ATT&CK.md

2000 lines (1443 loc) · 179 KB

## Credential Access

- T1556.003: Pluggable Authentication Modules
- T1056.001: Keylogging
- T1003: OS Credential Dumping
- T1552.005: Cloud Instance Metadata API (missing from ATT&CK)
- T1110.002: Password Cracking
- T1003.007: Proc Filesystem
- T1555.005: Password Managers
- T1040: Network Sniffing
- T1558: Steal or Forge Kerberos Tickets
- T1555: Credentials from Password Stores
- T1552: Unsecured Credentials
- T1552.004: Private Keys
- T1110.003: Password Spraying
- T1649: Steal or Forge Authentication Certificates
- T1552.003: Bash History
- T1212: Exploitation for Credential Access
- T1110: Brute Force
- T1003.008: /etc/passwd and /etc/shadow
- T1556: Modify Authentication Process

## Execution

- T1129: Shared Modules (missing from ATT&CK)
- T1053.003: Cron
- T1106: Native API
- T1610: Deploy Container (missing from ATT&CK)
- T1053.001: At (Linux)
- T1059: Command and Scripting Interpreter
- T1204: User Execution
- T1072: Software Deployment Tools
- T1059.004: Unix Shell
- T1559: Inter-Process Communication
- T1569: System Services
- T1569.002: Service Execution (missing from ATT&CK)

## Impact

- T1486: Data Encrypted for Impact
- T1499: Endpoint Denial of Service
- T1496: Resource Hijacking
- T1565.002: Transmitted Data Manipulation
- T1485: Data Destruction
- T1498: Network Denial of Service
- T1490: Inhibit System Recovery
- T1561.001: Disk Content Wipe
- T1529: System Shutdown/Reboot

## Persistence

- T1205.002: Socket Filters
- T1037: Boot or Logon Initialization Scripts
- T1556.003: Pluggable Authentication Modules
- T1543: Create or Modify System Process
- T1133: External Remote Services
- T1542.003: Bootkit
- T1053.003: Cron
- T1098.003: Additional Cloud Roles (missing from ATT&CK)
- T1205: Traffic Signaling
- T1525: Implant Internal Image (missing from ATT&CK)
- T1505.003: Web Shell
- T1078.001: Default Accounts
- T1574.006: Dynamic Linker Hijacking
- T1053.001: At (Linux)
- T1098.004: SSH Authorized Keys
- T1205.001: Port Knocking
- T1554: Compromise Client Software Binary
- T1136.003: Cloud Account (missing from ATT&CK)
- T1098: Account Manipulation
- T1547.006: Kernel Modules and Extensions
- T1574: Hijack Execution Flow
- T1078: Valid Accounts
- T1546.004: Unix Shell Configuration Modification
- T1100: Web Shell
- T1505: Server Software Component
- T1037.004: RC Scripts
- T1543.002: Systemd Service
- T1136: Create Account
- T1574.002: DLL Side-Loading (missing from ATT&CK)
- T1078.004: Cloud Accounts (missing from ATT&CK)
- T1556: Modify Authentication Process

## Privilege Escalation

- T1037: Boot or Logon Initialization Scripts
- T1543: Create or Modify System Process
- T1053.003: Cron
- T1055: Process Injection
- T1611: Escape to Host
- T1078.001: Default Accounts
- T1574.006: Dynamic Linker Hijacking
- T1053.001: At (Linux)
- T1548: Abuse Elevation Control Mechanism
- T1548.001: Setuid and Setgid
- T1134.004: Parent PID Spoofing (missing from ATT&CK)
- T1547.006: Kernel Modules and Extensions
- T1574: Hijack Execution Flow
- T1078: Valid Accounts
- T1055.012: Process Hollowing (missing from ATT&CK)
- T1068: Exploitation for Privilege Escalation
- T1546.004: Unix Shell Configuration Modification
- T1100: Web Shell
- T1055.009: Proc Memory
- T1037.004: RC Scripts
- T1543.002: Systemd Service
- T1574.002: DLL Side-Loading (missing from ATT&CK)
- T1055.008: Ptrace System Calls
- T1078.004: Cloud Accounts (missing from ATT&CK)

## Lateral Movement

- T1021.005: VNC
- T1021.004: SSH
- T1563.001: SSH Hijacking
- T1021.002: SMB/Windows Admin Shares (missing from ATT&CK)
- T1021: Remote Services
- T1072: Software Deployment Tools

## Defense Evasion

- T1205.002: Socket Filters
- T1027.009: Embedded Payloads
- T1556.003: Pluggable Authentication Modules
- T1014: Rootkit
- T1578: Modify Cloud Compute Infrastructure (missing from ATT&CK)
- T1542.003: Bootkit
- T1036.005: Match Legitimate Name or Location
- T1564: Hide Artifacts
- T1070.002: Clear Linux or Mac System Logs
- T1202: Indirect Command Execution (missing from ATT&CK)
- T1140: Deobfuscate/Decode Files or Information
- T1562: Impair Defenses
- T1036: Masquerading
- T1055: Process Injection
- T1205: Traffic Signaling
- T1218: System Binary Proxy Execution
- T1070.006: Timestomp
- T1620: Reflective Code Loading
- T1497.003: Time Based Evasion
- T1599.001: Network Address Translation Traversal (missing from ATT&CK)
- T1562.004: Disable or Modify System Firewall
- T1610: Deploy Container (missing from ATT&CK)
- T1078.001: Default Accounts
- T1574.006: Dynamic Linker Hijacking
- T1222: File and Directory Permissions Modification
- T1548: Abuse Elevation Control Mechanism
- T1548.001: Setuid and Setgid
- T1562.006: Indicator Blocking
- T1070: Indicator Removal
- T1036.004: Masquerade Task or Service
- T1480: Execution Guardrails
- T1205.001: Port Knocking
- T1562.003: Impair Command History Logging
- T1134.004: Parent PID Spoofing (missing from ATT&CK)
- T1562.001: Disable or Modify Tools
- T1601: Modify System Image (missing from ATT&CK)
- T1574: Hijack Execution Flow
- T1078: Valid Accounts
- T1055.012: Process Hollowing (missing from ATT&CK)
- T1027: Obfuscated Files or Information
- T1036.003: Rename System Utilities
- T1027.004: Compile After Delivery
- T1562.008: Disable Cloud Logs (missing from ATT&CK)
- T1578.002: Create Cloud Instance (missing from ATT&CK)
- T1055.009: Proc Memory
- T1070.004: File Deletion
- T1027.002: Software Packing
- T1622: Debugger Evasion
- T1574.002: DLL Side-Loading (missing from ATT&CK)
- T1055.008: Ptrace System Calls
- T1027.007: Dynamic API Resolution (missing from ATT&CK)
- T1564.001: Hidden Files and Directories
- T1078.004: Cloud Accounts (missing from ATT&CK)
- T1480.001: Environmental Keying
- T1556: Modify Authentication Process

## Exfiltration

- T1567: Exfiltration Over Web Service
- T1020: Automated Exfiltration
- T1048.001: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
- T1041: Exfiltration Over C2 Channel
- T1048: Exfiltration Over Alternative Protocol
- T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol

## Discovery

- T1033: System Owner/User Discovery
- T1613: Container and Resource Discovery (missing from ATT&CK)
- T1069: Permission Groups Discovery
- T1069.003: Cloud Groups (missing from ATT&CK)
- T1087.002: Domain Account
- T1007: System Service Discovery
- T1040: Network Sniffing
- T1082: System Information Discovery
- T1497.003: Time Based Evasion
- T1580: Cloud Infrastructure Discovery (missing from ATT&CK)
- T1016: System Network Configuration Discovery
- T1083: File and Directory Discovery
- T1619: Cloud Storage Object Discovery (missing from ATT&CK)
- T1057: Process Discovery
- T1526: Cloud Service Discovery (missing from ATT&CK)
- T1018: Remote System Discovery
- T1046: Network Service Discovery
- T1518: Software Discovery
- T1622: Debugger Evasion
- T1124: System Time Discovery (missing from ATT&CK)

## Collection

- T1560.001: Archive via Utility
- T1056.001: Keylogging
- T1602: Data from Configuration Repository (missing from ATT&CK)
- T1005: Data from Local System
- T1560.002: Archive via Library
- T1213.003: Code Repositories (missing from ATT&CK)
- T1602.001: SNMP (MIB Dump) (missing from ATT&CK)

## Resource Development

- T1583.008: Malvertising (missing from ATT&CK)
- T1587.001: Malware (missing from ATT&CK)
- T1587.002: Code Signing Certificates (missing from ATT&CK)
- T1608.001: Upload Malware (missing from ATT&CK)
- T1583.001: Domains (missing from ATT&CK)
- T1608.002: Upload Tool (missing from ATT&CK)
- T1588.001: Malware (missing from ATT&CK)
- T1584: Compromise Infrastructure (missing from ATT&CK)
- T1608: Stage Capabilities (missing from ATT&CK)
- T1588.002: Tool (missing from ATT&CK)
- T1585: Establish Accounts (missing from ATT&CK)
- T1588: Obtain Capabilities (missing from ATT&CK)

## Reconnaissance

- T1590.002: DNS (missing from ATT&CK)
- T1594: Search Victim-Owned Websites (missing from ATT&CK)
- T1589: Gather Victim Identity Information (missing from ATT&CK)
- T1595.002: Vulnerability Scanning (missing from ATT&CK)
- T1595: Active Scanning (missing from ATT&CK)
- T1590: Gather Victim Network Information (missing from ATT&CK)
- T1593: Search Open Websites/Domains (missing from ATT&CK)
- T1592.002: Software (missing from ATT&CK)
- T1589.001: Credentials (missing from ATT&CK)

## Command and Control

- T1205.002: Socket Filters
- T1132.001: Standard Encoding
- T1071.004: DNS
- T1573.001: Symmetric Cryptography
- T1071: Application Layer Protocol
- T1205: Traffic Signaling
- T1572: Protocol Tunneling
- T1092: Communication Through Removable Media
- T1090.002: External Proxy
- T1090: Proxy
- T1102: Web Service
- T1205.001: Port Knocking
- T1071.002: File Transfer Protocols
- T1090.003: Multi-hop Proxy
- T1001: Data Obfuscation
- T1571: Non-Standard Port
- T1573: Encrypted Channel
- T1573.002: Asymmetric Cryptography
- T1095: Non-Application Layer Protocol
- T1001.003: Protocol Impersonation
- T1132: Data Encoding
- T1132.002: Non-Standard Encoding
- T1071.001: Web Protocols
- T1105: Ingress Tool Transfer
- T1090.001: Internal Proxy

## Initial Access

- T1133: External Remote Services
- T1195.001: Compromise Software Dependencies and Development Tools
- T1566.001: Spearphishing Attachment
- T1190: Exploit Public-Facing Application
- T1078.001: Default Accounts
- T1199: Trusted Relationship
- T1078: Valid Accounts
- T1078.004: Cloud Accounts (missing from ATT&CK)