamic Resolution", "T1568.001": "Dynamic Resolution::Fast Flux DNS", "T1568.002": "Dynamic Resolution::Domain Generation Algorithms", "T1568.003": "Dynamic Resolution::DNS Calculation", "T1571": "Non-Standard Port", "T1572": "Protocol Tunneling", "T1573": "Encrypted Channel", "T1573.001": "Encrypted Channel::Symmetric Cryptography", "T1573.002": "Encrypted Channel::Asymmetric Cryptography", "T1659": "Content Injection" }, "Exfiltration": { "T1011": "Exfiltration Over Other Network Medium", "T1011.001": "Exfiltration Over Other Network Medium::Exfiltration Over Bluetooth", "T1020": "Automated Exfiltration", "T1020.001": "Automated Exfiltration::Traffic Duplication", "T1029": "Scheduled Transfer", "T1030": "Data Transfer Size Limits", "T1041": "Exfiltration Over C2 Channel", "T1048": "Exfiltration Over Alternative Protocol", "T1048.001": "Exfiltration Over Alternative Protocol::Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "T1048.002": "Exfiltration Over Alternative Protocol::Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "T1048.003": "Exfiltration Over Alternative Protocol::Exfiltration Over Unencrypted Non-C2 Protocol", "T1052": "Exfiltration Over Physical Medium", "T1052.001": "Exfiltration Over Physical Medium::Exfiltration over USB", "T1537": "Transfer Data to Cloud Account", "T1567": "Exfiltration Over Web Service", "T1567.001": "Exfiltration Over Web Service::Exfiltration to Code Repository", "T1567.002": "Exfiltration Over Web Service::Exfiltration to Cloud Storage", "T1567.003": "Exfiltration Over Web Service::Exfiltration to Text Storage Sites", "T1567.004": "Exfiltration Over Web Service::Exfiltration Over Webhook" }, "Impact": { "T1485": "Data Destruction", "T1486": "Data Encrypted for Impact", "T1489": "Service Stop", "T1490": "Inhibit System Recovery", "T1491": "Defacement", "T1491.001": "Defacement::Internal Defacement", "T1491.002": "Defacement::External Defacement", "T1495": "Firmware Corruption", "T1496": "Resource Hijacking", "T1498": "Network Denial of Service", "T1498.001": "Network Denial of Service::Direct Network Flood", "T1498.002": "Network Denial of Service::Reflection Amplification", "T1499": "Endpoint Denial of Service", "T1499.001": "Endpoint Denial of Service::OS Exhaustion Flood", "T1499.002": "Endpoint Denial of Service::Service Exhaustion Flood", "T1499.003": "Endpoint Denial of Service::Application Exhaustion Flood", "T1499.004": "Endpoint Denial of Service::Application or System Exploitation", "T1529": "System Shutdown/Reboot", "T1531": "Account Access Removal", "T1561": "Disk Wipe", "T1561.001": "Disk Wipe::Disk Content Wipe", "T1561.002": "Disk Wipe::Disk Structure Wipe", "T1565": "Data Manipulation", "T1565.001": "Data Manipulation::Stored Data Manipulation", "T1565.002": "Data Manipulation::Transmitted Data Manipulation", "T1565.003": "Data Manipulation::Runtime Data Manipulation", "T1657": "Financial Theft" } }, "mbc": { "Credential Access": { "B0028": "Cryptocurrency", "B0028.001": "Cryptocurrency::Bitcoin", "B0028.002": "Cryptocurrency::Ethereum", "B0028.003": "Cryptocurrency::Zcash", "E1056": "Input Capture", "E1056.m01": "Input Capture::Mouse Events", "E1113": "Screen Capture", "E1113.m01": "Screen Capture::WinAPI", "F0002": "Keylogging", "F0002.001": "Keylogging::Application Hook", "F0002.002": "Keylogging::Polling", "F0015": "Hijack Execution Flow", "F0015.001": "Hijack Execution Flow::Export Address Table Hooking", "F0015.002": "Hijack Execution Flow::Inline Patching", "F0015.003": "Hijack Execution Flow::Import Address Table Hooking", "F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking", "F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking", "F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls", "F0015.007": "Hijack Execution Flow::Procedure Hooking" }, "Anti-Static Analysis": { "B0008": "Executable Code Virtualization", "B0008.001": "Executable Code Virtualization::Multiple VMs", "B0010": "Call Graph Generation Evasion", "B0010.001": "Call Graph Generation Evasion::Two-layer Function Return", "B0010.002": "Call Graph Generation Evasion::Invoke NTDLL System Calls via Encoded Table", "B0012": "Disassembler Evasion", "B0012.002": "Disassembler Evasion::Conditional Misdirection", "B0012.003": "Disassembler Evasion::Value Dependent Jumps", "B0012.005": "Disassembler Evasion::VBA Stomping", "B0012.006": "Disassembler Evasion::Desynchronizing Opaque Predicates", "B0032": "Executable Code Obfuscation", "B0032.001": "Executable Code Obfuscation::API Hashing", "B0032.002": "Executable Code Obfuscation::Code Insertion", "B0032.003": "Executable Code Obfuscation::Dead Code Insertion", "B0032.004": "Executable Code Obfuscation::Fake Code Insertion", "B0032.005": "Executable Code Obfuscation::Jump Insertion", "B0032.006": "Executable Code Obfuscation::Thunk Code Insertion", "B0032.007": "Executable Code Obfuscation::Junk Code Insertion", "B0032.008": "Executable Code Obfuscation::Data Value Obfuscation", "B0032.009": "Executable Code Obfuscation::Entry Point Obfuscation", "B0032.010": "Executable Code Obfuscation::Guard Pages", "B0032.011": "Executable Code Obfuscation::Import Address Table Obfuscation", "B0032.012": "Executable Code Obfuscation::Import Compression", "B0032.013": "Executable Code Obfuscation::Instruction Overlap", "B0032.014": "Executable Code Obfuscation::Interleaving Code", "B0032.015": "Executable Code Obfuscation::Merged Code Sections", "B0032.016": "Executable Code Obfuscation::Structured Exception Handling (SEH)", "B0032.017": "Executable Code Obfuscation::Stack Strings", "B0032.018": "Executable Code Obfuscation::Symbol Obfuscation", "B0032.019": "Executable Code Obfuscation::Opaque Predicate", "B0032.020": "Executable Code Obfuscation::Argument Obfuscation", "B0032.021": "Executable Code Obfuscation::Variable Recomposition", "B0034": "Executable Code Optimization", "B0034.001": "Executable Code Optimization::Jump/Call Absolute Address", "B0034.002": "Executable Code Optimization::Minification", "B0045": "Data Flow Analysis Evasion", "B0045.001": "Data Flow Analysis Evasion::Control Dependence", "B0045.002": "Data Flow Analysis Evasion::Implicit Flows", "B0045.003": "Data Flow Analysis Evasion::Arbitrary Memory Corruption", "E1027": "Obfuscated Files or Information", "E1027.m01": "Obfuscated Files or Information::Encoding", "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", "E1027.m04": "Obfuscated Files or Information::Encryption", "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", "E1027.m06": "Obfuscated Files or Information::Encryption of Code", "E1027.m07": "Obfuscated Files or Information::Encryption of Data", "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", "F0001": "Software Packing", "F0001.001": "Software Packing::Nested Packing", "F0001.002": "Software Packing::Standard Compression", "F0001.003": "Software Packing::Standard Compression of Code", "F0001.004": "Software Packing::Standard Compression of Data", "F0001.005": "Software Packing::Custom Compression", "F0001.006": "Software Packing::Custom Compression of Code", "F0001.007": "Software Packing::Custom Compression of Data", "F0001.008": "Software Packing::UPX", "F0001.009": "Software Packing::Confuser", "F0001.010": "Software Packing::VMProtect", "F0001.011": "Software Packing::Themida", "F0001.012": "Software Packing::Armadillo", "F0001.013": "Software Packing::ASPack" }, "Discovery": { "B0013": "Analysis Tool Discovery", "B0013.001": "Analysis Tool Discovery::Process detection", "B0013.002": "Analysis Tool Discovery::Process detection - Debuggers", "B0013.003": "Analysis Tool Discovery::Process detection - SysInternals Suite Tools", "B0013.004": "Analysis Tool Discovery::Process detection - PCAP Utilities", "B0013.005": "Analysis Tool Discovery::Process detection - Process Utilities", "B0013.006": "Analysis Tool Discovery::Process detection - PE Utilities", "B0013.007": "Analysis Tool Discovery::Process detection - Sandboxes", "B0013.008": "Analysis Tool Discovery::Known File Location", "B0013.009": "Analysis Tool Discovery::Known Window", "B0013.010": "Analysis Tool Discovery::Known Windows Class Name", "B0014": "SMTP Connection Discovery", "B0038": "Self Discovery", "B0043": "Taskbar Discovery", "B0046": "Code Discovery", "B0046.001": "Code Discovery::Enumerate PE Sections", "B0046.002": "Code Discovery::Inspect Section Memory Permissions", "E1010": "Application Window Discovery", "E1082": "System Information Discovery", "E1082.m01": "System Information Discovery::Generate Windows Exception", "E1083": "File and Directory Discovery", "E1083.m01": "File and Directory Discovery::Log File", "E1083.m02": "File and Directory Discovery::Filter by Extension" }, "Privilege Escalation": { "E1055": "Process Injection", "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx", "E1055.m02": "Process Injection::Injection and Persistence via Registry Modification", "E1055.m03": "Process Injection::Injection using Shims", "E1055.m04": "Process Injection::Patch Process Command Line", "E1055.m05": "Process Injection::Injection via Windows Fibers", "E1608": "Install Certificate", "F0010": "Kernel Modules and Extensions", "F0010.001": "Kernel Modules and Extensions::Device Driver", "F0011": "Modify Existing Service", "F0015": "Hijack Execution Flow", "F0015.001": "Hijack Execution Flow::Export Address Table Hooking", "F0015.002": "Hijack Execution Flow::Inline Patching", "F0015.003": "Hijack Execution Flow::Import Address Table Hooking", "F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking", "F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking", "F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls", "F0015.007": "Hijack Execution Flow::Procedure Hooking" }, "Collection": { "B0028": "Cryptocurrency", "B0028.001": "Cryptocurrency::Bitcoin", "B0028.002": "Cryptocurrency::Ethereum", "B0028.003": "Cryptocurrency::Zcash", "E1056": "Input Capture", "E1056.m01": "Input Capture::Mouse Events", "E1113": "Screen Capture", "E1113.m01": "Screen Capture::WinAPI", "F0002": "Keylogging", "F0002.001": "Keylogging::Application Hook", "F0002.002": "Keylogging::Polling", "F0015": "Hijack Execution Flow", "F0015.001": "Hijack Execution Flow::Export Address Table Hooking", "F0015.002": "Hijack Execution Flow::Inline Patching", "F0015.003": "Hijack Execution Flow::Import Address Table Hooking", "F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking", "F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking", "F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls", "F0015.007": "Hijack Execution Flow::Procedure Hooking" }, "Lateral Movement": { "B0020": "Send Email", "B0021": "Send Poisoned Text Message", "B0026": "Malicious Network Driver", "E1105": "Ingress Tool Transfer", "E1195": "Supply Chain Compromise", "E1195.m01": "Supply Chain Compromise::Abuse Enterprise Certificates", "E1195.m02": "Supply Chain Compromise::Exploit Private APIs" }, "Command and Control": { "B0030": "C2 Communication", "B0030.001": "C2 Communication::Send Data", "B0030.002": "C2 Communication::Receive Data", "B0030.003": "C2 Communication::Server to Client File Transfer", "B0030.004": "C2 Communication::Implant to Controller File Transfer", "B0030.005": "C2 Communication::Check for Payload", "B0030.006": "C2 Communication::Send System Information", "B0030.007": "C2 Communication::Send Heartbeat", "B0030.008": "C2 Communication::Request Command", "B0030.009": "C2 Communication::Request Email Template", "B0030.010": "C2 Communication::Request Email Address List", "B0030.011": "C2 Communication::Authenticate", "B0030.012": "C2 Communication::Directory Listing", "B0030.013": "C2 Communication::Execute File", "B0030.014": "C2 Communication::Execute Shell Command", "B0030.015": "C2 Communication::File search", "B0030.016": "C2 Communication::Start Interactive Shell", "B0031": "Domain Name Generation", "E1105": "Ingress Tool Transfer" }, "Execution": { "B0011": "Remote Commands", "B0011.001": "Remote Commands::Delete File", "B0011.002": "Remote Commands::Download File", "B0011.003": "Remote Commands::Execute", "B0011.004": "Remote Commands::Shutdown", "B0011.005": "Remote Commands::Sleep", "B0011.006": "Remote Commands::Uninstall", "B0011.007": "Remote Commands::Upload File", "B0020": "Send Email", "B0021": "Send Poisoned Text Message", "B0023": "Install Additional Program", "B0024": "Prevent Concurrent Execution", "B0025": "Conditional Execution", "B0025.001": "Conditional Execution::Suicide Exit", "B0025.002": "Conditional Execution::Environmental Keys", "B0025.003": "Conditional Execution::GetVolumeInformation", "B0025.004": "Conditional Execution::Host Fingerprint Check", "B0025.005": "Conditional Execution::Secure Triggers", "B0025.006": "Conditional Execution::Token Check", "B0025.007": "Conditional Execution::Runs as Service", "B0025.008": "Conditional Execution::Deposited Keys", "B0044": "Execution Dependency", "E1059": "Command and Scripting Interpreter", "E1203": "Exploitation for Client Execution", "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols", "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", "E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products", "E1203.m05": "Exploitation for Client Execution::Sysinternals", "E1203.m06": "Exploitation for Client Execution::Windows Utilities", "E1204": "User Execution", "E1569": "System Services", "E1569.m01": "System Services::MSDTC" }, "Persistence": { "B0022": "Remote Access", "B0022.001": "Remote Access::Reverse Shell", "B0026": "Malicious Network Driver", "B0035": "Shutdown Event", "B0047": "Install Insecure or Malicious Configuration", "E1105": "Ingress Tool Transfer", "E1112": "Modify Registry", "E1564": "Hide Artifacts", "E1564.m01": "Hide Artifacts::Hidden Userspace Libraries", "E1564.m02": "Hide Artifacts::Direct Kernel Object Manipulation", "E1564.m03": "Hide Artifacts::Hidden Processes", "E1564.m04": "Hide Artifacts::Hidden Services", "E1564.m05": "Hide Artifacts::Hidden Kernel Modules", "F0005": "Hidden Files and Directories", "F0005.001": "Hidden Files and Directories::Extension", "F0005.002": "Hidden Files and Directories::Location", "F0005.003": "Hidden Files and Directories::Attribute", "F0005.004": "Hidden Files and Directories::Timestamp", "F0009": "Component Firmware", "F0009.001": "Component Firmware::Router Firmware", "F0010": "Kernel Modules and Extensions", "F0010.001": "Kernel Modules and Extensions::Device Driver", "F0011": "Modify Existing Service", "F0012": "Registry Run Keys / Startup Folder", "F0013": "Bootkit", "F0015": "Hijack Execution Flow", "F0015.001": "Hijack Execution Flow::Export Address Table Hooking", "F0015.002": "Hijack Execution Flow::Inline Patching", "F0015.003": "Hijack Execution Flow::Import Address Table Hooking", "F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking", "F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking", "F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls", "F0015.007": "Hijack Execution Flow::Procedure Hooking" }, "Impact": { "B0016": "Compromise Data Integrity", "B0017": "Destroy Hardware", "B0018": "Resource Hijacking", "B0018.001": "Resource Hijacking::Password Cracking", "B0018.002": "Resource Hijacking::Cryptojacking", "B0019": "Manipulate Network Traffic", "B0022": "Remote Access", "B0022.001": "Remote Access::Reverse Shell", "B0033": "Denial of Service", "B0039": "Spamming", "B0042": "Modify Hardware", "B0042.001": "Modify Hardware::CDROM", "B0042.002": "Modify Hardware::Mouse", "B0042.003": "Modify Hardware::Printer", "E1190": "Exploit Kit", "E1203": "Exploitation for Client Execution", "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols", "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", "E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products", "E1203.m05": "Exploitation for Client Execution::Sysinternals", "E1203.m06": "Exploitation for Client Execution::Windows Utilities", "E1485": "Data Destruction", "E1485.m02": "Data Destruction::Empty Recycle Bin", "E1485.m03": "Data Destruction::Delete Application/Software", "E1485.m04": "Data Destruction::Delete Shadow Copies", "E1486": "Data Encrypted for Impact", "E1486.001": "Data Encrypted for Impact::Ransom Note", "E1510": "Clipboard Modification", "E1643": "Generate Traffic from Victim", "E1643.m01": "Generate Traffic from Victim::Click Hijacking", "E1643.m02": "Generate Traffic from Victim::Advertisement Replacement Fraud", "F0009": "Component Firmware", "F0009.001": "Component Firmware::Router Firmware", "F0014": "Disk Wipe" }, "Exfiltration": { "E1020": "Automated Exfiltration", "E1020.m01": "Automated Exfiltration::Exfiltrate via File Hosting Service", "E1560": "Archive Collected Data", "E1560.m01": "Archive Collected Data::Encoding", "E1560.m02": "Archive Collected Data::Encryption", "E1560.m03": "Archive Collected Data::Encoding - Standard Encoding", "E1560.m04": "Archive Collected Data::Encoding - Custom Encoding", "E1560.m05": "Archive Collected Data::Encryption - Standard Encryption", "E1560.m06": "Archive Collected Data::Encryption - Custom Encryption" }, "Anti-Behavioral Analysis": { "B0001": "Debugger Detection", "B0001.001": "Debugger Detection::API Hook Detection", "B0001.002": "Debugger Detection::CheckRemoteDebuggerPresent", "B0001.003": "Debugger Detection::CloseHandle", "B0001.004": "Debugger Detection::Debugger Artifacts", "B0001.005": "Debugger Detection::Hardware Breakpoints", "B0001.006": "Debugger Detection::Interruption", "B0001.008": "Debugger Detection::IsDebuggerPresent", "B0001.009": "Debugger Detection::Memory Breakpoints", "B0001.010": "Debugger Detection::Memory Write Watching", "B0001.011": "Debugger Detection::Monitoring Thread", "B0001.012": "Debugger Detection::NtQueryInformationProcess", "B0001.013": "Debugger Detection::NtQueryObject", "B0001.014": "Debugger Detection::NtSetInformationThread", "B0001.015": "Debugger Detection::NtYieldExecution/SwitchToThread", "B0001.016": "Debugger Detection::OutputDebugString", "B0001.017": "Debugger Detection::Page Exception Breakpoint Detection", "B0001.018": "Debugger Detection::Parent Process", "B0001.019": "Debugger Detection::Process Environment Block", "B0001.020": "Debugger Detection::Process Jobs", "B0001.021": "Debugger Detection::ProcessHeap", "B0001.022": "Debugger Detection::RtlAdjustPrivilege", "B0001.023": "Debugger Detection::SeDebugPrivilege", "B0001.024": "Debugger Detection::SetHandleInformation", "B0001.025": "Debugger Detection::Software Breakpoints", "B0001.026": "Debugger Detection::Stack Canary", "B0001.027": "Debugger Detection::TIB Aware", "B0001.028": "Debugger Detection::Timing/Delay Check", "B0001.029": "Debugger Detection::TLS Callbacks", "B0001.030": "Debugger Detection::UnhandledExceptionFilter", "B0001.031": "Debugger Detection::WudfIsAnyDebuggerPresent", "B0001.032": "Debugger Detection::Timing/Delay Check GetTickCount", "B0001.033": "Debugger Detection::Timing/Delay Check QueryPerformanceCounter", "B0001.034": "Debugger Detection::Anti-debugging Instructions", "B0001.035": "Debugger Detection::Process Environment Block BeingDebugged", "B0001.036": "Debugger Detection::Process Environment Block NtGlobalFlag", "B0001.037": "Debugger Detection::Process Environment Block IsDebugged", "B0001.038": "Debugger Detection::Check Processes", "B0002": "Debugger Evasion", "B0002.001": "Debugger Evasion::Block Interrupts", "B0002.002": "Debugger Evasion::Break Point Clearing", "B0002.003": "Debugger Evasion::Byte Stealing", "B0002.004": "Debugger Evasion::Change SizeOfImage", "B0002.005": "Debugger Evasion::Code Integrity Check", "B0002.006": "Debugger Evasion::Exception Misdirection", "B0002.007": "Debugger Evasion::Get Base Indirectly", "B0002.008": "Debugger Evasion::Guard Pages", "B0002.009": "Debugger Evasion::Hook Interrupt", "B0002.010": "Debugger Evasion::Import Obfuscation", "B0002.011": "Debugger Evasion::Inlining", "B0002.012": "Debugger Evasion::Loop Escapes", "B0002.013": "Debugger Evasion::Malloc Use", "B0002.014": "Debugger Evasion::Modify PE Header", "B0002.015": "Debugger Evasion::Nanomites", "B0002.016": "Debugger Evasion::Obfuscate Library Use", "B0002.017": "Debugger Evasion::Parallel Threads", "B0002.018": "Debugger Evasion::Pipeline Misdirection", "B0002.019": "Debugger Evasion::Pre-Debug", "B0002.020": "Debugger Evasion::Relocate API Code", "B0002.021": "Debugger Evasion::Return Obfuscation", "B0002.022": "Debugger Evasion::RtlAdjustPrivilege", "B0002.023": "Debugger Evasion::Section Misalignment", "B0002.024": "Debugger Evasion::Self-Debugging", "B0002.025": "Debugger Evasion::Self-Unmapping", "B0002.026": "Debugger Evasion::Static Linking", "B0002.027": "Debugger Evasion::Stolen API Code", "B0002.028": "Debugger Evasion::Tampering", "B0002.029": "Debugger Evasion::Thread Timeout", "B0002.030": "Debugger Evasion::Use Interrupts", "B0003": "Dynamic Analysis Evasion", "B0003.001": "Dynamic Analysis Evasion::Alternative ntdll.dll", "B0003.002": "Dynamic Analysis Evasion::Data Flood", "B0003.003": "Dynamic Analysis Evasion::Delayed Execution", "B0003.004": "Dynamic Analysis Evasion::Demo Mode", "B0003.005": "Dynamic Analysis Evasion::Drop Code", "B0003.006": "Dynamic Analysis Evasion::Encode File", "B0003.007": "Dynamic Analysis Evasion::Hook File System", "B0003.008": "Dynamic Analysis Evasion::Hook Interrupt", "B0003.009": "Dynamic Analysis Evasion::Illusion", "B0003.010": "Dynamic Analysis Evasion::Restart", "B0003.011": "Dynamic Analysis Evasion::Code Integrity Check", "B0003.012": "Dynamic Analysis Evasion::API Hammering", "B0004": "Emulator Detection", "B0004.001": "Emulator Detection::Check for Emulator-related Files", "B0004.002": "Emulator Detection::Check for WINE Version", "B0004.003": "Emulator Detection::Check Emulator-related Registry Keys", "B0004.004": "Emulator Detection::Failed Network Connections", "B0005": "Emulator Evasion", "B0005.001": "Emulator Evasion::Different Opcode Sets", "B0005.002": "Emulator Evasion::Undocumented/Unimplemented Opcodes", "B0005.003": "Emulator Evasion::Unusual/Undocumented API Calls", "B0005.004": "Emulator Evasion::Extra Loops/Time Locks", "B0006": "Memory Dump Evasion", "B0006.001": "Memory Dump Evasion::Code Encryption in Memory", "B0006.002": "Memory Dump Evasion::Erase the PE header", "B0006.003": "Memory Dump Evasion::Hide virtual memory", "B0006.004": "Memory Dump Evasion::SizeOfImage", "B0006.005": "Memory Dump Evasion::Tampering", "B0006.006": "Memory Dump Evasion::Guard Pages", "B0006.007": "Memory Dump Evasion::On-the-Fly APIs", "B0006.008": "Memory Dump Evasion::Feed Misinformation", "B0006.009": "Memory Dump Evasion::Flow Opcode Obstruction", "B0006.010": "Memory Dump Evasion::Hook memory mapping APIs", "B0006.011": "Memory Dump Evasion::Patch MmGetPhysicalMemoryRanges", "B0007": "Sandbox Detection", "B0007.001": "Sandbox Detection::Check Clipboard Data", "B0007.002": "Sandbox Detection::Check Files", "B0007.003": "Sandbox Detection::Human User Check", "B0007.004": "Sandbox Detection::Injected DLL Testing", "B0007.005": "Sandbox Detection::Product Key/ID Testing", "B0007.006": "Sandbox Detection::Screen Resolution Testing", "B0007.007": "Sandbox Detection::Self Check", "B0007.008": "Sandbox Detection::Timing/Date Check", "B0007.009": "Sandbox Detection::Timing/Uptime Check", "B0007.010": "Sandbox Detection::Test API Routines", "B0008": "Executable Code Virtualization", "B0008.001": "Executable Code Virtualization::Multiple VMs", "B0009": "Virtual Machine Detection", "B0009.001": "Virtual Machine Detection::Check File and Directory Artifacts", "B0009.002": "Virtual Machine Detection::Check Memory Artifacts", "B0009.003": "Virtual Machine Detection::Check Named System Objects", "B0009.004": "Virtual Machine Detection::Check Processes", "B0009.005": "Virtual Machine Detection::Check Registry Keys", "B0009.006": "Virtual Machine Detection::Check Running Services", "B0009.007": "Virtual Machine Detection::Check Software", "B0009.008": "Virtual Machine Detection::Check Virtual Devices", "B0009.009": "Virtual Machine Detection::Check Windows", "B0009.010": "Virtual Machine Detection::Guest Process Testing", "B0009.011": "Virtual Machine Detection::HTML5 Performance Object Check", "B0009.012": "Virtual Machine Detection::Human User Check", "B0009.013": "Virtual Machine Detection::Modern Specs Check", "B0009.014": "Virtual Machine Detection::Modern Specs Check - Total physical memory", "B0009.015": "Virtual Machine Detection::Modern Specs Check - Drive size", "B0009.016": "Virtual Machine Detection::Modern Specs Check - USB drive", "B0009.017": "Virtual Machine Detection::Modern Specs Check - Printer", "B0009.018": "Virtual Machine Detection::Modern Specs Check - Processor count", "B0009.019": "Virtual Machine Detection::Modern Specs Check - Keyboard layout", "B0009.020": "Virtual Machine Detection::Check Windows - Window size", "B0009.021": "Virtual Machine Detection::Check Windows - Unique windows", "B0009.022": "Virtual Machine Detection::Check Windows - Title bars", "B0009.023": "Virtual Machine Detection::Unique Hardware/Firmware Check", "B0009.024": "Virtual Machine Detection::Unique Hardware/Firmware Check - BIOS", "B0009.025": "Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port", "B0009.026": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Name", "B0009.027": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Location", "B0009.028": "Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address", "B0009.029": "Virtual Machine Detection::Instruction Testing", "B0009.030": "Virtual Machine Detection::Instruction Testing - SIDT (red pill)", "B0009.031": "Virtual Machine Detection::Instruction Testing - SGDT/SLDT (no pill)", "B0009.032": "Virtual Machine Detection::Instruction Testing - SMSW", "B0009.033": "Virtual Machine Detection::Instruction Testing - STR", "B0009.034": "Virtual Machine Detection::Instruction Testing - CPUID", "B0009.035": "Virtual Machine Detection::Instruction Testing - IN", "B0009.036": "Virtual Machine Detection::Instruction Testing - RDTSC", "B0009.037": "Virtual Machine Detection::Instruction Testing - VMCPUID", "B0009.038": "Virtual Machine Detection::Instruction Testing - VPCEXT", "B0025": "Conditional Execution", "B0025.001": "Conditional Execution::Suicide Exit", "B0025.002": "Conditional Execution::Environmental Keys", "B0025.003": "Conditional Execution::GetVolumeInformation", "B0025.004": "Conditional Execution::Host Fingerprint Check", "B0025.005": "Conditional Execution::Secure Triggers", "B0025.006": "Conditional Execution::Token Check", "B0025.007": "Conditional Execution::Runs as Service", "B0025.008": "Conditional Execution::Deposited Keys", "B0036": "Capture Evasion", "B0036.001": "Capture Evasion::Memory-only Payload", "B0036.002": "Capture Evasion::Encrypted Payloads", "B0036.003": "Capture Evasion::Multiple Stages of Loaders", "F0001": "Software Packing", "F0001.001": "Software Packing::Nested Packing", "F0001.002": "Software Packing::Standard Compression", "F0001.003": "Software Packing::Standard Compression of Code", "F0001.004": "Software Packing::Standard Compression of Data", "F0001.005": "Software Packing::Custom Compression", "F0001.006": "Software Packing::Custom Compression of Code", "F0001.007": "Software Packing::Custom Compression of Data", "F0001.008": "Software Packing::UPX", "F0001.009": "Software Packing::Confuser", "F0001.010": "Software Packing::VMProtect", "F0001.011": "Software Packing::Themida", "F0001.012": "Software Packing::Armadillo", "F0001.013": "Software Packing::ASPack", "F0015": "Hijack Execution Flow", "F0015.001": "Hijack Execution Flow::Export Address Table Hooking", "F0015.002": "Hijack Execution Flow::Inline Patching", "F0015.003": "Hijack Execution Flow::Import Address Table Hooking", "F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking", "F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking", "F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls", "F0015.007": "Hijack Execution Flow::Procedure Hooking" }, "Data": { "C0019": "Check String", "C0020": "Use Constant", "C0024": "Compress Data", "C0024.001": "Compress Data::QuickLZ", "C0024.002": "Compress Data::IEncodingFilterFactory", "C0025": "Decompress Data", "C0025.001": "Decompress Data::QuickLZ", "C0025.002": "Decompress Data::IEncodingFilterFactory", "C0025.003": "Decompress Data::aPLib", "C0026": "Encode Data", "C0026.001": "Encode Data::Base64", "C0026.002": "Encode Data::XOR", "C0030": "Non-Cryptographic Hash", "C0030.001": "Non-Cryptographic Hash::MurmurHash", "C0030.002": "Non-Cryptographic Hash::pHash", "C0030.003": "Non-Cryptographic Hash::Fast-Hash", "C0030.004": "Non-Cryptographic Hash::dhash", "C0030.005": "Non-Cryptographic Hash::FNV", "C0030.006": "Non-Cryptographic Hash::djb2", "C0032": "Checksum", "C0032.001": "Checksum::CRC32", "C0032.002": "Checksum::Luhn", "C0032.003": "Checksum::BSD", "C0032.005": "Checksum::Adler", "C0053": "Decode Data", "C0053.001": "Decode Data::Base64", "C0053.002": "Decode Data::XOR", "C0058": "Modulo", "C0060": "Compression Library" }, "Memory": { "C0006": "Heap Spray", "C0007": "Allocate Memory", "C0008": "Change Memory Protection", "C0008.001": "Change Memory Protection::Executable Stack", "C0008.002": "Change Memory Protection::Executable Heap", "C0009": "Stack Pivot", "C0010": "Overflow Buffer", "C0044": "Free Memory" }, "Hardware": { "C0023": "Load Driver", "C0023.001": "Load Driver::Minifilter", "C0037": "Install Driver", "C0037.001": "Install Driver::Minifilter", "C0057": "Simulate Hardware", "C0057.001": "Simulate Hardware::Ctrl-Alt-Del", "C0057.002": "Simulate Hardware::Mouse Click" }, "File System": { "C0015": "Alter File Extension", "C0015.001": "Alter File Extension::Append Extension", "C0016": "Create File", "C0016.001": "Create File::Create Office Document", "C0016.002": "Create File::Create Ransomware File", "C0045": "Copy File", "C0046": "Create Directory", "C0047": "Delete File", "C0048": "Delete Directory", "C0049": "Get File Attributes", "C0050": "Set File Attributes", "C0051": "Read File", "C0052": "Writes File", "C0056": "Read Virtual Disk", "C0063": "Move File" }, "Process": { "C0017": "Create Process", "C0017.001": "Create Process::Create Process via Shellcode", "C0017.002": "Create Process::Create Process via WMI", "C0017.003": "Create Process::Create Suspended Process", "C0018": "Terminate Process", "C0022": "Synchronization", "C0022.001": "Synchronization::Create Mutex", "C0038": "Create Thread", "C0039": "Terminate Thread", "C0040": "Allocate Thread Local Storage", "C0041": "Set Thread Local Storage Value", "C0042": "Create Mutex", "C0043": "Check Mutex", "C0054": "Resume Thread", "C0055": "Suspend Thread", "C0064": "Enumerate Threads", "C0065": "Open Process", "C0066": "Open Thread" }, "Communication": { "C0001": "Socket Communication", "C0001.001": "Socket Communication::Set Socket Config", "C0001.002": "Socket Communication::TCP Server", "C0001.003": "Socket Communication::Create Socket", "C0001.004": "Socket Communication::Connect Socket", "C0001.005": "Socket Communication::Start TCP Server", "C0001.006": "Socket Communication::Receive Data", "C0001.007": "Socket Communication::Send Data", "C0001.008": "Socket Communication::TCP Client", "C0001.009": "Socket Communication::Initialize Winsock Library", "C0001.010": "Socket Communication::Create UDP Socket", "C0001.011": "Socket Communication::Create TCP Socket", "C0001.012": "Socket Communication::Get Socket Status", "C0001.013": "Socket Communication::UDP Client", "C0001.014": "Socket Communication::Send TCP Data", "C0001.015": "Socket Communication::Send UDP Data", "C0001.016": "Socket Communication::Receive TCP Data", "C0001.017": "Socket Communication::Receive UDP Data", "C0002": "HTTP Communication", "C0002.001": "HTTP Communication::Server", "C0002.002": "HTTP Communication::Client", "C0002.003": "HTTP Communication::Send Request", "C0002.004": "HTTP Communication::Open URL", "C0002.005": "HTTP Communication::Send Data", "C0002.006": "HTTP Communication::Download URL", "C0002.007": "HTTP Communication::WinINet", "C0002.008": "HTTP Communication::WinHTTP", "C0002.009": "HTTP Communication::Connect to Server", "C0002.010": "HTTP Communication::IWebBrowser", "C0002.011": "HTTP Communication::Extract Body", "C0002.012": "HTTP Communication::Create Request", "C0002.013": "HTTP Communication::Set Header", "C0002.014": "HTTP Communication::Read Header", "C0002.015": "HTTP Communication::Receive Request", "C0002.016": "HTTP Communication::Send Response", "C0002.017": "HTTP Communication::Get Response", "C0002.018": "HTTP Communication::Start Server", "C0003": "Interprocess Communication", "C0003.001": "Interprocess Communication::Create Pipe", "C0003.002": "Interprocess Communication::Connect Pipe", "C0003.003": "Interprocess Communication::Read Pipe", "C0003.004": "Interprocess Communication::Write Pipe", "C0004": "FTP Communication", "C0004.001": "FTP Communication::Send File", "C0004.002": "FTP Communication::WinINet", "C0005": "WinINet", "C0005.001": "WinINet::InternetConnect", "C0005.002": "WinINet::InternetOpen", "C0005.003": "WinINet::InternetOpenURL", "C0005.004": "WinINet::InternetReadFile", "C0005.005": "WinINet::InternetWriteFile", "C0011": "DNS Communication", "C0011.001": "DNS Communication::Resolve", "C0011.002": "DNS Communication::Server Connect", "C0011.003": "DNS Communication::DDNS Domain Connect", "C0011.004": "DNS Communication::Resolve TLD", "C0011.005": "DNS Communication::Resolve Free Hosting Domain", "C0012": "SMTP Communication", "C0012.001": "SMTP Communication::Server Connect", "C0012.002": "SMTP Communication::Request", "C0014": "ICMP Communication", "C0014.001": "ICMP Communication::Generate Traffic", "C0014.002": "ICMP Communication::Echo Request" }, "Cryptography": { "C0021": "Generate Pseudo-random Sequence", "C0021.001": "Generate Pseudo-random Sequence::GetTickCount", "C0021.002": "Generate Pseudo-random Sequence::rand", "C0021.003": "Generate Pseudo-random Sequence::Use API", "C0021.004": "Generate Pseudo-random Sequence::RC4 PRGA", "C0027": "Encrypt Data", "C0027.001": "Encrypt Data::AES", "C0027.002": "Encrypt Data::Blowfish", "C0027.003": "Encrypt Data::Camellia", "C0027.004": "Encrypt Data::3DES", "C0027.005": "Encrypt Data::Twofish", "C0027.006": "Encrypt Data::HC-128", "C0027.007": "Encrypt Data::HC-256", "C0027.008": "Encrypt Data::Sosemanuk", "C0027.009": "Encrypt Data::RC4", "C0027.010": "Encrypt Data::RC6", "C0027.011": "Encrypt Data::RSA", "C0027.012": "Encrypt Data::Stream Cipher", "C0027.013": "Encrypt Data::Skipjack", "C0027.014": "Encrypt Data::Block Cipher", "C0028": "Encryption Key", "C0028.001": "Encryption Key::Import Public Key", "C0028.002": "Encryption Key::RC4 KSA", "C0029": "Cryptographic Hash", "C0029.001": "Cryptographic Hash::MD5", "C0029.002": "Cryptographic Hash::SHA1", "C0029.003": "Cryptographic Hash::SHA256", "C0029.004": "Cryptographic Hash::SHA224", "C0029.005": "Cryptographic Hash::Tiger", "C0029.006": "Cryptographic Hash::Snefru", "C0031": "Decrypt Data", "C0031.001": "Decrypt Data::AES", "C0031.002": "Decrypt Data::Block Cipher", "C0031.003": "Decrypt Data::Blowfish", "C0031.004": "Decrypt Data::Camellia", "C0031.005": "Decrypt Data::3DES", "C0031.006": "Decrypt Data::HC-128", "C0031.007": "Decrypt Data::HC-256", "C0031.008": "Decrypt Data::RC4", "C0031.009": "Decrypt Data::RC6", "C0031.010": "Decrypt Data::RSA", "C0031.011": "Decrypt Data::Skipjack", "C0031.012": "Decrypt Data::Sosemanuk", "C0031.013": "Decrypt Data::Stream Cipher", "C0031.014": "Decrypt Data::Twofish", "C0059": "Crypto Library", "C0059.001": "Crypto Library::API Call", "C0059.002": "Crypto Library::Static Public Library", "C0061": "Hashed Message Authentication Code", "C0068": "Crypto Algorithm", "C0069": "Crypto Constant" }, "Operating System": { "C0033": "Console", "C0034": "Environment Variable", "C0034.001": "Environment Variable::Set Variable", "C0035": "Wallpaper", "C0036": "Registry", "C0036.001": "Registry::Set Registry Key", "C0036.002": "Registry::Delete Registry Key", "C0036.003": "Registry::Open Registry Key", "C0036.004": "Registry::Create Registry Key", "C0036.005": "Registry::Query Registry Key", "C0036.006": "Registry::Query Registry Value", "C0036.007": "Registry::Delete Registry Value" }, "Defense Evasion": { "B0025": "Conditional Execution", "B0025.001": "Conditional Execution::Suicide Exit", "B0025.002": "Conditional Execution::Environmental Keys", "B0025.003": "Conditional Execution::GetVolumeInformation", "B0025.004": "Conditional Execution::Host Fingerprint Check", "B0025.005": "Conditional Execution::Secure Triggers", "B0025.006": "Conditional Execution::Token Check", "B0025.007": "Conditional Execution::Runs as Service", "B0025.008": "Conditional Execution::Deposited Keys", "B0027": "Alternative Installation Location", "B0027.001": "Alternative Installation Location::Fileless Malware", "B0027.002": "Alternative Installation Location::Registry Install", "B0029": "Polymorphic Code", "B0029.001": "Polymorphic Code::Packer Stub", "B0029.002": "Polymorphic Code::Call Indirections", "B0029.003": "Polymorphic Code::Code Reordering", "B0037": "Bypass Data Execution Prevention", "B0037.001": "Bypass Data Execution Prevention::ROP Chains", "B0040": "Covert Location", "B0040.001": "Covert Location::Hide Data in Registry", "B0040.002": "Covert Location::Steganography", "B0047": "Install Insecure or Malicious Configuration", "E1014": "Rootkit", "E1014.m12": "Rootkit::Application Rootkit", "E1014.m13": "Rootkit::Bootloader", "E1014.m14": "Rootkit::Hardware/Firmware Rootkit", "E1014.m15": "Rootkit::Hypervisor/Virtualized Rootkit", "E1014.m16": "Rootkit::Kernel Mode Rootkit", "E1014.m17": "Rootkit::Memory Rootkit", "E1027": "Obfuscated Files or Information", "E1027.m01": "Obfuscated Files or Information::Encoding", "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", "E1027.m04": "Obfuscated Files or Information::Encryption", "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", "E1027.m06": "Obfuscated Files or Information::Encryption of Code", "E1027.m07": "Obfuscated Files or Information::Encryption of Data", "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", "E1055": "Process Injection", "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx", "E1055.m02": "Process Injection::Injection and Persistence via Registry Modification", "E1055.m03": "Process Injection::Injection using Shims", "E1055.m04": "Process Injection::Patch Process Command Line", "E1055.m05": "Process Injection::Injection via Windows Fibers", "E1112": "Modify Registry", "E1564": "Hide Artifacts", "E1564.m01": "Hide Artifacts::Hidden Userspace Libraries", "E1564.m02": "Hide Artifacts::Direct Kernel Object Manipulation", "E1564.m03": "Hide Artifacts::Hidden Processes", "E1564.m04": "Hide Artifacts::Hidden Services", "E1564.m05": "Hide Artifacts::Hidden Kernel Modules", "F0001": "Software Packing", "F0001.001": "Software Packing::Nested Packing", "F0001.002": "Software Packing::Standard Compression", "F0001.003": "Software Packing::Standard Compression of Code", "F0001.004": "Software Packing::Standard Compression of Data", "F0001.005": "Software Packing::Custom Compression", "F0001.006": "Software Packing::Custom Compression of Code", "F0001.007": "Software Packing::Custom Compression of Data", "F0001.008": "Software Packing::UPX", "F0001.009": "Software Packing::Confuser", "F0001.010": "Software Packing::VMProtect", "F0001.011": "Software Packing::Themida", "F0001.012": "Software Packing::Armadillo", "F0001.013": "Software Packing::ASPack", "F0004": "Disable or Evade Security Tools", "F0004.001": "Disable or Evade Security Tools::Disable Kernel Patch Protection", "F0004.002": "Disable or Evade Security Tools::Disable System File Overwrite Protection", "F0004.003": "Disable or Evade Security Tools::Unhook APIs", "F0004.004": "Disable or Evade Security Tools::AMSI Bypass", "F0004.005": "Disable or Evade Security Tools::Modify Policy", "F0004.006": "Disable or Evade Security Tools::Force Lazy Writing", "F0004.007": "Disable or Evade Security Tools::Bypass Windows File Protection", "F0004.008": "Disable or Evade Security Tools::Heavens Gate", "F0004.009": "Disable or Evade Security Tools::Disable Code Integrity", "F0005": "Hidden Files and Directories", "F0005.001": "Hidden Files and Directories::Extension", "F0005.002": "Hidden Files and Directories::Location", "F0005.003": "Hidden Files and Directories::Attribute", "F0005.004": "Hidden Files and Directories::Timestamp", "F0006": "Indicator Blocking", "F0006.001": "Indicator Blocking::Remove SMS Warning Messages", "F0007": "Self Deletion", "F0007.001": "Self Deletion::COMSPEC Environment Variable", "F0009": "Component Firmware", "F0009.001": "Component Firmware::Router Firmware", "F0013": "Bootkit", "F0015": "Hijack Execution Flow", "F0015.001": "Hijack Execution Flow::Export Address Table Hooking", "F0015.002": "Hijack Execution Flow::Inline Patching", "F0015.003": "Hijack Execution Flow::Import Address Table Hooking", "F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking", "F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking", "F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls", "F0015.007": "Hijack Execution Flow::Procedure Hooking" } } }