Posts by Tag

windows

T1574.011

Hijack Execution Flow: Services Registry Permissions Weakness

T1574.009

Hijack Execution Flow: Path Interception by Unquoted Path

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

T1564.001

Hide Artifacts: Hidden Files and Directories

T1563.002

Remote Service Session Hijacking: RDP Hijacking

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.002

Impair Defenses: Disable Windows Event Logging

T1562.001

Impair Defenses: Disable or Modify Tools

T1560

Archive Collected Data

T1560.001

Archive Collected Data: Archive via Utility

T1559.002

Inter-Process Communication: Dynamic Data Exchange

T1558.003

Steal or Forge Kerberos Tickets: Kerberoasting

T1556.002

Modify Authentication Process: Password Filter DLL

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1553.004

Subvert Trust Controls: Install Root Certificate

T1552.006

Unsecured Credentials: Group Policy Preferences

T1552.002

Unsecured Credentials: Credentials in Registry

T1552.001

Unsecured Credentials: Credentials In Files

T1550.003

Use Alternate Authentication Material: Pass the Ticket

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1548.002

Abuse Elevation Control Mechanism: Bypass User Access Control

T1547.009

Boot or Logon Autostart Execution: Shortcut Modification

T1547.005

Boot or Logon Autostart Execution: Security Support Provider

T1547.004

Boot or Logon Autostart Execution: Winlogon Helper DLL

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1546.013

Event Triggered Execution: PowerShell Profile

T1546.012

Event Triggered Execution: Image File Execution Options Injection

T1546.011

Event Triggered Execution: Application Shimming

T1546.010

Event Triggered Execution: AppInit DLLs

T1546.008

Event Triggered Execution: Accessibility Features

T1546.007

Event Triggered Execution: Netsh Helper DLL

T1546.003

Event Triggered Execution: Windows Management Instrumentation Event Subscription

T1546.002

Event Triggered Execution: Screensaver

T1546.001

Event Triggered Execution: Change Default File Association

T1543.003

Create or Modify System Process: Windows Service

T1531

Account Access Removal

T1529

System Shutdown/Reboot

T1518.001

Software Discovery: Security Software Discovery

T1505.002

Server Software Component: Transport Agent

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1490

Inhibit System Recovery

T1482

Domain Trust Discovery

T1222.001

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

T1219

Remote Access Software

T1218

Signed Binary Proxy Execution

T1218.011

Signed Binary Proxy Execution: Rundll32

T1218.010

Signed Binary Proxy Execution: Regsvr32

T1218.009

Signed Binary Proxy Execution: Regsvcs/Regasm

T1218.008

Signed Binary Proxy Execution: Odbcconf

T1218.007

Signed Binary Proxy Execution: Msiexec

T1218.004

Signed Binary Proxy Execution: InstallUtil

T1218.002

Signed Binary Proxy Execution: Control Panel

T1218.001

Signed Binary Proxy Execution: Compiled HTML File

T1217

Browser Bookmark Discovery

T1216

Signed Script Proxy Execution

T1207

Rogue Domain Controller

T1202

Indirect Command Execution

T1201

Password Policy Discovery

T1140

Deobfuscate/Decode Files or Information

T1137.002

Office Application Startup: Office Test

T1135

Network Share Discovery

T1134.004

Access Token Manipulation: Parent PID Spoofing

T1134.001

Access Token Manipulation: Token Impersonation/Theft

T1127.001

Trusted Developer Utilities Proxy Execution: MSBuild

T1114.001

Email Collection: Local Email Collection

T1095

Non-Application Layer Protocol

T1083

File and Directory Discovery

T1082

System Information Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070

Indicator Removal on Host

T1070.005

Indicator Removal on Host: Network Share Connection Removal

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

T1069.002

Permission Groups Discovery: Domain Groups

T1069.001

Permission Groups Discovery: Local Groups

T1059.005

Command and Scripting Interpreter: Visual Basic

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1059.001

Command and Scripting Interpreter: PowerShell

T1055.004

Process Injection: Asynchronous Procedure Call

T1049

System Network Connections Discovery

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1047

Windows Management Instrumentation

T1046

Network Service Scanning

T1037.001

Boot or Logon Initialization Scripts: Logon Script (Windows)

T1036.004

Masquerading: Masquerade Task or Service

T1033

System Owner/User Discovery

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1021.006

Remote Services: Windows Remote Management

T1021.003

Remote Services: Distributed Component Object Model

T1021.002

Remote Services: SMB/Windows Admin Shares

T1021.001

Remote Services: Remote Desktop Protocol

T1020

Automated Exfiltration

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1010

Application Window Discovery

T1007

System Service Discovery

T1003.002

OS Credential Dumping: Security Account Manager


command_prompt

T1574.011

Hijack Execution Flow: Services Registry Permissions Weakness

T1574.009

Hijack Execution Flow: Path Interception by Unquoted Path

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

T1564.001

Hide Artifacts: Hidden Files and Directories

T1563.002

Remote Service Session Hijacking: RDP Hijacking

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.001

Impair Defenses: Disable or Modify Tools

T1560.001

Archive Collected Data: Archive via Utility

T1559.002

Inter-Process Communication: Dynamic Data Exchange

T1553.004

Subvert Trust Controls: Install Root Certificate

T1552.006

Unsecured Credentials: Group Policy Preferences

T1552.002

Unsecured Credentials: Credentials in Registry

T1552.001

Unsecured Credentials: Credentials In Files

T1550.003

Use Alternate Authentication Material: Pass the Ticket

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1548.002

Abuse Elevation Control Mechanism: Bypass User Access Control

T1547.009

Boot or Logon Autostart Execution: Shortcut Modification

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1546.012

Event Triggered Execution: Image File Execution Options Injection

T1546.011

Event Triggered Execution: Application Shimming

T1546.010

Event Triggered Execution: AppInit DLLs

T1546.008

Event Triggered Execution: Accessibility Features

T1546.007

Event Triggered Execution: Netsh Helper DLL

T1546.002

Event Triggered Execution: Screensaver

T1546.001

Event Triggered Execution: Change Default File Association

T1543.003

Create or Modify System Process: Windows Service

T1531

Account Access Removal

T1529

System Shutdown/Reboot

T1518.001

Software Discovery: Security Software Discovery

T1490

Inhibit System Recovery

T1482

Domain Trust Discovery

T1222.001

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

T1218

Signed Binary Proxy Execution

T1218.011

Signed Binary Proxy Execution: Rundll32

T1218.010

Signed Binary Proxy Execution: Regsvr32

T1218.009

Signed Binary Proxy Execution: Regsvcs/Regasm

T1218.008

Signed Binary Proxy Execution: Odbcconf

T1218.007

Signed Binary Proxy Execution: Msiexec

T1218.002

Signed Binary Proxy Execution: Control Panel

T1218.001

Signed Binary Proxy Execution: Compiled HTML File

T1217

Browser Bookmark Discovery

T1216

Signed Script Proxy Execution

T1202

Indirect Command Execution

T1201

Password Policy Discovery

T1140

Deobfuscate/Decode Files or Information

T1137.002

Office Application Startup: Office Test

T1135

Network Share Discovery

T1127.001

Trusted Developer Utilities Proxy Execution: MSBuild

T1083

File and Directory Discovery

T1082

System Information Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070

Indicator Removal on Host

T1070.005

Indicator Removal on Host: Network Share Connection Removal

T1070.004

Indicator Removal on Host: File Deletion

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

T1069.002

Permission Groups Discovery: Domain Groups

T1069.001

Permission Groups Discovery: Local Groups

T1059.001

Command and Scripting Interpreter: PowerShell

T1055.004

Process Injection: Asynchronous Procedure Call

T1049

System Network Connections Discovery

T1047

Windows Management Instrumentation

T1037.001

Boot or Logon Initialization Scripts: Logon Script (Windows)

T1036.004

Masquerading: Masquerade Task or Service

T1033

System Owner/User Discovery

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1021.002

Remote Services: SMB/Windows Admin Shares

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1010

Application Window Discovery

T1007

System Service Discovery

T1003.002

OS Credential Dumping: Security Account Manager


powershell

T1574.011

Hijack Execution Flow: Services Registry Permissions Weakness

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.002

Impair Defenses: Disable Windows Event Logging

T1562.001

Impair Defenses: Disable or Modify Tools

T1560

Archive Collected Data

T1558.003

Steal or Forge Kerberos Tickets: Kerberoasting

T1556.002

Modify Authentication Process: Password Filter DLL

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1553.004

Subvert Trust Controls: Install Root Certificate

T1552.006

Unsecured Credentials: Group Policy Preferences

T1552.001

Unsecured Credentials: Credentials In Files

T1548.002

Abuse Elevation Control Mechanism: Bypass User Access Control

T1547.009

Boot or Logon Autostart Execution: Shortcut Modification

T1547.005

Boot or Logon Autostart Execution: Security Support Provider

T1547.004

Boot or Logon Autostart Execution: Winlogon Helper DLL

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1546.013

Event Triggered Execution: PowerShell Profile

T1546.011

Event Triggered Execution: Application Shimming

T1546.008

Event Triggered Execution: Accessibility Features

T1546.003

Event Triggered Execution: Windows Management Instrumentation Event Subscription

T1543.003

Create or Modify System Process: Windows Service

T1531

Account Access Removal

T1518.001

Software Discovery: Security Software Discovery

T1505.002

Server Software Component: Transport Agent

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1490

Inhibit System Recovery

T1482

Domain Trust Discovery

T1222.001

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

T1219

Remote Access Software

T1218.009

Signed Binary Proxy Execution: Regsvcs/Regasm

T1218.004

Signed Binary Proxy Execution: InstallUtil

T1218.001

Signed Binary Proxy Execution: Compiled HTML File

T1217

Browser Bookmark Discovery

T1135

Network Share Discovery

T1134.004

Access Token Manipulation: Parent PID Spoofing

T1134.001

Access Token Manipulation: Token Impersonation/Theft

T1114.001

Email Collection: Local Email Collection

T1095

Non-Application Layer Protocol

T1083

File and Directory Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070.005

Indicator Removal on Host: Network Share Connection Removal

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

T1069.002

Permission Groups Discovery: Domain Groups

T1069.001

Permission Groups Discovery: Local Groups

T1059.005

Command and Scripting Interpreter: Visual Basic

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1059.001

Command and Scripting Interpreter: PowerShell

T1049

System Network Connections Discovery

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1046

Network Service Scanning

T1033

System Owner/User Discovery

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1021.006

Remote Services: Windows Remote Management

T1021.003

Remote Services: Distributed Component Object Model

T1021.002

Remote Services: SMB/Windows Admin Shares

T1021.001

Remote Services: Remote Desktop Protocol

T1020

Automated Exfiltration

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1003.002

OS Credential Dumping: Security Account Manager


macos

T1564.001

Hide Artifacts: Hidden Files and Directories

T1562.001

Impair Defenses: Disable or Modify Tools

T1560.001

Archive Collected Data: Archive via Utility

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1555.001

Credentials from Password Stores: Keychain

T1553.004

Subvert Trust Controls: Install Root Certificate

T1553.001

Subvert Trust Controls: Gatekeeper Bypass

T1552.001

Unsecured Credentials: Credentials In Files

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

T1547.011

Boot or Logon Autostart Execution: Plist Modification

T1547.007

Boot or Logon Autostart Execution: Re-opened Applications

T1546.004

Event Triggered Execution: .bash_profile and .bashrc

T1543.004

Create or Modify System Process: Launch Daemon

T1543.001

Create or Modify System Process: Launch Agent

T1529

System Shutdown/Reboot

T1518.001

Software Discovery: Security Software Discovery

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1217

Browser Bookmark Discovery

T1201

Password Policy Discovery

T1135

Network Share Discovery

T1083

File and Directory Discovery

T1082

System Information Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1069.003

Permission Groups Discovery: Cloud Groups

T1069.001

Permission Groups Discovery: Local Groups

T1059.004

Command and Scripting Interpreter: Bash

T1059.002

Command and Scripting Interpreter: AppleScript

T1049

System Network Connections Discovery

T1048

Exfiltration Over Alternative Protocol

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1046

Network Service Scanning

T1037.005

Boot or Logon Initialization Scripts: Startup Items

T1037.004

Boot or Logon Initialization Scripts: Rc.common

T1037.002

Boot or Logon Initialization Scripts: Logon Script (Mac)

T1033

System Owner/User Discovery

T1030

Data Transfer Size Limits

T1027

Obfuscated Files or Information

T1027.002

Obfuscated Files or Information: Software Packing

T1027.001

Obfuscated Files or Information: Binary Padding

T1018

Remote System Discovery

T1016

System Network Configuration Discovery


linux

T1564.001

Hide Artifacts: Hidden Files and Directories

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.001

Impair Defenses: Disable or Modify Tools

T1560.001

Archive Collected Data: Archive via Utility

T1553.004

Subvert Trust Controls: Install Root Certificate

T1552.001

Unsecured Credentials: Credentials In Files

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions

T1546.004

Event Triggered Execution: .bash_profile and .bashrc

T1543.002

Create or Modify System Process: Systemd Service

T1529

System Shutdown/Reboot

T1518.001

Software Discovery: Security Software Discovery

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1217

Browser Bookmark Discovery

T1201

Password Policy Discovery

T1135

Network Share Discovery

T1083

File and Directory Discovery

T1082

System Information Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1069.003

Permission Groups Discovery: Cloud Groups

T1069.001

Permission Groups Discovery: Local Groups

T1059.004

Command and Scripting Interpreter: Bash

T1049

System Network Connections Discovery

T1048

Exfiltration Over Alternative Protocol

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1046

Network Service Scanning

T1033

System Owner/User Discovery

T1030

Data Transfer Size Limits

T1027

Obfuscated Files or Information

T1027.002

Obfuscated Files or Information: Software Packing

T1027.001

Obfuscated Files or Information: Binary Padding

T1018

Remote System Discovery

T1016

System Network Configuration Discovery


sh

T1564.001

Hide Artifacts: Hidden Files and Directories

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.001

Impair Defenses: Disable or Modify Tools

T1560.001

Archive Collected Data: Archive via Utility

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1555.001

Credentials from Password Stores: Keychain

T1553.004

Subvert Trust Controls: Install Root Certificate

T1553.001

Subvert Trust Controls: Gatekeeper Bypass

T1552.001

Unsecured Credentials: Credentials In Files

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

T1547.007

Boot or Logon Autostart Execution: Re-opened Applications

T1546.004

Event Triggered Execution: .bash_profile and .bashrc

T1518.001

Software Discovery: Security Software Discovery

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1217

Browser Bookmark Discovery

T1135

Network Share Discovery

T1083

File and Directory Discovery

T1082

System Information Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1069.003

Permission Groups Discovery: Cloud Groups

T1069.001

Permission Groups Discovery: Local Groups

T1059.004

Command and Scripting Interpreter: Bash

T1059.002

Command and Scripting Interpreter: AppleScript

T1049

System Network Connections Discovery

T1048

Exfiltration Over Alternative Protocol

T1046

Network Service Scanning

T1037.005

Boot or Logon Initialization Scripts: Startup Items

T1033

System Owner/User Discovery

T1030

Data Transfer Size Limits

T1027

Obfuscated Files or Information

T1027.002

Obfuscated Files or Information: Software Packing

T1027.001

Obfuscated Files or Information: Binary Padding

T1018

Remote System Discovery

T1016

System Network Configuration Discovery


bash

T1552.001

Unsecured Credentials: Credentials In Files

T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions

T1543.004

Create or Modify System Process: Launch Daemon

T1543.002

Create or Modify System Process: Systemd Service

T1543.001

Create or Modify System Process: Launch Agent

T1529

System Shutdown/Reboot

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1201

Password Policy Discovery

T1082

System Information Discovery

T1070.004

Indicator Removal on Host: File Deletion

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1037.004

Boot or Logon Initialization Scripts: Rc.common


manual

T1559.002

Inter-Process Communication: Dynamic Data Exchange

T1547.011

Boot or Logon Autostart Execution: Plist Modification

T1547.007

Boot or Logon Autostart Execution: Re-opened Applications

T1207

Rogue Domain Controller

T1059.001

Command and Scripting Interpreter: PowerShell

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1037.002

Boot or Logon Initialization Scripts: Logon Script (Mac)
