technique_names.json
568 lines (568 loc) · 14.6 KB
[
"Data Obfuscation",
"Junk Data",
"Steganography",
"Protocol Impersonation",
"OS Credential Dumping",
"LSASS Memory",
"Security Account Manager",
"NTDS",
"LSA Secrets",
"Cached Domain Credentials",
"DCSync",
"Proc Filesystem",
"/etc/passwd and /etc/shadow",
"Data from Local System",
"Direct Volume Access",
"System Service Discovery",
"Fallback Channels",
"Application Window Discovery",
"Exfiltration Over Other Network Medium",
"Exfiltration Over Bluetooth",
"Query Registry",
"Rootkit",
"System Network Configuration Discovery",
"Internet Connection Discovery",
"Remote System Discovery",
"Automated Exfiltration",
"Traffic Duplication",
"Remote Services",
"Remote Desktop Protocol",
"SMB/Windows Admin Shares",
"Distributed Component Object Model",
"SSH",
"VNC",
"Windows Remote Management",
"Data from Removable Media",
"Obfuscated Files or Information",
"Binary Padding",
"Software Packing",
"Steganography",
"Compile After Delivery",
"Indicator Removal from Tools",
"HTML Smuggling",
"Scheduled Transfer",
"Data Transfer Size Limits",
"System Owner/User Discovery",
"Masquerading",
"Invalid Code Signature",
"Right-to-Left Override",
"Rename System Utilities",
"Masquerade Task or Service",
"Match Legitimate Name or Location",
"Space after Filename",
"Double File Extension",
"Boot or Logon Initialization Scripts",
"Logon Script (Windows)",
"Logon Script (Mac)",
"Network Logon Script",
"RC Scripts",
"Startup Items",
"Data from Network Shared Drive",
"Network Sniffing",
"Exfiltration Over C2 Channel",
"Network Service Scanning",
"Windows Management Instrumentation",
"Exfiltration Over Alternative Protocol",
"Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"System Network Connections Discovery",
"Exfiltration Over Physical Medium",
"Exfiltration over USB",
"Scheduled Task/Job",
"At (Linux)",
"At (Windows)",
"Cron",
"Scheduled Task",
"Systemd Timers",
"Container Orchestration Job",
"Process Injection",
"Dynamic-link Library Injection",
"Portable Executable Injection",
"Thread Execution Hijacking",
"Asynchronous Procedure Call",
"Thread Local Storage",
"Ptrace System Calls",
"Proc Memory",
"Extra Window Memory Injection",
"Process Hollowing",
"Process Doppelg\u00e4nging",
"VDSO Hijacking",
"Input Capture",
"Keylogging",
"GUI Input Capture",
"Web Portal Capture",
"Credential API Hooking",
"Process Discovery",
"Command and Scripting Interpreter",
"PowerShell",
"AppleScript",
"Windows Command Shell",
"Unix Shell",
"Visual Basic",
"Python",
"JavaScript",
"Network Device CLI",
"Exploitation for Privilege Escalation",
"Permission Groups Discovery",
"Local Groups",
"Domain Groups",
"Cloud Groups",
"Indicator Removal on Host",
"Clear Windows Event Logs",
"Clear Linux or Mac System Logs",
"Clear Command History",
"File Deletion",
"Network Share Connection Removal",
"Timestomp",
"Application Layer Protocol",
"Web Protocols",
"File Transfer Protocols",
"Mail Protocols",
"DNS",
"Software Deployment Tools",
"Data Staged",
"Local Data Staging",
"Remote Data Staging",
"Valid Accounts",
"Default Accounts",
"Domain Accounts",
"Local Accounts",
"Cloud Accounts",
"Taint Shared Content",
"System Information Discovery",
"File and Directory Discovery",
"Account Discovery",
"Local Account",
"Domain Account",
"Email Account",
"Cloud Account",
"Proxy",
"Internal Proxy",
"External Proxy",
"Multi-hop Proxy",
"Domain Fronting",
"Replication Through Removable Media",
"Communication Through Removable Media",
"Non-Application Layer Protocol",
"Account Manipulation",
"Additional Cloud Credentials",
"Exchange Email Delegate Permissions",
"Add Office 365 Global Administrator Role",
"SSH Authorized Keys",
"Web Service",
"Dead Drop Resolver",
"Bidirectional Communication",
"One-Way Communication",
"Multi-Stage Channels",
"Ingress Tool Transfer",
"Native API",
"Brute Force",
"Password Guessing",
"Password Cracking",
"Password Spraying",
"Credential Stuffing",
"Two-Factor Authentication Interception",
"Modify Registry",
"Screen Capture",
"Email Collection",
"Local Email Collection",
"Remote Email Collection",
"Email Forwarding Rule",
"Clipboard Data",
"Automated Collection",
"Peripheral Device Discovery",
"Audio Capture",
"System Time Discovery",
"Video Capture",
"Trusted Developer Utilities Proxy Execution",
"MSBuild",
"Shared Modules",
"Data Encoding",
"Standard Encoding",
"Non-Standard Encoding",
"External Remote Services",
"Access Token Manipulation",
"Token Impersonation/Theft",
"Create Process with Token",
"Make and Impersonate Token",
"Parent PID Spoofing",
"SID-History Injection",
"Network Share Discovery",
"Create Account",
"Local Account",
"Domain Account",
"Cloud Account",
"Office Application Startup",
"Office Template Macros",
"Office Test",
"Outlook Forms",
"Outlook Home Page",
"Outlook Rules",
"Add-ins",
"Deobfuscate/Decode Files or Information",
"Browser Extensions",
"Browser Session Hijacking",
"Forced Authentication",
"Drive-by Compromise",
"Exploit Public-Facing Application",
"Supply Chain Compromise",
"Compromise Software Dependencies and Development Tools",
"Compromise Software Supply Chain",
"Compromise Hardware Supply Chain",
"BITS Jobs",
"Trusted Relationship",
"Hardware Additions",
"Password Policy Discovery",
"Indirect Command Execution",
"Exploitation for Client Execution",
"User Execution",
"Malicious Link",
"Malicious File",
"Malicious Image",
"Traffic Signaling",
"Port Knocking",
"Rogue Domain Controller",
"Exploitation of Remote Services",
"Exploitation for Defense Evasion",
"Exploitation for Credential Access",
"Data from Information Repositories",
"Confluence",
"Sharepoint",
"Code Repositories",
"Signed Script Proxy Execution",
"PubPrn",
"Browser Bookmark Discovery",
"Signed Binary Proxy Execution",
"Compiled HTML File",
"Control Panel",
"CMSTP",
"InstallUtil",
"Mshta",
"Msiexec",
"Odbcconf",
"Regsvcs/Regasm",
"Regsvr32",
"Rundll32",
"Verclsid",
"Mavinject",
"MMC",
"Remote Access Software",
"XSL Script Processing",
"Template Injection",
"File and Directory Permissions Modification",
"Windows File and Directory Permissions Modification",
"Linux and Mac File and Directory Permissions Modification",
"Execution Guardrails",
"Environmental Keying",
"Domain Trust Discovery",
"Domain Policy Modification",
"Group Policy Modification",
"Domain Trust Modification",
"Data Destruction",
"Data Encrypted for Impact",
"Service Stop",
"Inhibit System Recovery",
"Defacement",
"Internal Defacement",
"External Defacement",
"Firmware Corruption",
"Resource Hijacking",
"Virtualization/Sandbox Evasion",
"System Checks",
"User Activity Based Checks",
"Time Based Evasion",
"Network Denial of Service",
"Direct Network Flood",
"Reflection Amplification",
"Endpoint Denial of Service",
"OS Exhaustion Flood",
"Service Exhaustion Flood",
"Application Exhaustion Flood",
"Application or System Exploitation",
"Server Software Component",
"SQL Stored Procedures",
"Transport Agent",
"Web Shell",
"IIS Components",
"Software Discovery",
"Security Software Discovery",
"Implant Internal Image",
"Cloud Service Discovery",
"Steal Application Access Token",
"System Shutdown/Reboot",
"Data from Cloud Storage Object",
"Account Access Removal",
"Internal Spearphishing",
"Unused/Unsupported Cloud Regions",
"Transfer Data to Cloud Account",
"Cloud Service Dashboard",
"Steal Web Session Cookie",
"Pre-OS Boot",
"System Firmware",
"Component Firmware",
"Bootkit",
"ROMMONkit",
"TFTP Boot",
"Create or Modify System Process",
"Launch Agent",
"Systemd Service",
"Windows Service",
"Launch Daemon",
"Event Triggered Execution",
"Change Default File Association",
"Screensaver",
"Windows Management Instrumentation Event Subscription",
"Unix Shell Configuration Modification",
"Trap",
"LC_LOAD_DYLIB Addition",
"Netsh Helper DLL",
"Accessibility Features",
"AppCert DLLs",
"AppInit DLLs",
"Application Shimming",
"Image File Execution Options Injection",
"PowerShell Profile",
"Emond",
"Component Object Model Hijacking",
"Boot or Logon Autostart Execution",
"Registry Run Keys / Startup Folder",
"Authentication Package",
"Time Providers",
"Winlogon Helper DLL",
"Security Support Provider",
"Kernel Modules and Extensions",
"Re-opened Applications",
"LSASS Driver",
"Shortcut Modification",
"Port Monitors",
"Plist Modification",
"Print Processors",
"XDG Autostart Entries",
"Active Setup",
"Login Items",
"Abuse Elevation Control Mechanism",
"Setuid and Setgid",
"Bypass User Account Control",
"Sudo and Sudo Caching",
"Elevated Execution with Prompt",
"Use Alternate Authentication Material",
"Application Access Token",
"Pass the Hash",
"Pass the Ticket",
"Web Session Cookie",
"Unsecured Credentials",
"Credentials In Files",
"Credentials in Registry",
"Bash History",
"Private Keys",
"Cloud Instance Metadata API",
"Group Policy Preferences",
"Container API",
"Subvert Trust Controls",
"Gatekeeper Bypass",
"Code Signing",
"SIP and Trust Provider Hijacking",
"Install Root Certificate",
"Mark-of-the-Web Bypass",
"Code Signing Policy Modification",
"Compromise Client Software Binary",
"Credentials from Password Stores",
"Keychain",
"Securityd Memory",
"Credentials from Web Browsers",
"Windows Credential Manager",
"Password Managers",
"Modify Authentication Process",
"Domain Controller Authentication",
"Password Filter DLL",
"Pluggable Authentication Modules",
"Network Device Authentication",
"Adversary-in-the-Middle",
"LLMNR/NBT-NS Poisoning and SMB Relay",
"ARP Cache Poisoning",
"Steal or Forge Kerberos Tickets",
"Golden Ticket",
"Silver Ticket",
"Kerberoasting",
"AS-REP Roasting",
"Inter-Process Communication",
"Component Object Model",
"Dynamic Data Exchange",
"Archive Collected Data",
"Archive via Utility",
"Archive via Library",
"Archive via Custom Method",
"Disk Wipe",
"Disk Content Wipe",
"Disk Structure Wipe",
"Impair Defenses",
"Disable or Modify Tools",
"Disable Windows Event Logging",
"Impair Command History Logging",
"Disable or Modify System Firewall",
"Indicator Blocking",
"Disable or Modify Cloud Firewall",
"Disable Cloud Logs",
"Safe Mode Boot",
"Downgrade Attack",
"Remote Service Session Hijacking",
"SSH Hijacking",
"RDP Hijacking",
"Hide Artifacts",
"Hidden Files and Directories",
"Hidden Users",
"Hidden Window",
"NTFS File Attributes",
"Hidden File System",
"Run Virtual Instance",
"VBA Stomping",
"Email Hiding Rules",
"Resource Forking",
"Data Manipulation",
"Stored Data Manipulation",
"Transmitted Data Manipulation",
"Runtime Data Manipulation",
"Phishing",
"Spearphishing Attachment",
"Spearphishing Link",
"Spearphishing via Service",
"Exfiltration Over Web Service",
"Exfiltration to Code Repository",
"Exfiltration to Cloud Storage",
"Dynamic Resolution",
"Fast Flux DNS",
"Domain Generation Algorithms",
"DNS Calculation",
"System Services",
"Launchctl",
"Service Execution",
"Lateral Tool Transfer",
"Non-Standard Port",
"Protocol Tunneling",
"Encrypted Channel",
"Symmetric Cryptography",
"Asymmetric Cryptography",
"Hijack Execution Flow",
"DLL Search Order Hijacking",
"DLL Side-Loading",
"Dylib Hijacking",
"Executable Installer File Permissions Weakness",
"Dynamic Linker Hijacking",
"Path Interception by PATH Environment Variable",
"Path Interception by Search Order Hijacking",
"Path Interception by Unquoted Path",
"Services File Permissions Weakness",
"Services Registry Permissions Weakness",
"COR_PROFILER",
"Modify Cloud Compute Infrastructure",
"Create Snapshot",
"Create Cloud Instance",
"Delete Cloud Instance",
"Revert Cloud Instance",
"Cloud Infrastructure Discovery",
"Acquire Infrastructure",
"Domains",
"DNS Server",
"Virtual Private Server",
"Server",
"Botnet",
"Web Services",
"Compromise Infrastructure",
"Domains",
"DNS Server",
"Virtual Private Server",
"Server",
"Botnet",
"Web Services",
"Establish Accounts",
"Social Media Accounts",
"Email Accounts",
"Compromise Accounts",
"Social Media Accounts",
"Email Accounts",
"Develop Capabilities",
"Malware",
"Code Signing Certificates",
"Digital Certificates",
"Exploits",
"Obtain Capabilities",
"Malware",
"Tool",
"Code Signing Certificates",
"Digital Certificates",
"Exploits",
"Vulnerabilities",
"Gather Victim Identity Information",
"Credentials",
"Email Addresses",
"Employee Names",
"Gather Victim Network Information",
"Domain Properties",
"DNS",
"Network Trust Dependencies",
"Network Topology",
"IP Addresses",
"Network Security Appliances",
"Gather Victim Org Information",
"Determine Physical Locations",
"Business Relationships",
"Identify Business Tempo",
"Identify Roles",
"Gather Victim Host Information",
"Hardware",
"Software",
"Firmware",
"Client Configurations",
"Search Open Websites/Domains",
"Social Media",
"Search Engines",
"Search Victim-Owned Websites",
"Active Scanning",
"Scanning IP Blocks",
"Vulnerability Scanning",
"Search Open Technical Databases",
"DNS/Passive DNS",
"WHOIS",
"Digital Certificates",
"CDNs",
"Scan Databases",
"Search Closed Sources",
"Threat Intel Vendors",
"Purchase Technical Data",
"Phishing for Information",
"Spearphishing Service",
"Spearphishing Attachment",
"Spearphishing Link",
"Network Boundary Bridging",
"Network Address Translation Traversal",
"Weaken Encryption",
"Reduce Key Space",
"Disable Crypto Hardware",
"Modify System Image",
"Patch System Image",
"Downgrade System Image",
"Data from Configuration Repository",
"SNMP (MIB Dump)",
"Network Device Configuration Dump",
"Forge Web Credentials",
"Web Cookies",
"SAML Tokens",
"Stage Capabilities",
"Upload Malware",
"Upload Tool",
"Install Digital Certificate",
"Drive-by Target",
"Link Target",
"Container Administration Command",
"Deploy Container",
"Escape to Host",
"Build Image on Host",
"Container and Resource Discovery",
"System Location Discovery",
"System Language Discovery",
"Group Policy Discovery",
"Cloud Storage Object Discovery",
"Reflective Code Loading"
]