├── 20220307 ├── AttackCoverage.xlsx ├── attack_groups.txt ├── attack_identity.txt ├── attack_malware.txt ├── attack_marking-definition.txt ├── attack_matrix.txt ├── attack_mitigations.txt ├── attack_relationships.txt ├── attack_tactics.txt ├── attack_techniques.txt ├── attack_tools.txt ├── data_sources.csv ├── tactics.csv └── techniques.csv ├── 20220505 ├── AttackCoverage.xlsx ├── attack_data-component.txt ├── attack_data-source.txt ├── attack_groups.txt ├── attack_identity.txt ├── attack_malware.txt ├── attack_marking-definition.txt ├── attack_matrix.txt ├── attack_mitigations.txt ├── attack_relationships.txt ├── attack_tactics.txt ├── attack_techniques.txt ├── attack_tools.txt ├── data_sources.csv ├── tactics.csv └── techniques.csv ├── AttackCoverage.xlsx ├── LICENSE ├── README.md ├── images ├── ac_img_1.png ├── ac_img_10.png ├── ac_img_11.png ├── ac_img_12.png ├── ac_img_13.png ├── ac_img_14.png ├── ac_img_15.png ├── ac_img_16.png ├── ac_img_17.png ├── ac_img_18.png ├── ac_img_19.png ├── ac_img_2.png ├── ac_img_3.png ├── ac_img_4.png ├── ac_img_5.png ├── ac_img_6.png ├── ac_img_7.png ├── ac_img_8.png └── ac_img_9.png └── scripts ├── get_attack_enterprise.py └── get_tt.py /20220307/AttackCoverage.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/20220307/AttackCoverage.xlsx -------------------------------------------------------------------------------- /20220307/attack_identity.txt: -------------------------------------------------------------------------------- 1 | {'modified': '2017-06-01T00:00:00.000Z', 'name': 'The MITRE Corporation', 'identity_class': 'organization', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'identity', 'id': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2017-06-01T00:00:00.000Z'} 2 | 
-------------------------------------------------------------------------------- /20220307/attack_marking-definition.txt: -------------------------------------------------------------------------------- 1 | {'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'definition_type': 'statement', 'definition': {'statement': 'Copyright 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.'}, 'type': 'marking-definition', 'id': 'marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168', 'created': '2017-06-01T00:00:00.000Z'} 2 | -------------------------------------------------------------------------------- /20220307/attack_matrix.txt: -------------------------------------------------------------------------------- 1 | {'external_references': [{'url': 'https://attack.mitre.org/matrices/enterprise', 'external_id': 'enterprise-attack', 'source_name': 'mitre-attack'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-matrix', 'matrix': 'mitre-attack', 'matrix_description': 'Below are the tactics and technique representing the MITRE ATT&CK Matrix for Enterprise. 
The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.', 'modified': '2021-11-03T20:11:51.915Z', 'id': 'x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc', 'created': '2018-10-17T00:14:20.652Z', 'tactic_references': ['x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592', 'x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400', 'x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca', 'x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5', 'x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92', 'x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd', 'x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a', 'x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263', 'x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9', 'x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e', 'x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe', 'x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813', 'x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462', 'x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8'], 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/matrices/enterprise'} 2 | -------------------------------------------------------------------------------- /20220307/attack_tactics.txt: -------------------------------------------------------------------------------- 1 | {'external_references': [{'url': 'https://attack.mitre.org/tactics/TA0043', 'external_id': 'TA0043', 'source_name': 'mitre-attack'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Reconnaissance', 'tactic_description': 'The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. 
Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.', 'modified': '2020-10-18T02:04:50.842Z', 'id': 'x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592', 'created': '2020-10-02T14:48:41.809Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0043', 'matrix': 'mitre-attack', 'tactic_shortname': 'reconnaissance'} 2 | {'external_references': [{'url': 'https://attack.mitre.org/tactics/TA0042', 'external_id': 'TA0042', 'source_name': 'mitre-attack'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Resource Development', 'tactic_description': 'The adversary is trying to establish resources they can use to support operations.\n\nResource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. 
These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.', 'modified': '2020-09-30T16:31:36.322Z', 'id': 'x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400', 'created': '2020-09-30T16:11:59.650Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0042', 'matrix': 'mitre-attack', 'tactic_shortname': 'resource-development'} 3 | {'external_references': [{'url': 'https://attack.mitre.org/tactics/TA0040', 'external_id': 'TA0040', 'source_name': 'mitre-attack'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Impact', 'tactic_description': 'The adversary is trying to manipulate, interrupt, or destroy your systems and data.\n \nImpact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. 
These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.', 'modified': '2019-07-25T18:42:23.222Z', 'id': 'x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8', 'created': '2019-03-14T18:44:44.639Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0040', 'matrix': 'mitre-attack', 'tactic_shortname': 'impact'} 4 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0006', 'url': 'https://attack.mitre.org/tactics/TA0006'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Credential Access', 'tactic_description': 'The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.', 'modified': '2019-07-19T17:43:41.967Z', 'id': 'x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0006', 'matrix': 'mitre-attack', 'tactic_shortname': 'credential-access'} 5 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0005', 'url': 'https://attack.mitre.org/tactics/TA0005'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Defense Evasion', 'tactic_description': 'The adversary is trying to avoid being detected.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. 
Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. ', 'modified': '2019-07-19T17:43:23.473Z', 'id': 'x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0005', 'matrix': 'mitre-attack', 'tactic_shortname': 'defense-evasion'} 6 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0001', 'url': 'https://attack.mitre.org/tactics/TA0001'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Initial Access', 'tactic_description': 'The adversary is trying to get into your network.\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. 
Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.', 'modified': '2019-07-19T17:41:41.425Z', 'id': 'x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0001', 'matrix': 'mitre-attack', 'tactic_shortname': 'initial-access'} 7 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0011', 'url': 'https://attack.mitre.org/tactics/TA0011'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Command and Control', 'tactic_description': 'The adversary is trying to communicate with compromised systems to control them.\n\nCommand and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. 
There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.', 'modified': '2019-07-19T17:45:30.644Z', 'id': 'x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0011', 'matrix': 'mitre-attack', 'tactic_shortname': 'command-and-control'} 8 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0010', 'url': 'https://attack.mitre.org/tactics/TA0010'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Exfiltration', 'tactic_description': 'The adversary is trying to steal data.\n\nExfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. 
Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.', 'modified': '2019-07-19T17:45:12.806Z', 'id': 'x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0010', 'matrix': 'mitre-attack', 'tactic_shortname': 'exfiltration'} 9 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0004', 'url': 'https://attack.mitre.org/tactics/TA0004'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Privilege Escalation', 'tactic_description': 'The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: \n\n* SYSTEM/root level\n* local administrator\n* user account with admin-like access \n* user accounts with access to specific system or perform specific function\n\nThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. 
', 'modified': '2021-01-06T14:21:21.641Z', 'id': 'x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0004', 'matrix': 'mitre-attack', 'tactic_shortname': 'privilege-escalation'} 10 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0009', 'url': 'https://attack.mitre.org/tactics/TA0009'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Collection', 'tactic_description': "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.", 'modified': '2019-07-19T17:44:53.176Z', 'id': 'x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0009', 'matrix': 'mitre-attack', 'tactic_shortname': 'collection'} 11 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0002', 'url': 'https://attack.mitre.org/tactics/TA0002'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Execution', 'tactic_description': 'The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system. 
Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. ', 'modified': '2019-07-19T17:42:06.909Z', 'id': 'x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0002', 'matrix': 'mitre-attack', 'tactic_shortname': 'execution'} 12 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0003', 'url': 'https://attack.mitre.org/tactics/TA0003'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Persistence', 'tactic_description': 'The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. 
', 'modified': '2019-07-19T17:42:33.899Z', 'id': 'x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0003', 'matrix': 'mitre-attack', 'tactic_shortname': 'persistence'} 13 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0007', 'url': 'https://attack.mitre.org/tactics/TA0007'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Discovery', 'tactic_description': 'The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. ', 'modified': '2019-07-19T17:44:13.228Z', 'id': 'x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0007', 'matrix': 'mitre-attack', 'tactic_shortname': 'discovery'} 14 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0008', 'url': 'https://attack.mitre.org/tactics/TA0008'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Lateral Movement', 'tactic_description': 'The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. 
Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. ', 'modified': '2019-07-19T17:44:36.953Z', 'id': 'x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0008', 'matrix': 'mitre-attack', 'tactic_shortname': 'lateral-movement'} 15 | -------------------------------------------------------------------------------- /20220307/data_sources.csv: -------------------------------------------------------------------------------- 1 | data sources 2 | Active Directory: Active Directory Credential Request 3 | Active Directory: Active Directory Object Access 4 | Active Directory: Active Directory Object Creation 5 | Active Directory: Active Directory Object Deletion 6 | Active Directory: Active Directory Object Modification 7 | Application Log: Application Log Content 8 | Certificate: Certificate Registration 9 | Cloud Service: Cloud Service Disable 10 | Cloud Service: Cloud Service Enumeration 11 | Cloud Service: Cloud Service Metadata 12 | Cloud Service: Cloud Service Modification 13 | Cloud Storage: Cloud Storage Access 14 | Cloud Storage: Cloud Storage Creation 15 | Cloud Storage: Cloud Storage Deletion 16 | Cloud Storage: Cloud Storage Enumeration 17 | Cloud Storage: Cloud Storage Metadata 18 | Cloud Storage: Cloud Storage Modification 19 | Cluster: Cluster Metadata 20 | Command: Command Execution 21 | Container: Container Creation 22 | Container: Container Enumeration 23 | Container: Container Metadata 24 | Container: Container Start 25 | Domain Name: 
Active DNS 26 | Domain Name: Domain Registration 27 | Domain Name: Passive DNS 28 | Drive: Drive Access 29 | Drive: Drive Creation 30 | Drive: Drive Modification 31 | Driver: Driver Load 32 | Driver: Driver Metadata 33 | File: File Access 34 | File: File Creation 35 | File: File Deletion 36 | File: File Metadata 37 | File: File Modification 38 | Firewall: Firewall Disable 39 | Firewall: Firewall Enumeration 40 | Firewall: Firewall Metadata 41 | Firewall: Firewall Rule Modification 42 | Firmware: Firmware Modification 43 | Group: Group Enumeration 44 | Group: Group Metadata 45 | Group: Group Modification 46 | Image: Image Creation 47 | Image: Image Deletion 48 | Image: Image Metadata 49 | Image: Image Modification 50 | Instance: Instance Creation 51 | Instance: Instance Deletion 52 | Instance: Instance Enumeration 53 | Instance: Instance Metadata 54 | Instance: Instance Modification 55 | Instance: Instance Start 56 | Instance: Instance Stop 57 | Internet Scan: Response Content 58 | Internet Scan: Response Metadata 59 | Kernel: Kernel Module Load 60 | Logon Session: Logon Session Creation 61 | Logon Session: Logon Session Metadata 62 | Malware Repository: Malware Content 63 | Malware Repository: Malware Metadata 64 | Module: Module Load 65 | Named Pipe: Named Pipe Metadata 66 | Network Share: Network Share Access 67 | Network Traffic: Network Connection Creation 68 | Network Traffic: Network Traffic Content 69 | Network Traffic: Network Traffic Flow 70 | Persona: Social Media 71 | Pod: Pod Creation 72 | Pod: Pod Enumeration 73 | Pod: Pod Metadata 74 | Pod: Pod Modification 75 | Process: OS API Execution 76 | Process: Process Access 77 | Process: Process Creation 78 | Process: Process Metadata 79 | Process: Process Modification 80 | Process: Process Termination 81 | Scheduled Job: Scheduled Job Creation 82 | Scheduled Job: Scheduled Job Metadata 83 | Scheduled Job: Scheduled Job Modification 84 | Script: Script Execution 85 | Sensor Health: Host Status 86 | Service: 
Service Creation 87 | Service: Service Metadata 88 | Service: Service Modification 89 | Snapshot: Snapshot Creation 90 | Snapshot: Snapshot Deletion 91 | Snapshot: Snapshot Enumeration 92 | Snapshot: Snapshot Metadata 93 | Snapshot: Snapshot Modification 94 | User Account: User Account Authentication 95 | User Account: User Account Creation 96 | User Account: User Account Deletion 97 | User Account: User Account Metadata 98 | User Account: User Account Modification 99 | Volume: Volume Creation 100 | Volume: Volume Deletion 101 | Volume: Volume Enumeration 102 | Volume: Volume Metadata 103 | Volume: Volume Modification 104 | WMI: WMI Creation 105 | Web Credential: Web Credential Creation 106 | Web Credential: Web Credential Usage 107 | Windows Registry: Windows Registry Key Access 108 | Windows Registry: Windows Registry Key Creation 109 | Windows Registry: Windows Registry Key Deletion 110 | Windows Registry: Windows Registry Key Modification 111 | -------------------------------------------------------------------------------- /20220307/tactics.csv: -------------------------------------------------------------------------------- 1 | name,technique,technique_id,technique_name 2 | collection,T1005,T1005,Data from Local System (T1005) 3 | collection,T1025,T1025,Data from Removable Media (T1025) 4 | collection,T1039,T1039,Data from Network Shared Drive (T1039) 5 | collection,T1056,T1056,Input Capture (T1056) 6 | collection,T1056,T1056.001,Keylogging (T1056.001) 7 | collection,T1056,T1056.002,GUI Input Capture (T1056.002) 8 | collection,T1056,T1056.003,Web Portal Capture (T1056.003) 9 | collection,T1056,T1056.004,Credential API Hooking (T1056.004) 10 | collection,T1074,T1074,Data Staged (T1074) 11 | collection,T1074,T1074.001,Local Data Staging (T1074.001) 12 | collection,T1074,T1074.002,Remote Data Staging (T1074.002) 13 | collection,T1113,T1113,Screen Capture (T1113) 14 | collection,T1114,T1114,Email Collection (T1114) 15 | collection,T1114,T1114.001,Local Email 
Collection (T1114.001) 16 | collection,T1114,T1114.002,Remote Email Collection (T1114.002) 17 | collection,T1114,T1114.003,Email Forwarding Rule (T1114.003) 18 | collection,T1115,T1115,Clipboard Data (T1115) 19 | collection,T1119,T1119,Automated Collection (T1119) 20 | collection,T1123,T1123,Audio Capture (T1123) 21 | collection,T1125,T1125,Video Capture (T1125) 22 | collection,T1185,T1185,Browser Session Hijacking (T1185) 23 | collection,T1213,T1213,Data from Information Repositories (T1213) 24 | collection,T1213,T1213.001,Confluence (T1213.001) 25 | collection,T1213,T1213.002,Sharepoint (T1213.002) 26 | collection,T1213,T1213.003,Code Repositories (T1213.003) 27 | collection,T1530,T1530,Data from Cloud Storage Object (T1530) 28 | collection,T1557,T1557,Adversary-in-the-Middle (T1557) 29 | collection,T1557,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) 30 | collection,T1557,T1557.002,ARP Cache Poisoning (T1557.002) 31 | collection,T1560,T1560,Archive Collected Data (T1560) 32 | collection,T1560,T1560.001,Archive via Utility (T1560.001) 33 | collection,T1560,T1560.002,Archive via Library (T1560.002) 34 | collection,T1560,T1560.003,Archive via Custom Method (T1560.003) 35 | collection,T1602,T1602,Data from Configuration Repository (T1602) 36 | collection,T1602,T1602.001,SNMP (MIB Dump) (T1602.001) 37 | collection,T1602,T1602.002,Network Device Configuration Dump (T1602.002) 38 | command-and-control,T1001,T1001,Data Obfuscation (T1001) 39 | command-and-control,T1001,T1001.001,Junk Data (T1001.001) 40 | command-and-control,T1001,T1001.002,Steganography (T1001.002) 41 | command-and-control,T1001,T1001.003,Protocol Impersonation (T1001.003) 42 | command-and-control,T1008,T1008,Fallback Channels (T1008) 43 | command-and-control,T1026,T1026,Multiband Communication (T1026) 44 | command-and-control,T1043,T1043,Commonly Used Port (T1043) 45 | command-and-control,T1071,T1071,Application Layer Protocol (T1071) 46 | command-and-control,T1071,T1071.001,Web Protocols 
(T1071.001) 47 | command-and-control,T1071,T1071.002,File Transfer Protocols (T1071.002) 48 | command-and-control,T1071,T1071.003,Mail Protocols (T1071.003) 49 | command-and-control,T1071,T1071.004,DNS (T1071.004) 50 | command-and-control,T1090,T1090,Proxy (T1090) 51 | command-and-control,T1090,T1090.001,Internal Proxy (T1090.001) 52 | command-and-control,T1090,T1090.002,External Proxy (T1090.002) 53 | command-and-control,T1090,T1090.003,Multi-hop Proxy (T1090.003) 54 | command-and-control,T1090,T1090.004,Domain Fronting (T1090.004) 55 | command-and-control,T1092,T1092,Communication Through Removable Media (T1092) 56 | command-and-control,T1095,T1095,Non-Application Layer Protocol (T1095) 57 | command-and-control,T1102,T1102,Web Service (T1102) 58 | command-and-control,T1102,T1102.001,Dead Drop Resolver (T1102.001) 59 | command-and-control,T1102,T1102.002,Bidirectional Communication (T1102.002) 60 | command-and-control,T1102,T1102.003,One-Way Communication (T1102.003) 61 | command-and-control,T1104,T1104,Multi-Stage Channels (T1104) 62 | command-and-control,T1105,T1105,Ingress Tool Transfer (T1105) 63 | command-and-control,T1132,T1132,Data Encoding (T1132) 64 | command-and-control,T1132,T1132.001,Standard Encoding (T1132.001) 65 | command-and-control,T1132,T1132.002,Non-Standard Encoding (T1132.002) 66 | command-and-control,T1205,T1205,Traffic Signaling (T1205) 67 | command-and-control,T1205,T1205.001,Port Knocking (T1205.001) 68 | command-and-control,T1219,T1219,Remote Access Software (T1219) 69 | command-and-control,T1568,T1568,Dynamic Resolution (T1568) 70 | command-and-control,T1568,T1568.001,Fast Flux DNS (T1568.001) 71 | command-and-control,T1568,T1568.002,Domain Generation Algorithms (T1568.002) 72 | command-and-control,T1568,T1568.003,DNS Calculation (T1568.003) 73 | command-and-control,T1571,T1571,Non-Standard Port (T1571) 74 | command-and-control,T1572,T1572,Protocol Tunneling (T1572) 75 | command-and-control,T1573,T1573,Encrypted Channel (T1573) 76 | 
command-and-control,T1573,T1573.001,Symmetric Cryptography (T1573.001) 77 | command-and-control,T1573,T1573.002,Asymmetric Cryptography (T1573.002) 78 | credential-access,T1003,T1003,OS Credential Dumping (T1003) 79 | credential-access,T1003,T1003.001,LSASS Memory (T1003.001) 80 | credential-access,T1003,T1003.002,Security Account Manager (T1003.002) 81 | credential-access,T1003,T1003.003,NTDS (T1003.003) 82 | credential-access,T1003,T1003.004,LSA Secrets (T1003.004) 83 | credential-access,T1003,T1003.005,Cached Domain Credentials (T1003.005) 84 | credential-access,T1003,T1003.006,DCSync (T1003.006) 85 | credential-access,T1003,T1003.007,Proc Filesystem (T1003.007) 86 | credential-access,T1003,T1003.008,/etc/passwd and /etc/shadow (T1003.008) 87 | credential-access,T1040,T1040,Network Sniffing (T1040) 88 | credential-access,T1056,T1056,Input Capture (T1056) 89 | credential-access,T1056,T1056.001,Keylogging (T1056.001) 90 | credential-access,T1056,T1056.002,GUI Input Capture (T1056.002) 91 | credential-access,T1056,T1056.003,Web Portal Capture (T1056.003) 92 | credential-access,T1056,T1056.004,Credential API Hooking (T1056.004) 93 | credential-access,T1110,T1110,Brute Force (T1110) 94 | credential-access,T1110,T1110.001,Password Guessing (T1110.001) 95 | credential-access,T1110,T1110.002,Password Cracking (T1110.002) 96 | credential-access,T1110,T1110.003,Password Spraying (T1110.003) 97 | credential-access,T1110,T1110.004,Credential Stuffing (T1110.004) 98 | credential-access,T1111,T1111,Two-Factor Authentication Interception (T1111) 99 | credential-access,T1187,T1187,Forced Authentication (T1187) 100 | credential-access,T1212,T1212,Exploitation for Credential Access (T1212) 101 | credential-access,T1528,T1528,Steal Application Access Token (T1528) 102 | credential-access,T1539,T1539,Steal Web Session Cookie (T1539) 103 | credential-access,T1552,T1552,Unsecured Credentials (T1552) 104 | credential-access,T1552,T1552.001,Credentials In Files (T1552.001) 105 | 
credential-access,T1552,T1552.002,Credentials in Registry (T1552.002) 106 | credential-access,T1552,T1552.003,Bash History (T1552.003) 107 | credential-access,T1552,T1552.004,Private Keys (T1552.004) 108 | credential-access,T1552,T1552.005,Cloud Instance Metadata API (T1552.005) 109 | credential-access,T1552,T1552.006,Group Policy Preferences (T1552.006) 110 | credential-access,T1552,T1552.007,Container API (T1552.007) 111 | credential-access,T1555,T1555,Credentials from Password Stores (T1555) 112 | credential-access,T1555,T1555.001,Keychain (T1555.001) 113 | credential-access,T1555,T1555.002,Securityd Memory (T1555.002) 114 | credential-access,T1555,T1555.003,Credentials from Web Browsers (T1555.003) 115 | credential-access,T1555,T1555.004,Windows Credential Manager (T1555.004) 116 | credential-access,T1555,T1555.005,Password Managers (T1555.005) 117 | credential-access,T1556,T1556,Modify Authentication Process (T1556) 118 | credential-access,T1556,T1556.001,Domain Controller Authentication (T1556.001) 119 | credential-access,T1556,T1556.002,Password Filter DLL (T1556.002) 120 | credential-access,T1556,T1556.003,Pluggable Authentication Modules (T1556.003) 121 | credential-access,T1556,T1556.004,Network Device Authentication (T1556.004) 122 | credential-access,T1557,T1557,Adversary-in-the-Middle (T1557) 123 | credential-access,T1557,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) 124 | credential-access,T1557,T1557.002,ARP Cache Poisoning (T1557.002) 125 | credential-access,T1558,T1558,Steal or Forge Kerberos Tickets (T1558) 126 | credential-access,T1558,T1558.001,Golden Ticket (T1558.001) 127 | credential-access,T1558,T1558.002,Silver Ticket (T1558.002) 128 | credential-access,T1558,T1558.003,Kerberoasting (T1558.003) 129 | credential-access,T1558,T1558.004,AS-REP Roasting (T1558.004) 130 | credential-access,T1606,T1606,Forge Web Credentials (T1606) 131 | credential-access,T1606,T1606.001,Web Cookies (T1606.001) 132 | 
credential-access,T1606,T1606.002,SAML Tokens (T1606.002) 133 | defense-evasion,T1006,T1006,Direct Volume Access (T1006) 134 | defense-evasion,T1014,T1014,Rootkit (T1014) 135 | defense-evasion,T1027,T1027,Obfuscated Files or Information (T1027) 136 | defense-evasion,T1027,T1027.001,Binary Padding (T1027.001) 137 | defense-evasion,T1027,T1027.002,Software Packing (T1027.002) 138 | defense-evasion,T1027,T1027.003,Steganography (T1027.003) 139 | defense-evasion,T1027,T1027.004,Compile After Delivery (T1027.004) 140 | defense-evasion,T1027,T1027.005,Indicator Removal from Tools (T1027.005) 141 | defense-evasion,T1027,T1027.006,HTML Smuggling (T1027.006) 142 | defense-evasion,T1036,T1036,Masquerading (T1036) 143 | defense-evasion,T1036,T1036.001,Invalid Code Signature (T1036.001) 144 | defense-evasion,T1036,T1036.002,Right-to-Left Override (T1036.002) 145 | defense-evasion,T1036,T1036.003,Rename System Utilities (T1036.003) 146 | defense-evasion,T1036,T1036.004,Masquerade Task or Service (T1036.004) 147 | defense-evasion,T1036,T1036.005,Match Legitimate Name or Location (T1036.005) 148 | defense-evasion,T1036,T1036.006,Space after Filename (T1036.006) 149 | defense-evasion,T1036,T1036.007,Double File Extension (T1036.007) 150 | defense-evasion,T1055,T1055,Process Injection (T1055) 151 | defense-evasion,T1055,T1055.001,Dynamic-link Library Injection (T1055.001) 152 | defense-evasion,T1055,T1055.002,Portable Executable Injection (T1055.002) 153 | defense-evasion,T1055,T1055.003,Thread Execution Hijacking (T1055.003) 154 | defense-evasion,T1055,T1055.004,Asynchronous Procedure Call (T1055.004) 155 | defense-evasion,T1055,T1055.005,Thread Local Storage (T1055.005) 156 | defense-evasion,T1055,T1055.008,Ptrace System Calls (T1055.008) 157 | defense-evasion,T1055,T1055.009,Proc Memory (T1055.009) 158 | defense-evasion,T1055,T1055.011,Extra Window Memory Injection (T1055.011) 159 | defense-evasion,T1055,T1055.012,Process Hollowing (T1055.012) 160 | 
defense-evasion,T1055,T1055.013,Process Doppelgänging (T1055.013) 161 | defense-evasion,T1055,T1055.014,VDSO Hijacking (T1055.014) 162 | defense-evasion,T1064,T1064,Scripting (T1064) 163 | defense-evasion,T1070,T1070,Indicator Removal on Host (T1070) 164 | defense-evasion,T1070,T1070.001,Clear Windows Event Logs (T1070.001) 165 | defense-evasion,T1070,T1070.002,Clear Linux or Mac System Logs (T1070.002) 166 | defense-evasion,T1070,T1070.003,Clear Command History (T1070.003) 167 | defense-evasion,T1070,T1070.004,File Deletion (T1070.004) 168 | defense-evasion,T1070,T1070.005,Network Share Connection Removal (T1070.005) 169 | defense-evasion,T1070,T1070.006,Timestomp (T1070.006) 170 | defense-evasion,T1078,T1078,Valid Accounts (T1078) 171 | defense-evasion,T1078,T1078.001,Default Accounts (T1078.001) 172 | defense-evasion,T1078,T1078.002,Domain Accounts (T1078.002) 173 | defense-evasion,T1078,T1078.003,Local Accounts (T1078.003) 174 | defense-evasion,T1078,T1078.004,Cloud Accounts (T1078.004) 175 | defense-evasion,T1108,T1108,Redundant Access (T1108) 176 | defense-evasion,T1112,T1112,Modify Registry (T1112) 177 | defense-evasion,T1127,T1127,Trusted Developer Utilities Proxy Execution (T1127) 178 | defense-evasion,T1127,T1127.001,MSBuild (T1127.001) 179 | defense-evasion,T1134,T1134,Access Token Manipulation (T1134) 180 | defense-evasion,T1134,T1134.001,Token Impersonation/Theft (T1134.001) 181 | defense-evasion,T1134,T1134.002,Create Process with Token (T1134.002) 182 | defense-evasion,T1134,T1134.003,Make and Impersonate Token (T1134.003) 183 | defense-evasion,T1134,T1134.004,Parent PID Spoofing (T1134.004) 184 | defense-evasion,T1134,T1134.005,SID-History Injection (T1134.005) 185 | defense-evasion,T1140,T1140,Deobfuscate/Decode Files or Information (T1140) 186 | defense-evasion,T1149,T1149,LC_MAIN Hijacking (T1149) 187 | defense-evasion,T1197,T1197,BITS Jobs (T1197) 188 | defense-evasion,T1202,T1202,Indirect Command Execution (T1202) 189 | 
defense-evasion,T1205,T1205,Traffic Signaling (T1205) 190 | defense-evasion,T1205,T1205.001,Port Knocking (T1205.001) 191 | defense-evasion,T1207,T1207,Rogue Domain Controller (T1207) 192 | defense-evasion,T1211,T1211,Exploitation for Defense Evasion (T1211) 193 | defense-evasion,T1216,T1216,Signed Script Proxy Execution (T1216) 194 | defense-evasion,T1216,T1216.001,PubPrn (T1216.001) 195 | defense-evasion,T1218,T1218,Signed Binary Proxy Execution (T1218) 196 | defense-evasion,T1218,T1218.001,Compiled HTML File (T1218.001) 197 | defense-evasion,T1218,T1218.002,Control Panel (T1218.002) 198 | defense-evasion,T1218,T1218.003,CMSTP (T1218.003) 199 | defense-evasion,T1218,T1218.004,InstallUtil (T1218.004) 200 | defense-evasion,T1218,T1218.005,Mshta (T1218.005) 201 | defense-evasion,T1218,T1218.007,Msiexec (T1218.007) 202 | defense-evasion,T1218,T1218.008,Odbcconf (T1218.008) 203 | defense-evasion,T1218,T1218.009,Regsvcs/Regasm (T1218.009) 204 | defense-evasion,T1218,T1218.010,Regsvr32 (T1218.010) 205 | defense-evasion,T1218,T1218.011,Rundll32 (T1218.011) 206 | defense-evasion,T1218,T1218.012,Verclsid (T1218.012) 207 | defense-evasion,T1218,T1218.013,Mavinject (T1218.013) 208 | defense-evasion,T1218,T1218.014,MMC (T1218.014) 209 | defense-evasion,T1220,T1220,XSL Script Processing (T1220) 210 | defense-evasion,T1221,T1221,Template Injection (T1221) 211 | defense-evasion,T1222,T1222,File and Directory Permissions Modification (T1222) 212 | defense-evasion,T1222,T1222.001,Windows File and Directory Permissions Modification (T1222.001) 213 | defense-evasion,T1222,T1222.002,Linux and Mac File and Directory Permissions Modification (T1222.002) 214 | defense-evasion,T1480,T1480,Execution Guardrails (T1480) 215 | defense-evasion,T1480,T1480.001,Environmental Keying (T1480.001) 216 | defense-evasion,T1484,T1484,Domain Policy Modification (T1484) 217 | defense-evasion,T1484,T1484.001,Group Policy Modification (T1484.001) 218 | defense-evasion,T1484,T1484.002,Domain Trust 
Modification (T1484.002) 219 | defense-evasion,T1497,T1497,Virtualization/Sandbox Evasion (T1497) 220 | defense-evasion,T1497,T1497.001,System Checks (T1497.001) 221 | defense-evasion,T1497,T1497.002,User Activity Based Checks (T1497.002) 222 | defense-evasion,T1497,T1497.003,Time Based Evasion (T1497.003) 223 | defense-evasion,T1535,T1535,Unused/Unsupported Cloud Regions (T1535) 224 | defense-evasion,T1542,T1542,Pre-OS Boot (T1542) 225 | defense-evasion,T1542,T1542.001,System Firmware (T1542.001) 226 | defense-evasion,T1542,T1542.002,Component Firmware (T1542.002) 227 | defense-evasion,T1542,T1542.003,Bootkit (T1542.003) 228 | defense-evasion,T1542,T1542.004,ROMMONkit (T1542.004) 229 | defense-evasion,T1542,T1542.005,TFTP Boot (T1542.005) 230 | defense-evasion,T1548,T1548,Abuse Elevation Control Mechanism (T1548) 231 | defense-evasion,T1548,T1548.001,Setuid and Setgid (T1548.001) 232 | defense-evasion,T1548,T1548.002,Bypass User Account Control (T1548.002) 233 | defense-evasion,T1548,T1548.003,Sudo and Sudo Caching (T1548.003) 234 | defense-evasion,T1548,T1548.004,Elevated Execution with Prompt (T1548.004) 235 | defense-evasion,T1550,T1550,Use Alternate Authentication Material (T1550) 236 | defense-evasion,T1550,T1550.001,Application Access Token (T1550.001) 237 | defense-evasion,T1550,T1550.002,Pass the Hash (T1550.002) 238 | defense-evasion,T1550,T1550.003,Pass the Ticket (T1550.003) 239 | defense-evasion,T1550,T1550.004,Web Session Cookie (T1550.004) 240 | defense-evasion,T1553,T1553,Subvert Trust Controls (T1553) 241 | defense-evasion,T1553,T1553.001,Gatekeeper Bypass (T1553.001) 242 | defense-evasion,T1553,T1553.002,Code Signing (T1553.002) 243 | defense-evasion,T1553,T1553.003,SIP and Trust Provider Hijacking (T1553.003) 244 | defense-evasion,T1553,T1553.004,Install Root Certificate (T1553.004) 245 | defense-evasion,T1553,T1553.005,Mark-of-the-Web Bypass (T1553.005) 246 | defense-evasion,T1553,T1553.006,Code Signing Policy Modification (T1553.006) 247 | 
defense-evasion,T1556,T1556,Modify Authentication Process (T1556) 248 | defense-evasion,T1556,T1556.001,Domain Controller Authentication (T1556.001) 249 | defense-evasion,T1556,T1556.002,Password Filter DLL (T1556.002) 250 | defense-evasion,T1556,T1556.003,Pluggable Authentication Modules (T1556.003) 251 | defense-evasion,T1556,T1556.004,Network Device Authentication (T1556.004) 252 | defense-evasion,T1562,T1562,Impair Defenses (T1562) 253 | defense-evasion,T1562,T1562.001,Disable or Modify Tools (T1562.001) 254 | defense-evasion,T1562,T1562.002,Disable Windows Event Logging (T1562.002) 255 | defense-evasion,T1562,T1562.003,Impair Command History Logging (T1562.003) 256 | defense-evasion,T1562,T1562.004,Disable or Modify System Firewall (T1562.004) 257 | defense-evasion,T1562,T1562.006,Indicator Blocking (T1562.006) 258 | defense-evasion,T1562,T1562.007,Disable or Modify Cloud Firewall (T1562.007) 259 | defense-evasion,T1562,T1562.008,Disable Cloud Logs (T1562.008) 260 | defense-evasion,T1562,T1562.009,Safe Mode Boot (T1562.009) 261 | defense-evasion,T1562,T1562.010,Downgrade Attack (T1562.010) 262 | defense-evasion,T1564,T1564,Hide Artifacts (T1564) 263 | defense-evasion,T1564,T1564.001,Hidden Files and Directories (T1564.001) 264 | defense-evasion,T1564,T1564.002,Hidden Users (T1564.002) 265 | defense-evasion,T1564,T1564.003,Hidden Window (T1564.003) 266 | defense-evasion,T1564,T1564.004,NTFS File Attributes (T1564.004) 267 | defense-evasion,T1564,T1564.005,Hidden File System (T1564.005) 268 | defense-evasion,T1564,T1564.006,Run Virtual Instance (T1564.006) 269 | defense-evasion,T1564,T1564.007,VBA Stomping (T1564.007) 270 | defense-evasion,T1564,T1564.008,Email Hiding Rules (T1564.008) 271 | defense-evasion,T1564,T1564.009,Resource Forking (T1564.009) 272 | defense-evasion,T1574,T1574,Hijack Execution Flow (T1574) 273 | defense-evasion,T1574,T1574.001,DLL Search Order Hijacking (T1574.001) 274 | defense-evasion,T1574,T1574.002,DLL Side-Loading (T1574.002) 275 | 
defense-evasion,T1574,T1574.004,Dylib Hijacking (T1574.004) 276 | defense-evasion,T1574,T1574.005,Executable Installer File Permissions Weakness (T1574.005) 277 | defense-evasion,T1574,T1574.006,Dynamic Linker Hijacking (T1574.006) 278 | defense-evasion,T1574,T1574.007,Path Interception by PATH Environment Variable (T1574.007) 279 | defense-evasion,T1574,T1574.008,Path Interception by Search Order Hijacking (T1574.008) 280 | defense-evasion,T1574,T1574.009,Path Interception by Unquoted Path (T1574.009) 281 | defense-evasion,T1574,T1574.010,Services File Permissions Weakness (T1574.010) 282 | defense-evasion,T1574,T1574.011,Services Registry Permissions Weakness (T1574.011) 283 | defense-evasion,T1574,T1574.012,COR_PROFILER (T1574.012) 284 | defense-evasion,T1578,T1578,Modify Cloud Compute Infrastructure (T1578) 285 | defense-evasion,T1578,T1578.001,Create Snapshot (T1578.001) 286 | defense-evasion,T1578,T1578.002,Create Cloud Instance (T1578.002) 287 | defense-evasion,T1578,T1578.003,Delete Cloud Instance (T1578.003) 288 | defense-evasion,T1578,T1578.004,Revert Cloud Instance (T1578.004) 289 | defense-evasion,T1599,T1599,Network Boundary Bridging (T1599) 290 | defense-evasion,T1599,T1599.001,Network Address Translation Traversal (T1599.001) 291 | defense-evasion,T1600,T1600,Weaken Encryption (T1600) 292 | defense-evasion,T1600,T1600.001,Reduce Key Space (T1600.001) 293 | defense-evasion,T1600,T1600.002,Disable Crypto Hardware (T1600.002) 294 | defense-evasion,T1601,T1601,Modify System Image (T1601) 295 | defense-evasion,T1601,T1601.001,Patch System Image (T1601.001) 296 | defense-evasion,T1601,T1601.002,Downgrade System Image (T1601.002) 297 | defense-evasion,T1610,T1610,Deploy Container (T1610) 298 | defense-evasion,T1612,T1612,Build Image on Host (T1612) 299 | defense-evasion,T1620,T1620,Reflective Code Loading (T1620) 300 | discovery,T1007,T1007,System Service Discovery (T1007) 301 | discovery,T1010,T1010,Application Window Discovery (T1010) 302 | 
discovery,T1012,T1012,Query Registry (T1012) 303 | discovery,T1016,T1016,System Network Configuration Discovery (T1016) 304 | discovery,T1016,T1016.001,Internet Connection Discovery (T1016.001) 305 | discovery,T1018,T1018,Remote System Discovery (T1018) 306 | discovery,T1033,T1033,System Owner/User Discovery (T1033) 307 | discovery,T1040,T1040,Network Sniffing (T1040) 308 | discovery,T1046,T1046,Network Service Scanning (T1046) 309 | discovery,T1049,T1049,System Network Connections Discovery (T1049) 310 | discovery,T1057,T1057,Process Discovery (T1057) 311 | discovery,T1069,T1069,Permission Groups Discovery (T1069) 312 | discovery,T1069,T1069.001,Local Groups (T1069.001) 313 | discovery,T1069,T1069.002,Domain Groups (T1069.002) 314 | discovery,T1069,T1069.003,Cloud Groups (T1069.003) 315 | discovery,T1082,T1082,System Information Discovery (T1082) 316 | discovery,T1083,T1083,File and Directory Discovery (T1083) 317 | discovery,T1087,T1087,Account Discovery (T1087) 318 | discovery,T1087,T1087.001,Local Account (T1087.001) 319 | discovery,T1087,T1087.002,Domain Account (T1087.002) 320 | discovery,T1087,T1087.003,Email Account (T1087.003) 321 | discovery,T1087,T1087.004,Cloud Account (T1087.004) 322 | discovery,T1120,T1120,Peripheral Device Discovery (T1120) 323 | discovery,T1124,T1124,System Time Discovery (T1124) 324 | discovery,T1135,T1135,Network Share Discovery (T1135) 325 | discovery,T1201,T1201,Password Policy Discovery (T1201) 326 | discovery,T1217,T1217,Browser Bookmark Discovery (T1217) 327 | discovery,T1482,T1482,Domain Trust Discovery (T1482) 328 | discovery,T1497,T1497,Virtualization/Sandbox Evasion (T1497) 329 | discovery,T1497,T1497.001,System Checks (T1497.001) 330 | discovery,T1497,T1497.002,User Activity Based Checks (T1497.002) 331 | discovery,T1497,T1497.003,Time Based Evasion (T1497.003) 332 | discovery,T1518,T1518,Software Discovery (T1518) 333 | discovery,T1518,T1518.001,Security Software Discovery (T1518.001) 334 | discovery,T1526,T1526,Cloud 
Service Discovery (T1526) 335 | discovery,T1538,T1538,Cloud Service Dashboard (T1538) 336 | discovery,T1580,T1580,Cloud Infrastructure Discovery (T1580) 337 | discovery,T1613,T1613,Container and Resource Discovery (T1613) 338 | discovery,T1614,T1614,System Location Discovery (T1614) 339 | discovery,T1614,T1614.001,System Language Discovery (T1614.001) 340 | discovery,T1615,T1615,Group Policy Discovery (T1615) 341 | discovery,T1619,T1619,Cloud Storage Object Discovery (T1619) 342 | execution,T1047,T1047,Windows Management Instrumentation (T1047) 343 | execution,T1053,T1053,Scheduled Task/Job (T1053) 344 | execution,T1053,T1053.001,At (Linux) (T1053.001) 345 | execution,T1053,T1053.002,At (Windows) (T1053.002) 346 | execution,T1053,T1053.003,Cron (T1053.003) 347 | execution,T1053,T1053.004,Launchd (T1053.004) 348 | execution,T1053,T1053.005,Scheduled Task (T1053.005) 349 | execution,T1053,T1053.006,Systemd Timers (T1053.006) 350 | execution,T1053,T1053.007,Container Orchestration Job (T1053.007) 351 | execution,T1059,T1059,Command and Scripting Interpreter (T1059) 352 | execution,T1059,T1059.001,PowerShell (T1059.001) 353 | execution,T1059,T1059.002,AppleScript (T1059.002) 354 | execution,T1059,T1059.003,Windows Command Shell (T1059.003) 355 | execution,T1059,T1059.004,Unix Shell (T1059.004) 356 | execution,T1059,T1059.005,Visual Basic (T1059.005) 357 | execution,T1059,T1059.006,Python (T1059.006) 358 | execution,T1059,T1059.007,JavaScript (T1059.007) 359 | execution,T1059,T1059.008,Network Device CLI (T1059.008) 360 | execution,T1061,T1061,Graphical User Interface (T1061) 361 | execution,T1064,T1064,Scripting (T1064) 362 | execution,T1072,T1072,Software Deployment Tools (T1072) 363 | execution,T1106,T1106,Native API (T1106) 364 | execution,T1129,T1129,Shared Modules (T1129) 365 | execution,T1153,T1153,Source (T1153) 366 | execution,T1175,T1175,Component Object Model and Distributed COM (T1175) 367 | execution,T1203,T1203,Exploitation for Client Execution (T1203) 368 
| execution,T1204,T1204,User Execution (T1204) 369 | execution,T1204,T1204.001,Malicious Link (T1204.001) 370 | execution,T1204,T1204.002,Malicious File (T1204.002) 371 | execution,T1204,T1204.003,Malicious Image (T1204.003) 372 | execution,T1559,T1559,Inter-Process Communication (T1559) 373 | execution,T1559,T1559.001,Component Object Model (T1559.001) 374 | execution,T1559,T1559.002,Dynamic Data Exchange (T1559.002) 375 | execution,T1569,T1569,System Services (T1569) 376 | execution,T1569,T1569.001,Launchctl (T1569.001) 377 | execution,T1569,T1569.002,Service Execution (T1569.002) 378 | execution,T1609,T1609,Container Administration Command (T1609) 379 | execution,T1610,T1610,Deploy Container (T1610) 380 | exfiltration,T1011,T1011,Exfiltration Over Other Network Medium (T1011) 381 | exfiltration,T1011,T1011.001,Exfiltration Over Bluetooth (T1011.001) 382 | exfiltration,T1020,T1020,Automated Exfiltration (T1020) 383 | exfiltration,T1020,T1020.001,Traffic Duplication (T1020.001) 384 | exfiltration,T1029,T1029,Scheduled Transfer (T1029) 385 | exfiltration,T1030,T1030,Data Transfer Size Limits (T1030) 386 | exfiltration,T1041,T1041,Exfiltration Over C2 Channel (T1041) 387 | exfiltration,T1048,T1048,Exfiltration Over Alternative Protocol (T1048) 388 | exfiltration,T1048,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001) 389 | exfiltration,T1048,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002) 390 | exfiltration,T1048,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) 391 | exfiltration,T1052,T1052,Exfiltration Over Physical Medium (T1052) 392 | exfiltration,T1052,T1052.001,Exfiltration over USB (T1052.001) 393 | exfiltration,T1537,T1537,Transfer Data to Cloud Account (T1537) 394 | exfiltration,T1567,T1567,Exfiltration Over Web Service (T1567) 395 | exfiltration,T1567,T1567.001,Exfiltration to Code Repository (T1567.001) 396 | exfiltration,T1567,T1567.002,Exfiltration to Cloud Storage 
(T1567.002) 397 | impact,T1485,T1485,Data Destruction (T1485) 398 | impact,T1486,T1486,Data Encrypted for Impact (T1486) 399 | impact,T1489,T1489,Service Stop (T1489) 400 | impact,T1490,T1490,Inhibit System Recovery (T1490) 401 | impact,T1491,T1491,Defacement (T1491) 402 | impact,T1491,T1491.001,Internal Defacement (T1491.001) 403 | impact,T1491,T1491.002,External Defacement (T1491.002) 404 | impact,T1495,T1495,Firmware Corruption (T1495) 405 | impact,T1496,T1496,Resource Hijacking (T1496) 406 | impact,T1498,T1498,Network Denial of Service (T1498) 407 | impact,T1498,T1498.001,Direct Network Flood (T1498.001) 408 | impact,T1498,T1498.002,Reflection Amplification (T1498.002) 409 | impact,T1499,T1499,Endpoint Denial of Service (T1499) 410 | impact,T1499,T1499.001,OS Exhaustion Flood (T1499.001) 411 | impact,T1499,T1499.002,Service Exhaustion Flood (T1499.002) 412 | impact,T1499,T1499.003,Application Exhaustion Flood (T1499.003) 413 | impact,T1499,T1499.004,Application or System Exploitation (T1499.004) 414 | impact,T1529,T1529,System Shutdown/Reboot (T1529) 415 | impact,T1531,T1531,Account Access Removal (T1531) 416 | impact,T1561,T1561,Disk Wipe (T1561) 417 | impact,T1561,T1561.001,Disk Content Wipe (T1561.001) 418 | impact,T1561,T1561.002,Disk Structure Wipe (T1561.002) 419 | impact,T1565,T1565,Data Manipulation (T1565) 420 | impact,T1565,T1565.001,Stored Data Manipulation (T1565.001) 421 | impact,T1565,T1565.002,Transmitted Data Manipulation (T1565.002) 422 | impact,T1565,T1565.003,Runtime Data Manipulation (T1565.003) 423 | initial-access,T1078,T1078,Valid Accounts (T1078) 424 | initial-access,T1078,T1078.001,Default Accounts (T1078.001) 425 | initial-access,T1078,T1078.002,Domain Accounts (T1078.002) 426 | initial-access,T1078,T1078.003,Local Accounts (T1078.003) 427 | initial-access,T1078,T1078.004,Cloud Accounts (T1078.004) 428 | initial-access,T1091,T1091,Replication Through Removable Media (T1091) 429 | initial-access,T1133,T1133,External Remote Services 
(T1133) 430 | initial-access,T1189,T1189,Drive-by Compromise (T1189) 431 | initial-access,T1190,T1190,Exploit Public-Facing Application (T1190) 432 | initial-access,T1195,T1195,Supply Chain Compromise (T1195) 433 | initial-access,T1195,T1195.001,Compromise Software Dependencies and Development Tools (T1195.001) 434 | initial-access,T1195,T1195.002,Compromise Software Supply Chain (T1195.002) 435 | initial-access,T1195,T1195.003,Compromise Hardware Supply Chain (T1195.003) 436 | initial-access,T1199,T1199,Trusted Relationship (T1199) 437 | initial-access,T1200,T1200,Hardware Additions (T1200) 438 | initial-access,T1566,T1566,Phishing (T1566) 439 | initial-access,T1566,T1566.001,Spearphishing Attachment (T1566.001) 440 | initial-access,T1566,T1566.002,Spearphishing Link (T1566.002) 441 | initial-access,T1566,T1566.003,Spearphishing via Service (T1566.003) 442 | lateral-movement,T1021,T1021,Remote Services (T1021) 443 | lateral-movement,T1021,T1021.001,Remote Desktop Protocol (T1021.001) 444 | lateral-movement,T1021,T1021.002,SMB/Windows Admin Shares (T1021.002) 445 | lateral-movement,T1021,T1021.003,Distributed Component Object Model (T1021.003) 446 | lateral-movement,T1021,T1021.004,SSH (T1021.004) 447 | lateral-movement,T1021,T1021.005,VNC (T1021.005) 448 | lateral-movement,T1021,T1021.006,Windows Remote Management (T1021.006) 449 | lateral-movement,T1051,T1051,Shared Webroot (T1051) 450 | lateral-movement,T1072,T1072,Software Deployment Tools (T1072) 451 | lateral-movement,T1080,T1080,Taint Shared Content (T1080) 452 | lateral-movement,T1091,T1091,Replication Through Removable Media (T1091) 453 | lateral-movement,T1175,T1175,Component Object Model and Distributed COM (T1175) 454 | lateral-movement,T1210,T1210,Exploitation of Remote Services (T1210) 455 | lateral-movement,T1534,T1534,Internal Spearphishing (T1534) 456 | lateral-movement,T1550,T1550,Use Alternate Authentication Material (T1550) 457 | lateral-movement,T1550,T1550.001,Application Access Token 
(T1550.001) 458 | lateral-movement,T1550,T1550.002,Pass the Hash (T1550.002) 459 | lateral-movement,T1550,T1550.003,Pass the Ticket (T1550.003) 460 | lateral-movement,T1550,T1550.004,Web Session Cookie (T1550.004) 461 | lateral-movement,T1563,T1563,Remote Service Session Hijacking (T1563) 462 | lateral-movement,T1563,T1563.001,SSH Hijacking (T1563.001) 463 | lateral-movement,T1563,T1563.002,RDP Hijacking (T1563.002) 464 | lateral-movement,T1570,T1570,Lateral Tool Transfer (T1570) 465 | persistence,T1034,T1034,Path Interception (T1034) 466 | persistence,T1037,T1037,Boot or Logon Initialization Scripts (T1037) 467 | persistence,T1037,T1037.001,Logon Script (Windows) (T1037.001) 468 | persistence,T1037,T1037.002,Logon Script (Mac) (T1037.002) 469 | persistence,T1037,T1037.003,Network Logon Script (T1037.003) 470 | persistence,T1037,T1037.004,RC Scripts (T1037.004) 471 | persistence,T1037,T1037.005,Startup Items (T1037.005) 472 | persistence,T1053,T1053,Scheduled Task/Job (T1053) 473 | persistence,T1053,T1053.001,At (Linux) (T1053.001) 474 | persistence,T1053,T1053.002,At (Windows) (T1053.002) 475 | persistence,T1053,T1053.003,Cron (T1053.003) 476 | persistence,T1053,T1053.004,Launchd (T1053.004) 477 | persistence,T1053,T1053.005,Scheduled Task (T1053.005) 478 | persistence,T1053,T1053.006,Systemd Timers (T1053.006) 479 | persistence,T1053,T1053.007,Container Orchestration Job (T1053.007) 480 | persistence,T1062,T1062,Hypervisor (T1062) 481 | persistence,T1078,T1078,Valid Accounts (T1078) 482 | persistence,T1078,T1078.001,Default Accounts (T1078.001) 483 | persistence,T1078,T1078.002,Domain Accounts (T1078.002) 484 | persistence,T1078,T1078.003,Local Accounts (T1078.003) 485 | persistence,T1078,T1078.004,Cloud Accounts (T1078.004) 486 | persistence,T1098,T1098,Account Manipulation (T1098) 487 | persistence,T1098,T1098.001,Additional Cloud Credentials (T1098.001) 488 | persistence,T1098,T1098.002,Exchange Email Delegate Permissions (T1098.002) 489 | 
persistence,T1098,T1098.003,Add Office 365 Global Administrator Role (T1098.003) 490 | persistence,T1098,T1098.004,SSH Authorized Keys (T1098.004) 491 | persistence,T1108,T1108,Redundant Access (T1108) 492 | persistence,T1133,T1133,External Remote Services (T1133) 493 | persistence,T1136,T1136,Create Account (T1136) 494 | persistence,T1136,T1136.001,Local Account (T1136.001) 495 | persistence,T1136,T1136.002,Domain Account (T1136.002) 496 | persistence,T1136,T1136.003,Cloud Account (T1136.003) 497 | persistence,T1137,T1137,Office Application Startup (T1137) 498 | persistence,T1137,T1137.001,Office Template Macros (T1137.001) 499 | persistence,T1137,T1137.002,Office Test (T1137.002) 500 | persistence,T1137,T1137.003,Outlook Forms (T1137.003) 501 | persistence,T1137,T1137.004,Outlook Home Page (T1137.004) 502 | persistence,T1137,T1137.005,Outlook Rules (T1137.005) 503 | persistence,T1137,T1137.006,Add-ins (T1137.006) 504 | persistence,T1176,T1176,Browser Extensions (T1176) 505 | persistence,T1197,T1197,BITS Jobs (T1197) 506 | persistence,T1205,T1205,Traffic Signaling (T1205) 507 | persistence,T1205,T1205.001,Port Knocking (T1205.001) 508 | persistence,T1505,T1505,Server Software Component (T1505) 509 | persistence,T1505,T1505.001,SQL Stored Procedures (T1505.001) 510 | persistence,T1505,T1505.002,Transport Agent (T1505.002) 511 | persistence,T1505,T1505.003,Web Shell (T1505.003) 512 | persistence,T1505,T1505.004,IIS Components (T1505.004) 513 | persistence,T1525,T1525,Implant Internal Image (T1525) 514 | persistence,T1542,T1542,Pre-OS Boot (T1542) 515 | persistence,T1542,T1542.001,System Firmware (T1542.001) 516 | persistence,T1542,T1542.002,Component Firmware (T1542.002) 517 | persistence,T1542,T1542.003,Bootkit (T1542.003) 518 | persistence,T1542,T1542.004,ROMMONkit (T1542.004) 519 | persistence,T1542,T1542.005,TFTP Boot (T1542.005) 520 | persistence,T1543,T1543,Create or Modify System Process (T1543) 521 | persistence,T1543,T1543.001,Launch Agent (T1543.001) 522 | 
persistence,T1543,T1543.002,Systemd Service (T1543.002) 523 | persistence,T1543,T1543.003,Windows Service (T1543.003) 524 | persistence,T1543,T1543.004,Launch Daemon (T1543.004) 525 | persistence,T1546,T1546,Event Triggered Execution (T1546) 526 | persistence,T1546,T1546.001,Change Default File Association (T1546.001) 527 | persistence,T1546,T1546.002,Screensaver (T1546.002) 528 | persistence,T1546,T1546.003,Windows Management Instrumentation Event Subscription (T1546.003) 529 | persistence,T1546,T1546.004,Unix Shell Configuration Modification (T1546.004) 530 | persistence,T1546,T1546.005,Trap (T1546.005) 531 | persistence,T1546,T1546.006,LC_LOAD_DYLIB Addition (T1546.006) 532 | persistence,T1546,T1546.007,Netsh Helper DLL (T1546.007) 533 | persistence,T1546,T1546.008,Accessibility Features (T1546.008) 534 | persistence,T1546,T1546.009,AppCert DLLs (T1546.009) 535 | persistence,T1546,T1546.010,AppInit DLLs (T1546.010) 536 | persistence,T1546,T1546.011,Application Shimming (T1546.011) 537 | persistence,T1546,T1546.012,Image File Execution Options Injection (T1546.012) 538 | persistence,T1546,T1546.013,PowerShell Profile (T1546.013) 539 | persistence,T1546,T1546.014,Emond (T1546.014) 540 | persistence,T1546,T1546.015,Component Object Model Hijacking (T1546.015) 541 | persistence,T1547,T1547,Boot or Logon Autostart Execution (T1547) 542 | persistence,T1547,T1547.001,Registry Run Keys / Startup Folder (T1547.001) 543 | persistence,T1547,T1547.002,Authentication Package (T1547.002) 544 | persistence,T1547,T1547.003,Time Providers (T1547.003) 545 | persistence,T1547,T1547.004,Winlogon Helper DLL (T1547.004) 546 | persistence,T1547,T1547.005,Security Support Provider (T1547.005) 547 | persistence,T1547,T1547.006,Kernel Modules and Extensions (T1547.006) 548 | persistence,T1547,T1547.007,Re-opened Applications (T1547.007) 549 | persistence,T1547,T1547.008,LSASS Driver (T1547.008) 550 | persistence,T1547,T1547.009,Shortcut Modification (T1547.009) 551 | 
persistence,T1547,T1547.010,Port Monitors (T1547.010) 552 | persistence,T1547,T1547.011,Plist Modification (T1547.011) 553 | persistence,T1547,T1547.012,Print Processors (T1547.012) 554 | persistence,T1547,T1547.013,XDG Autostart Entries (T1547.013) 555 | persistence,T1547,T1547.014,Active Setup (T1547.014) 556 | persistence,T1547,T1547.015,Login Items (T1547.015) 557 | persistence,T1554,T1554,Compromise Client Software Binary (T1554) 558 | persistence,T1556,T1556,Modify Authentication Process (T1556) 559 | persistence,T1556,T1556.001,Domain Controller Authentication (T1556.001) 560 | persistence,T1556,T1556.002,Password Filter DLL (T1556.002) 561 | persistence,T1556,T1556.003,Pluggable Authentication Modules (T1556.003) 562 | persistence,T1556,T1556.004,Network Device Authentication (T1556.004) 563 | persistence,T1574,T1574,Hijack Execution Flow (T1574) 564 | persistence,T1574,T1574.001,DLL Search Order Hijacking (T1574.001) 565 | persistence,T1574,T1574.002,DLL Side-Loading (T1574.002) 566 | persistence,T1574,T1574.004,Dylib Hijacking (T1574.004) 567 | persistence,T1574,T1574.005,Executable Installer File Permissions Weakness (T1574.005) 568 | persistence,T1574,T1574.006,Dynamic Linker Hijacking (T1574.006) 569 | persistence,T1574,T1574.007,Path Interception by PATH Environment Variable (T1574.007) 570 | persistence,T1574,T1574.008,Path Interception by Search Order Hijacking (T1574.008) 571 | persistence,T1574,T1574.009,Path Interception by Unquoted Path (T1574.009) 572 | persistence,T1574,T1574.010,Services File Permissions Weakness (T1574.010) 573 | persistence,T1574,T1574.011,Services Registry Permissions Weakness (T1574.011) 574 | persistence,T1574,T1574.012,COR_PROFILER (T1574.012) 575 | privilege-escalation,T1034,T1034,Path Interception (T1034) 576 | privilege-escalation,T1037,T1037,Boot or Logon Initialization Scripts (T1037) 577 | privilege-escalation,T1037,T1037.001,Logon Script (Windows) (T1037.001) 578 | privilege-escalation,T1037,T1037.002,Logon 
Script (Mac) (T1037.002) 579 | privilege-escalation,T1037,T1037.003,Network Logon Script (T1037.003) 580 | privilege-escalation,T1037,T1037.004,RC Scripts (T1037.004) 581 | privilege-escalation,T1037,T1037.005,Startup Items (T1037.005) 582 | privilege-escalation,T1053,T1053,Scheduled Task/Job (T1053) 583 | privilege-escalation,T1053,T1053.001,At (Linux) (T1053.001) 584 | privilege-escalation,T1053,T1053.002,At (Windows) (T1053.002) 585 | privilege-escalation,T1053,T1053.003,Cron (T1053.003) 586 | privilege-escalation,T1053,T1053.004,Launchd (T1053.004) 587 | privilege-escalation,T1053,T1053.005,Scheduled Task (T1053.005) 588 | privilege-escalation,T1053,T1053.006,Systemd Timers (T1053.006) 589 | privilege-escalation,T1053,T1053.007,Container Orchestration Job (T1053.007) 590 | privilege-escalation,T1055,T1055,Process Injection (T1055) 591 | privilege-escalation,T1055,T1055.001,Dynamic-link Library Injection (T1055.001) 592 | privilege-escalation,T1055,T1055.002,Portable Executable Injection (T1055.002) 593 | privilege-escalation,T1055,T1055.003,Thread Execution Hijacking (T1055.003) 594 | privilege-escalation,T1055,T1055.004,Asynchronous Procedure Call (T1055.004) 595 | privilege-escalation,T1055,T1055.005,Thread Local Storage (T1055.005) 596 | privilege-escalation,T1055,T1055.008,Ptrace System Calls (T1055.008) 597 | privilege-escalation,T1055,T1055.009,Proc Memory (T1055.009) 598 | privilege-escalation,T1055,T1055.011,Extra Window Memory Injection (T1055.011) 599 | privilege-escalation,T1055,T1055.012,Process Hollowing (T1055.012) 600 | privilege-escalation,T1055,T1055.013,Process Doppelgänging (T1055.013) 601 | privilege-escalation,T1055,T1055.014,VDSO Hijacking (T1055.014) 602 | privilege-escalation,T1068,T1068,Exploitation for Privilege Escalation (T1068) 603 | privilege-escalation,T1078,T1078,Valid Accounts (T1078) 604 | privilege-escalation,T1078,T1078.001,Default Accounts (T1078.001) 605 | privilege-escalation,T1078,T1078.002,Domain Accounts (T1078.002) 606 
| privilege-escalation,T1078,T1078.003,Local Accounts (T1078.003) 607 | privilege-escalation,T1078,T1078.004,Cloud Accounts (T1078.004) 608 | privilege-escalation,T1134,T1134,Access Token Manipulation (T1134) 609 | privilege-escalation,T1134,T1134.001,Token Impersonation/Theft (T1134.001) 610 | privilege-escalation,T1134,T1134.002,Create Process with Token (T1134.002) 611 | privilege-escalation,T1134,T1134.003,Make and Impersonate Token (T1134.003) 612 | privilege-escalation,T1134,T1134.004,Parent PID Spoofing (T1134.004) 613 | privilege-escalation,T1134,T1134.005,SID-History Injection (T1134.005) 614 | privilege-escalation,T1484,T1484,Domain Policy Modification (T1484) 615 | privilege-escalation,T1484,T1484.001,Group Policy Modification (T1484.001) 616 | privilege-escalation,T1484,T1484.002,Domain Trust Modification (T1484.002) 617 | privilege-escalation,T1543,T1543,Create or Modify System Process (T1543) 618 | privilege-escalation,T1543,T1543.001,Launch Agent (T1543.001) 619 | privilege-escalation,T1543,T1543.002,Systemd Service (T1543.002) 620 | privilege-escalation,T1543,T1543.003,Windows Service (T1543.003) 621 | privilege-escalation,T1543,T1543.004,Launch Daemon (T1543.004) 622 | privilege-escalation,T1546,T1546,Event Triggered Execution (T1546) 623 | privilege-escalation,T1546,T1546.001,Change Default File Association (T1546.001) 624 | privilege-escalation,T1546,T1546.002,Screensaver (T1546.002) 625 | privilege-escalation,T1546,T1546.003,Windows Management Instrumentation Event Subscription (T1546.003) 626 | privilege-escalation,T1546,T1546.004,Unix Shell Configuration Modification (T1546.004) 627 | privilege-escalation,T1546,T1546.005,Trap (T1546.005) 628 | privilege-escalation,T1546,T1546.006,LC_LOAD_DYLIB Addition (T1546.006) 629 | privilege-escalation,T1546,T1546.007,Netsh Helper DLL (T1546.007) 630 | privilege-escalation,T1546,T1546.008,Accessibility Features (T1546.008) 631 | privilege-escalation,T1546,T1546.009,AppCert DLLs (T1546.009) 632 | 
privilege-escalation,T1546,T1546.010,AppInit DLLs (T1546.010) 633 | privilege-escalation,T1546,T1546.011,Application Shimming (T1546.011) 634 | privilege-escalation,T1546,T1546.012,Image File Execution Options Injection (T1546.012) 635 | privilege-escalation,T1546,T1546.013,PowerShell Profile (T1546.013) 636 | privilege-escalation,T1546,T1546.014,Emond (T1546.014) 637 | privilege-escalation,T1546,T1546.015,Component Object Model Hijacking (T1546.015) 638 | privilege-escalation,T1547,T1547,Boot or Logon Autostart Execution (T1547) 639 | privilege-escalation,T1547,T1547.001,Registry Run Keys / Startup Folder (T1547.001) 640 | privilege-escalation,T1547,T1547.002,Authentication Package (T1547.002) 641 | privilege-escalation,T1547,T1547.003,Time Providers (T1547.003) 642 | privilege-escalation,T1547,T1547.004,Winlogon Helper DLL (T1547.004) 643 | privilege-escalation,T1547,T1547.005,Security Support Provider (T1547.005) 644 | privilege-escalation,T1547,T1547.006,Kernel Modules and Extensions (T1547.006) 645 | privilege-escalation,T1547,T1547.007,Re-opened Applications (T1547.007) 646 | privilege-escalation,T1547,T1547.008,LSASS Driver (T1547.008) 647 | privilege-escalation,T1547,T1547.009,Shortcut Modification (T1547.009) 648 | privilege-escalation,T1547,T1547.010,Port Monitors (T1547.010) 649 | privilege-escalation,T1547,T1547.011,Plist Modification (T1547.011) 650 | privilege-escalation,T1547,T1547.012,Print Processors (T1547.012) 651 | privilege-escalation,T1547,T1547.013,XDG Autostart Entries (T1547.013) 652 | privilege-escalation,T1547,T1547.014,Active Setup (T1547.014) 653 | privilege-escalation,T1547,T1547.015,Login Items (T1547.015) 654 | privilege-escalation,T1548,T1548,Abuse Elevation Control Mechanism (T1548) 655 | privilege-escalation,T1548,T1548.001,Setuid and Setgid (T1548.001) 656 | privilege-escalation,T1548,T1548.002,Bypass User Account Control (T1548.002) 657 | privilege-escalation,T1548,T1548.003,Sudo and Sudo Caching (T1548.003) 658 | 
privilege-escalation,T1548,T1548.004,Elevated Execution with Prompt (T1548.004) 659 | privilege-escalation,T1574,T1574,Hijack Execution Flow (T1574) 660 | privilege-escalation,T1574,T1574.001,DLL Search Order Hijacking (T1574.001) 661 | privilege-escalation,T1574,T1574.002,DLL Side-Loading (T1574.002) 662 | privilege-escalation,T1574,T1574.004,Dylib Hijacking (T1574.004) 663 | privilege-escalation,T1574,T1574.005,Executable Installer File Permissions Weakness (T1574.005) 664 | privilege-escalation,T1574,T1574.006,Dynamic Linker Hijacking (T1574.006) 665 | privilege-escalation,T1574,T1574.007,Path Interception by PATH Environment Variable (T1574.007) 666 | privilege-escalation,T1574,T1574.008,Path Interception by Search Order Hijacking (T1574.008) 667 | privilege-escalation,T1574,T1574.009,Path Interception by Unquoted Path (T1574.009) 668 | privilege-escalation,T1574,T1574.010,Services File Permissions Weakness (T1574.010) 669 | privilege-escalation,T1574,T1574.011,Services Registry Permissions Weakness (T1574.011) 670 | privilege-escalation,T1574,T1574.012,COR_PROFILER (T1574.012) 671 | privilege-escalation,T1611,T1611,Escape to Host (T1611) 672 | reconnaissance,T1589,T1589,Gather Victim Identity Information (T1589) 673 | reconnaissance,T1589,T1589.001,Credentials (T1589.001) 674 | reconnaissance,T1589,T1589.002,Email Addresses (T1589.002) 675 | reconnaissance,T1589,T1589.003,Employee Names (T1589.003) 676 | reconnaissance,T1590,T1590,Gather Victim Network Information (T1590) 677 | reconnaissance,T1590,T1590.001,Domain Properties (T1590.001) 678 | reconnaissance,T1590,T1590.002,DNS (T1590.002) 679 | reconnaissance,T1590,T1590.003,Network Trust Dependencies (T1590.003) 680 | reconnaissance,T1590,T1590.004,Network Topology (T1590.004) 681 | reconnaissance,T1590,T1590.005,IP Addresses (T1590.005) 682 | reconnaissance,T1590,T1590.006,Network Security Appliances (T1590.006) 683 | reconnaissance,T1591,T1591,Gather Victim Org Information (T1591) 684 | 
reconnaissance,T1591,T1591.001,Determine Physical Locations (T1591.001) 685 | reconnaissance,T1591,T1591.002,Business Relationships (T1591.002) 686 | reconnaissance,T1591,T1591.003,Identify Business Tempo (T1591.003) 687 | reconnaissance,T1591,T1591.004,Identify Roles (T1591.004) 688 | reconnaissance,T1592,T1592,Gather Victim Host Information (T1592) 689 | reconnaissance,T1592,T1592.001,Hardware (T1592.001) 690 | reconnaissance,T1592,T1592.002,Software (T1592.002) 691 | reconnaissance,T1592,T1592.003,Firmware (T1592.003) 692 | reconnaissance,T1592,T1592.004,Client Configurations (T1592.004) 693 | reconnaissance,T1593,T1593,Search Open Websites/Domains (T1593) 694 | reconnaissance,T1593,T1593.001,Social Media (T1593.001) 695 | reconnaissance,T1593,T1593.002,Search Engines (T1593.002) 696 | reconnaissance,T1594,T1594,Search Victim-Owned Websites (T1594) 697 | reconnaissance,T1595,T1595,Active Scanning (T1595) 698 | reconnaissance,T1595,T1595.001,Scanning IP Blocks (T1595.001) 699 | reconnaissance,T1595,T1595.002,Vulnerability Scanning (T1595.002) 700 | reconnaissance,T1596,T1596,Search Open Technical Databases (T1596) 701 | reconnaissance,T1596,T1596.001,DNS/Passive DNS (T1596.001) 702 | reconnaissance,T1596,T1596.002,WHOIS (T1596.002) 703 | reconnaissance,T1596,T1596.003,Digital Certificates (T1596.003) 704 | reconnaissance,T1596,T1596.004,CDNs (T1596.004) 705 | reconnaissance,T1596,T1596.005,Scan Databases (T1596.005) 706 | reconnaissance,T1597,T1597,Search Closed Sources (T1597) 707 | reconnaissance,T1597,T1597.001,Threat Intel Vendors (T1597.001) 708 | reconnaissance,T1597,T1597.002,Purchase Technical Data (T1597.002) 709 | reconnaissance,T1598,T1598,Phishing for Information (T1598) 710 | reconnaissance,T1598,T1598.001,Spearphishing Service (T1598.001) 711 | reconnaissance,T1598,T1598.002,Spearphishing Attachment (T1598.002) 712 | reconnaissance,T1598,T1598.003,Spearphishing Link (T1598.003) 713 | resource-development,T1583,T1583,Acquire Infrastructure (T1583) 
714 | resource-development,T1583,T1583.001,Domains (T1583.001) 715 | resource-development,T1583,T1583.002,DNS Server (T1583.002) 716 | resource-development,T1583,T1583.003,Virtual Private Server (T1583.003) 717 | resource-development,T1583,T1583.004,Server (T1583.004) 718 | resource-development,T1583,T1583.005,Botnet (T1583.005) 719 | resource-development,T1583,T1583.006,Web Services (T1583.006) 720 | resource-development,T1584,T1584,Compromise Infrastructure (T1584) 721 | resource-development,T1584,T1584.001,Domains (T1584.001) 722 | resource-development,T1584,T1584.002,DNS Server (T1584.002) 723 | resource-development,T1584,T1584.003,Virtual Private Server (T1584.003) 724 | resource-development,T1584,T1584.004,Server (T1584.004) 725 | resource-development,T1584,T1584.005,Botnet (T1584.005) 726 | resource-development,T1584,T1584.006,Web Services (T1584.006) 727 | resource-development,T1585,T1585,Establish Accounts (T1585) 728 | resource-development,T1585,T1585.001,Social Media Accounts (T1585.001) 729 | resource-development,T1585,T1585.002,Email Accounts (T1585.002) 730 | resource-development,T1586,T1586,Compromise Accounts (T1586) 731 | resource-development,T1586,T1586.001,Social Media Accounts (T1586.001) 732 | resource-development,T1586,T1586.002,Email Accounts (T1586.002) 733 | resource-development,T1587,T1587,Develop Capabilities (T1587) 734 | resource-development,T1587,T1587.001,Malware (T1587.001) 735 | resource-development,T1587,T1587.002,Code Signing Certificates (T1587.002) 736 | resource-development,T1587,T1587.003,Digital Certificates (T1587.003) 737 | resource-development,T1587,T1587.004,Exploits (T1587.004) 738 | resource-development,T1588,T1588,Obtain Capabilities (T1588) 739 | resource-development,T1588,T1588.001,Malware (T1588.001) 740 | resource-development,T1588,T1588.002,Tool (T1588.002) 741 | resource-development,T1588,T1588.003,Code Signing Certificates (T1588.003) 742 | resource-development,T1588,T1588.004,Digital Certificates (T1588.004) 
743 | resource-development,T1588,T1588.005,Exploits (T1588.005) 744 | resource-development,T1588,T1588.006,Vulnerabilities (T1588.006) 745 | resource-development,T1608,T1608,Stage Capabilities (T1608) 746 | resource-development,T1608,T1608.001,Upload Malware (T1608.001) 747 | resource-development,T1608,T1608.002,Upload Tool (T1608.002) 748 | resource-development,T1608,T1608.003,Install Digital Certificate (T1608.003) 749 | resource-development,T1608,T1608.004,Drive-by Target (T1608.004) 750 | resource-development,T1608,T1608.005,Link Target (T1608.005) 751 | unspecified,T1002,T1002,Data Compressed (T1002) 752 | unspecified,T1004,T1004,Winlogon Helper DLL (T1004) 753 | unspecified,T1009,T1009,Binary Padding (T1009) 754 | unspecified,T1013,T1013,Port Monitors (T1013) 755 | unspecified,T1015,T1015,Accessibility Features (T1015) 756 | unspecified,T1017,T1017,Application Deployment Software (T1017) 757 | unspecified,T1019,T1019,System Firmware (T1019) 758 | unspecified,T1022,T1022,Data Encrypted (T1022) 759 | unspecified,T1023,T1023,Shortcut Modification (T1023) 760 | unspecified,T1024,T1024,Custom Cryptographic Protocol (T1024) 761 | unspecified,T1028,T1028,Windows Remote Management (T1028) 762 | unspecified,T1031,T1031,Modify Existing Service (T1031) 763 | unspecified,T1032,T1032,Standard Cryptographic Protocol (T1032) 764 | unspecified,T1035,T1035,Service Execution (T1035) 765 | unspecified,T1038,T1038,DLL Search Order Hijacking (T1038) 766 | unspecified,T1042,T1042,Change Default File Association (T1042) 767 | unspecified,T1044,T1044,File System Permissions Weakness (T1044) 768 | unspecified,T1045,T1045,Software Packing (T1045) 769 | unspecified,T1050,T1050,New Service (T1050) 770 | unspecified,T1054,T1054,Indicator Blocking (T1054) 771 | unspecified,T1058,T1058,Service Registry Permissions Weakness (T1058) 772 | unspecified,T1060,T1060,Registry Run Keys / Startup Folder (T1060) 773 | unspecified,T1063,T1063,Security Software Discovery (T1063) 774 | 
unspecified,T1065,T1065,Uncommonly Used Port (T1065) 775 | unspecified,T1066,T1066,Indicator Removal from Tools (T1066) 776 | unspecified,T1067,T1067,Bootkit (T1067) 777 | unspecified,T1073,T1073,DLL Side-Loading (T1073) 778 | unspecified,T1075,T1075,Pass the Hash (T1075) 779 | unspecified,T1076,T1076,Remote Desktop Protocol (T1076) 780 | unspecified,T1077,T1077,Windows Admin Shares (T1077) 781 | unspecified,T1079,T1079,Multilayer Encryption (T1079) 782 | unspecified,T1081,T1081,Credentials in Files (T1081) 783 | unspecified,T1084,T1084,Windows Management Instrumentation Event Subscription (T1084) 784 | unspecified,T1085,T1085,Rundll32 (T1085) 785 | unspecified,T1086,T1086,PowerShell (T1086) 786 | unspecified,T1088,T1088,Bypass User Account Control (T1088) 787 | unspecified,T1089,T1089,Disabling Security Tools (T1089) 788 | unspecified,T1093,T1093,Process Hollowing (T1093) 789 | unspecified,T1094,T1094,Custom Command and Control Protocol (T1094) 790 | unspecified,T1096,T1096,NTFS File Attributes (T1096) 791 | unspecified,T1097,T1097,Pass the Ticket (T1097) 792 | unspecified,T1099,T1099,Timestomp (T1099) 793 | unspecified,T1100,T1100,Web Shell (T1100) 794 | unspecified,T1101,T1101,Security Support Provider (T1101) 795 | unspecified,T1103,T1103,AppInit DLLs (T1103) 796 | unspecified,T1107,T1107,File Deletion (T1107) 797 | unspecified,T1109,T1109,Component Firmware (T1109) 798 | unspecified,T1116,T1116,Code Signing (T1116) 799 | unspecified,T1117,T1117,Regsvr32 (T1117) 800 | unspecified,T1118,T1118,InstallUtil (T1118) 801 | unspecified,T1121,T1121,Regsvcs/Regasm (T1121) 802 | unspecified,T1122,T1122,Component Object Model Hijacking (T1122) 803 | unspecified,T1126,T1126,Network Share Connection Removal (T1126) 804 | unspecified,T1128,T1128,Netsh Helper DLL (T1128) 805 | unspecified,T1130,T1130,Install Root Certificate (T1130) 806 | unspecified,T1131,T1131,Authentication Package (T1131) 807 | unspecified,T1138,T1138,Application Shimming (T1138) 808 | 
unspecified,T1139,T1139,Bash History (T1139) 809 | unspecified,T1141,T1141,Input Prompt (T1141) 810 | unspecified,T1142,T1142,Keychain (T1142) 811 | unspecified,T1143,T1143,Hidden Window (T1143) 812 | unspecified,T1144,T1144,Gatekeeper Bypass (T1144) 813 | unspecified,T1145,T1145,Private Keys (T1145) 814 | unspecified,T1146,T1146,Clear Command History (T1146) 815 | unspecified,T1147,T1147,Hidden Users (T1147) 816 | unspecified,T1148,T1148,HISTCONTROL (T1148) 817 | unspecified,T1150,T1150,Plist Modification (T1150) 818 | unspecified,T1151,T1151,Space after Filename (T1151) 819 | unspecified,T1152,T1152,Launchctl (T1152) 820 | unspecified,T1154,T1154,Trap (T1154) 821 | unspecified,T1155,T1155,AppleScript (T1155) 822 | unspecified,T1156,T1156,Malicious Shell Modification (T1156) 823 | unspecified,T1157,T1157,Dylib Hijacking (T1157) 824 | unspecified,T1158,T1158,Hidden Files and Directories (T1158) 825 | unspecified,T1159,T1159,Launch Agent (T1159) 826 | unspecified,T1160,T1160,Launch Daemon (T1160) 827 | unspecified,T1161,T1161,LC_LOAD_DYLIB Addition (T1161) 828 | unspecified,T1162,T1162,Login Item (T1162) 829 | unspecified,T1163,T1163,Rc.common (T1163) 830 | unspecified,T1164,T1164,Re-opened Applications (T1164) 831 | unspecified,T1165,T1165,Startup Items (T1165) 832 | unspecified,T1166,T1166,Setuid and Setgid (T1166) 833 | unspecified,T1167,T1167,Securityd Memory (T1167) 834 | unspecified,T1168,T1168,Local Job Scheduling (T1168) 835 | unspecified,T1169,T1169,Sudo (T1169) 836 | unspecified,T1170,T1170,Mshta (T1170) 837 | unspecified,T1171,T1171,LLMNR/NBT-NS Poisoning and Relay (T1171) 838 | unspecified,T1172,T1172,Domain Fronting (T1172) 839 | unspecified,T1173,T1173,Dynamic Data Exchange (T1173) 840 | unspecified,T1174,T1174,Password Filter DLL (T1174) 841 | unspecified,T1177,T1177,LSASS Driver (T1177) 842 | unspecified,T1178,T1178,SID-History Injection (T1178) 843 | unspecified,T1179,T1179,Hooking (T1179) 844 | unspecified,T1180,T1180,Screensaver (T1180) 845 | 
unspecified,T1181,T1181,Extra Window Memory Injection (T1181) 846 | unspecified,T1182,T1182,AppCert DLLs (T1182) 847 | unspecified,T1183,T1183,Image File Execution Options Injection (T1183) 848 | unspecified,T1184,T1184,SSH Hijacking (T1184) 849 | unspecified,T1186,T1186,Process Doppelgänging (T1186) 850 | unspecified,T1188,T1188,Multi-hop Proxy (T1188) 851 | unspecified,T1191,T1191,CMSTP (T1191) 852 | unspecified,T1192,T1192,Spearphishing Link (T1192) 853 | unspecified,T1193,T1193,Spearphishing Attachment (T1193) 854 | unspecified,T1194,T1194,Spearphishing via Service (T1194) 855 | unspecified,T1196,T1196,Control Panel Items (T1196) 856 | unspecified,T1198,T1198,SIP and Trust Provider Hijacking (T1198) 857 | unspecified,T1206,T1206,Sudo Caching (T1206) 858 | unspecified,T1208,T1208,Kerberoasting (T1208) 859 | unspecified,T1209,T1209,Time Providers (T1209) 860 | unspecified,T1214,T1214,Credentials in Registry (T1214) 861 | unspecified,T1215,T1215,Kernel Modules and Extensions (T1215) 862 | unspecified,T1223,T1223,Compiled HTML File (T1223) 863 | unspecified,T1483,T1483,Domain Generation Algorithms (T1483) 864 | unspecified,T1487,T1487,Disk Structure Wipe (T1487) 865 | unspecified,T1488,T1488,Disk Content Wipe (T1488) 866 | unspecified,T1492,T1492,Stored Data Manipulation (T1492) 867 | unspecified,T1493,T1493,Transmitted Data Manipulation (T1493) 868 | unspecified,T1494,T1494,Runtime Data Manipulation (T1494) 869 | unspecified,T1500,T1500,Compile After Delivery (T1500) 870 | unspecified,T1501,T1501,Systemd Service (T1501) 871 | unspecified,T1502,T1502,Parent PID Spoofing (T1502) 872 | unspecified,T1503,T1503,Credentials from Web Browsers (T1503) 873 | unspecified,T1504,T1504,PowerShell Profile (T1504) 874 | unspecified,T1506,T1506,Web Session Cookie (T1506) 875 | unspecified,T1514,T1514,Elevated Execution with Prompt (T1514) 876 | unspecified,T1519,T1519,Emond (T1519) 877 | unspecified,T1522,T1522,Cloud Instance Metadata API (T1522) 878 | 
unspecified,T1527,T1527,Application Access Token (T1527) 879 | unspecified,T1536,T1536,Revert Cloud Instance (T1536) 880 | -------------------------------------------------------------------------------- /20220505/AttackCoverage.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/20220505/AttackCoverage.xlsx -------------------------------------------------------------------------------- /20220505/attack_data-source.txt: -------------------------------------------------------------------------------- 1 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0035', 'external_id': 'DS0035', 'source_name': 'mitre-attack'}], 'x_mitre_version': '1.0', 'modified': '2021-10-20T15:05:19.275Z', 'data_source': 'Internet Scan', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17', 'description': 'Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet', 'created': '2021-10-20T15:05:19.275Z', 'url': 'https://attack.mitre.org/datasources/DS0035', 'matrix': 'mitre-attack', 'software_platform': ['PRE'], 'collection_layers': ['OSINT'], 'contributors': []} 2 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0037', 'external_id': 'DS0037', 'source_name': 'mitre-attack'}], 'x_mitre_version': '1.0', 'modified': '2021-10-20T15:05:19.275Z', 'data_source': 'Certificate', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 
'x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923', 'description': "A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications", 'created': '2021-10-20T15:05:19.275Z', 'url': 'https://attack.mitre.org/datasources/DS0037', 'matrix': 'mitre-attack', 'software_platform': ['PRE'], 'collection_layers': ['OSINT'], 'contributors': []} 3 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0038', 'external_id': 'DS0038', 'source_name': 'mitre-attack'}], 'x_mitre_version': '1.0', 'modified': '2021-10-20T15:05:19.275Z', 'data_source': 'Domain Name', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866', 'description': 'Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)', 'created': '2021-10-20T15:05:19.275Z', 'url': 'https://attack.mitre.org/datasources/DS0038', 'matrix': 'mitre-attack', 'software_platform': ['PRE'], 'collection_layers': ['OSINT'], 'contributors': []} 4 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0034', 'external_id': 'DS0034', 'source_name': 'mitre-attack'}, {'url': 'https://aws.amazon.com/s3/', 'description': 'Amazon. (n.d.). Amazon S3. Retrieved October 13, 2021.', 'source_name': 'Amazon S3'}, {'url': 'https://azure.microsoft.com/en-us/services/storage/blobs/', 'description': 'Microsoft. (n.d.). Azure Blob Storage. Retrieved October 13, 2021.', 'source_name': 'Azure Blob Storage'}, {'url': 'https://cloud.google.com/storage', 'description': 'Google. (n.d.). Cloud Storage. 
Retrieved October 13, 2021.', 'source_name': 'Google Cloud Storage'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.698Z', 'data_source': 'Volume', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5', 'description': 'Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)', 'created': '2021-10-20T15:05:19.275Z', 'url': 'https://attack.mitre.org/datasources/DS0034', 'matrix': 'mitre-attack', 'software_platform': ['IaaS', 'Windows', 'Linux', 'macOS'], 'collection_layers': ['Cloud Control Plane', 'Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 5 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0036', 'external_id': 'DS0036', 'source_name': 'mitre-attack'}, {'url': 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html', 'description': 'Amazon. (n.d.). IAM user groups. 
Retrieved October 13, 2021.', 'source_name': 'Amazon IAM Groups'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.695Z', 'data_source': 'Group', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec', 'description': 'A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Amazon IAM Groups)', 'created': '2021-10-20T15:05:19.275Z', 'url': 'https://attack.mitre.org/datasources/DS0036', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'IaaS', 'SaaS', 'Office 365', 'Azure AD', 'Google Workspace'], 'collection_layers': ['Host', 'Cloud Control Plane'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 6 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0031', 'external_id': 'DS0031', 'source_name': 'mitre-attack'}, {'url': 'https://kubernetes.io/docs/concepts/cluster-administration/', 'description': 'kubernetes. (2021, January 16). Cluster Administration. Retrieved October 13, 2021.', 'source_name': 'Kube Cluster Admin'}, {'url': 'https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cluster-info', 'description': 'kubernetes. (n.d.). cluster-info. 
Retrieved October 13, 2021.', 'source_name': 'Kube Cluster Info'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.694Z', 'data_source': 'Cluster', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--c3af32ff-65c5-4ea8-912a-fb4a85197239', 'description': 'A set of containerized computing resources that are managed together but have separate nodes to execute various tasks and/or applications(Citation: Kube Cluster Admin)(Citation: Kube Cluster Info)', 'created': '2021-10-20T15:05:19.274Z', 'url': 'https://attack.mitre.org/datasources/DS0031', 'matrix': 'mitre-attack', 'software_platform': ['Containers'], 'collection_layers': ['Container'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 7 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0028', 'external_id': 'DS0028', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events', 'description': 'Microsoft. (2021, September 6). Audit logon events. 
Retrieved September 28, 2021.', 'source_name': 'Microsoft Audit Logon Events'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.696Z', 'data_source': 'Logon Session', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891', 'description': 'Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorizaton(Citation: Microsoft Audit Logon Events)', 'created': '2021-10-20T15:05:19.274Z', 'url': 'https://attack.mitre.org/datasources/DS0028', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS', 'IaaS', 'SaaS', 'Office 365', 'Azure AD', 'Google Workspace'], 'collection_layers': ['Host', 'Network', 'Cloud Control Plane'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 8 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0033', 'external_id': 'DS0033', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview', 'description': 'Microsoft. (2018, July 9). Network File System overview. 
Retrieved September 28, 2021.', 'source_name': 'Microsoft NFS Overview'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.697Z', 'data_source': 'Network Share', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e', 'description': 'A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)', 'created': '2021-10-20T15:05:19.274Z', 'url': 'https://attack.mitre.org/datasources/DS0033', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 9 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0032', 'external_id': 'DS0032', 'source_name': 'mitre-attack'}, {'url': 'https://docs.docker.com/engine/api/v1.41/#tag/Container', 'description': 'docker docs. (n.d.). Containers. 
Retrieved October 13, 2021.', 'source_name': 'Docker Docs Container'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.694Z', 'data_source': 'Container', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--072ec5a7-00ba-466f-9057-69751a22a967', 'description': 'A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container)', 'created': '2021-10-20T15:05:19.274Z', 'url': 'https://attack.mitre.org/datasources/DS0032', 'matrix': 'mitre-attack', 'software_platform': ['Containers'], 'collection_layers': ['Container'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 10 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0026', 'external_id': 'DS0026', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started', 'description': 'Foulds, I. et al. (2018, August 7). AD DS Getting Started. 
Retrieved September 23, 2021.', 'source_name': 'Microsoft AD DS Getting Started'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.693Z', 'data_source': 'Active Directory', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8', 'description': 'A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started)', 'created': '2021-10-20T15:05:19.274Z', 'url': 'https://attack.mitre.org/datasources/DS0026', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Azure AD'], 'collection_layers': ['Host', 'Cloud Control Plane'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 11 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0027', 'external_id': 'DS0027', 'source_name': 'mitre-attack'}, {'url': 'https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html', 'description': 'Apple. (2014, April 9). What Is the I/O Kit?. Retrieved September 24, 2021.', 'source_name': 'IOKit Fundamentals'}, {'url': 'https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode', 'description': 'Viviano, A. (2021, August 17). Getting started with Windows drivers: User mode and kernel mode. 
Retrieved September 24, 2021.', 'source_name': 'Windows Getting Started Drivers'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.695Z', 'data_source': 'Driver', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054', 'description': 'A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers)', 'created': '2021-10-20T15:05:19.274Z', 'url': 'https://attack.mitre.org/datasources/DS0027', 'matrix': 'mitre-attack', 'software_platform': ['Linux', 'macOS', 'Windows'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 12 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0030', 'external_id': 'DS0030', 'source_name': 'mitre-attack'}, {'url': 'https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/', 'description': 'Microsoft. (n.d.). What is a virtual machine (VM)?. Retrieved October 13, 2021.', 'source_name': 'Amazon VM'}, {'url': 'https://cloud.google.com/compute/docs/instances', 'description': 'Google. (n.d.). Virtual machine instances. 
Retrieved October 13, 2021.', 'source_name': 'Google VM'}], 'x_mitre_version': '1.0', 'modified': '2021-10-20T15:05:19.274Z', 'data_source': 'Instance', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0', 'description': 'A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM)', 'created': '2021-10-20T15:05:19.274Z', 'url': 'https://attack.mitre.org/datasources/DS0030', 'matrix': 'mitre-attack', 'software_platform': ['IaaS'], 'collection_layers': ['Cloud Control Plane'], 'contributors': []} 13 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0029', 'external_id': 'DS0029', 'source_name': 'mitre-attack'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.697Z', 'data_source': 'Network Traffic', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3', 'description': 'Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)', 'created': '2021-10-20T15:05:19.274Z', 'url': 'https://attack.mitre.org/datasources/DS0029', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS', 'IaaS'], 'collection_layers': ['Host', 'Network', 'Cloud Control Plane'], 'contributors': ['Center for Threat-Informed Defense (CTID)', 'ExtraHop']} 14 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0022', 'external_id': 'DS0022', 'source_name': 'mitre-attack'}, {'url': 
'https://docs.microsoft.com/en-us/windows/win32/fileio/file-management', 'description': 'Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.', 'source_name': 'Microsoft File Mgmt'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.695Z', 'data_source': 'File', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9', 'description': 'A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media)(Citation: Microsoft File Mgmt)', 'created': '2021-10-20T15:05:19.273Z', 'url': 'https://attack.mitre.org/datasources/DS0022', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS', 'Network'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 15 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0018', 'external_id': 'DS0018', 'source_name': 'mitre-attack'}, {'url': 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html', 'description': 'Amazon. (n.d.). Security groups for your VPC. 
Retrieved October 13, 2021.', 'source_name': 'AWS Sec Groups VPC'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.695Z', 'data_source': 'Firewall', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b', 'description': 'A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC)', 'created': '2021-10-20T15:05:19.273Z', 'url': 'https://attack.mitre.org/datasources/DS0018', 'matrix': 'mitre-attack', 'software_platform': ['IaaS', 'SaaS', 'Office 365', 'Azure AD', 'Linux', 'macOS', 'Windows', 'Google Workspace'], 'collection_layers': ['Cloud Control Plane', 'Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 16 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0021', 'external_id': 'DS0021', 'source_name': 'mitre-attack'}], 'x_mitre_version': '1.0', 'modified': '2021-10-20T15:05:19.273Z', 'data_source': 'Persona', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--3bef4799-906c-409c-ac00-3fb7a1e352e6', 'description': 'A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims', 'created': '2021-10-20T15:05:19.273Z', 'url': 'https://attack.mitre.org/datasources/DS0021', 'matrix': 'mitre-attack', 'software_platform': ['PRE'], 'collection_layers': ['OSINT'], 'contributors': []} 17 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0025', 'external_id': 'DS0025', 'source_name': 'mitre-attack'}, {'url': 
'https://aws.amazon.com', 'description': 'Amazon. (n.d.). Start Building on AWS Today. Retrieved October 13, 2021.', 'source_name': 'Amazon AWS'}, {'url': 'https://azure.microsoft.com/en-us/services/', 'description': 'Microsoft. (n.d.). Azure products. Retrieved October 13, 2021.', 'source_name': 'Azure Products'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.694Z', 'data_source': 'Cloud Service', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647', 'description': 'Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon AWS)(Citation: Azure Products)', 'created': '2021-10-20T15:05:19.273Z', 'url': 'https://attack.mitre.org/datasources/DS0025', 'matrix': 'mitre-attack', 'software_platform': ['IaaS', 'SaaS', 'Office 365', 'Azure AD', 'Google Workspace'], 'collection_layers': ['Cloud Control Plane'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 18 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0023', 'external_id': 'DS0023', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes', 'description': 'Microsoft. (2018, May 31). Named Pipes. Retrieved September 28, 2021.', 'source_name': 'Microsoft Named Pipes'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.697Z', 'data_source': 'Named Pipe', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c', 'description': 'Mechanisms that allow inter-process communication locally or over the network. 
A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes)', 'created': '2021-10-20T15:05:19.273Z', 'url': 'https://attack.mitre.org/datasources/DS0023', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 19 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0019', 'external_id': 'DS0019', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications', 'description': 'Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.', 'source_name': 'Microsoft Services'}, {'url': 'https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/', 'description': 'The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. 
Retrieved September 28, 2021.', 'source_name': 'Linux Services Run Levels'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.698Z', 'data_source': 'Service', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb', 'description': 'A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)', 'created': '2021-10-20T15:05:19.273Z', 'url': 'https://attack.mitre.org/datasources/DS0019', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 20 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0024', 'external_id': 'DS0024', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry', 'description': 'Microsoft. (2018, May 31). Registry. 
Retrieved September 29, 2021.', 'source_name': 'Microsoft Registry'}], 'x_mitre_version': '1.0', 'modified': '2021-10-20T15:05:19.273Z', 'data_source': 'Windows Registry', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0', 'description': 'A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)', 'created': '2021-10-20T15:05:19.273Z', 'url': 'https://attack.mitre.org/datasources/DS0024', 'matrix': 'mitre-attack', 'software_platform': ['Windows'], 'collection_layers': ['Host'], 'contributors': []} 21 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0017', 'external_id': 'DS0017', 'source_name': 'mitre-attack'}, {'url': 'https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html', 'description': 'Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.', 'source_name': 'Confluence Linux Command Line'}, {'url': 'https://www.scip.ch/en/?labs.20150108', 'description': 'Gagliardi, R. (n.d.). Audit in a OS X System. 
Retrieved September 23, 2021.', 'source_name': 'Audit OSX'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.694Z', 'data_source': 'Command', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089', 'description': 'A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)', 'created': '2021-10-20T15:05:19.273Z', 'url': 'https://attack.mitre.org/datasources/DS0017', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS', 'Network', 'Containers'], 'collection_layers': ['Host', 'Container'], 'contributors': ['Austin Clark', 'Center for Threat-Informed Defense (CTID)']} 22 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0020', 'external_id': 'DS0020', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk', 'description': 'Microsoft. (2021, September 16). Create a snapshot of a virtual hard disk. Retrieved October 13, 2021.', 'source_name': 'Microsoft Snapshot'}, {'url': 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html', 'description': 'Amazon. (n.d.). Amazon EBS snapshots. Retrieved October 13, 2021.', 'source_name': 'Amazon Snapshots'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.698Z', 'data_source': 'Snapshot', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768', 'description': 'A point-in-time copy of cloud volumes (files, settings, etc.) 
that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots)', 'created': '2021-10-20T15:05:19.273Z', 'url': 'https://attack.mitre.org/datasources/DS0020', 'matrix': 'mitre-attack', 'software_platform': ['IaaS'], 'collection_layers': ['Cloud Control Plane'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 23 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0011', 'external_id': 'DS0011', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya', 'description': 'Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.', 'source_name': 'Microsoft LoadLibrary'}, {'url': 'https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module', 'description': 'Microsoft. (n.d.). Module Class. Retrieved September 28, 2021.', 'source_name': 'Microsoft Module Class'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.697Z', 'data_source': 'Module', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563', 'description': 'Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)', 'created': '2021-10-20T15:05:19.272Z', 'url': 'https://attack.mitre.org/datasources/DS0011', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 24 | {'object_marking_refs': 
['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0013', 'external_id': 'DS0013', 'source_name': 'mitre-attack'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.698Z', 'data_source': 'Sensor Health', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159', 'description': 'Information from host telemetry providing insights about system status, errors, or other notable functional activity', 'created': '2021-10-20T15:05:19.272Z', 'url': 'https://attack.mitre.org/datasources/DS0013', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 25 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0015', 'external_id': 'DS0015', 'source_name': 'mitre-attack'}, {'url': 'https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html', 'description': 'Confluence Support. (2021, April 22). Working with Confluence Logs. 
Retrieved September 23, 2021.', 'source_name': 'Confluence Logs'}], 'x_mitre_version': '1.0', 'modified': '2021-10-20T15:05:19.272Z', 'data_source': 'Application Log', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4', 'description': 'Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)', 'created': '2021-10-20T15:05:19.272Z', 'url': 'https://attack.mitre.org/datasources/DS0015', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS', 'IaaS', 'SaaS', 'Office 365', 'Google Workspace'], 'collection_layers': ['Host', 'Cloud Control Plane'], 'contributors': []} 26 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0012', 'external_id': 'DS0012', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7', 'description': 'Microsoft. (2020, March 30). about_Logging_Windows. Retrieved September 28, 2021.', 'source_name': 'Microsoft PowerShell Logging'}, {'url': 'https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html', 'description': 'Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.', 'source_name': 'FireEye PowerShell Logging'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal', 'description': 'Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). 
Retrieved September 28, 2021.', 'source_name': 'Microsoft AMSI'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.698Z', 'data_source': 'Script', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e', 'description': 'A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)', 'created': '2021-10-20T15:05:19.272Z', 'url': 'https://attack.mitre.org/datasources/DS0012', 'matrix': 'mitre-attack', 'software_platform': ['Windows'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 27 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0010', 'external_id': 'DS0010', 'source_name': 'mitre-attack'}, {'url': 'https://aws.amazon.com/s3/', 'description': 'Amazon. (n.d.). Amazon S3. Retrieved October 13, 2021.', 'source_name': 'Amazon S3'}, {'url': 'https://azure.microsoft.com/en-us/services/storage/blobs/', 'description': 'Microsoft. (n.d.). Azure Blob Storage. Retrieved October 13, 2021.', 'source_name': 'Azure Blob Storage'}, {'url': 'https://cloud.google.com/storage', 'description': 'Google. (n.d.). Cloud Storage. 
Retrieved October 13, 2021.', 'source_name': 'Google Cloud Storage'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.694Z', 'data_source': 'Cloud Storage', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc', 'description': 'Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)', 'created': '2021-10-20T15:05:19.272Z', 'url': 'https://attack.mitre.org/datasources/DS0010', 'matrix': 'mitre-attack', 'software_platform': ['IaaS'], 'collection_layers': ['Cloud Control Plane'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 28 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0016', 'external_id': 'DS0016', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread', 'description': 'Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. 
Retrieved September 24, 2021.', 'source_name': 'Sysmon EID 9'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.695Z', 'data_source': 'Drive', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065', 'description': 'A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)', 'created': '2021-10-20T15:05:19.272Z', 'url': 'https://attack.mitre.org/datasources/DS0016', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 29 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0008', 'external_id': 'DS0008', 'source_name': 'mitre-attack'}, {'url': 'https://www.stigviewer.com/stig/oracle_linux_5/2016-12-20/finding/V-22383', 'description': 'Unified Compliance Framework. (2016, December 20). The audit system must be configured to audit the loading and unloading of dynamic kernel modules.. Retrieved September 28, 2021.', 'source_name': 'STIG Audit Kernel Modules'}, {'url': 'https://man7.org/linux/man-pages/man2/init_module.2.html', 'description': 'Kerrisk, M. (2021, March 22). INIT_MODULE(2). 
Retrieved September 28, 2021.', 'source_name': 'Init Man Page'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.696Z', 'data_source': 'Kernel', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e', 'description': 'A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page)', 'created': '2021-10-20T15:05:19.272Z', 'url': 'https://attack.mitre.org/datasources/DS0008', 'matrix': 'mitre-attack', 'software_platform': ['Linux', 'macOS'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 30 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0014', 'external_id': 'DS0014', 'source_name': 'mitre-attack'}, {'url': 'https://kubernetes.io/docs/reference/kubectl/kubectl/', 'description': 'kubernetes. (n.d.). kubectl. Retrieved October 13, 2021.', 'source_name': 'Kube Kubectl'}, {'url': 'https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core', 'description': 'kubenetes. (n.d.). Pod v1 core. 
Retrieved October 13, 2021.', 'source_name': 'Kube Pod'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.697Z', 'data_source': 'Pod', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf', 'description': 'A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod)', 'created': '2021-10-20T15:05:19.272Z', 'url': 'https://attack.mitre.org/datasources/DS0014', 'matrix': 'mitre-attack', 'software_platform': ['Containers'], 'collection_layers': ['Container'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 31 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0009', 'external_id': 'DS0009', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads', 'description': 'Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.', 'source_name': 'Microsoft Processes and Threads'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.697Z', 'data_source': 'Process', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22', 'description': 'Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)', 'created': '2021-10-20T15:05:19.272Z', 'url': 'https://attack.mitre.org/datasources/DS0009', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 32 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0003', 'external_id': 'DS0003', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks', 'description': 'Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.', 'source_name': 'Microsoft Tasks'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.697Z', 'data_source': 'Scheduled Job', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883', 'description': 'Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)', 'created': '2021-10-20T15:05:19.271Z', 'url': 'https://attack.mitre.org/datasources/DS0003', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS', 'Containers'], 'collection_layers': ['Host', 'Container'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 33 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0006', 'external_id': 'DS0006', 'source_name': 'mitre-attack'}, {'url': 'https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4', 
'description': 'Hsu, S. (2018, June 30). Session vs Token Based Authentication. Retrieved September 29, 2021.', 'source_name': 'Medium Authentication Tokens'}, {'url': 'https://auth0.com/docs/tokens/access-tokens', 'description': 'Auth0. (n.d.). Access Tokens. Retrieved September 29, 2021.', 'source_name': 'Auth0 Access Tokens'}], 'x_mitre_version': '1.0', 'modified': '2021-10-20T15:05:19.271Z', 'data_source': 'Web Credential', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4', 'description': 'Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens)', 'created': '2021-10-20T15:05:19.271Z', 'url': 'https://attack.mitre.org/datasources/DS0006', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS', 'SaaS', 'Office 365', 'Azure AD', 'Google Workspace'], 'collection_layers': ['Host', 'Cloud Control Plane'], 'contributors': []} 34 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0004', 'external_id': 'DS0004', 'source_name': 'mitre-attack'}], 'x_mitre_version': '1.0', 'modified': '2021-10-20T15:05:19.271Z', 'data_source': 'Malware Repository', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--b86d9b40-5fbe-4ef1-8dc3-263eff26f495', 'description': 'Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) 
used by adversaries', 'created': '2021-10-20T15:05:19.271Z', 'url': 'https://attack.mitre.org/datasources/DS0004', 'matrix': 'mitre-attack', 'software_platform': ['PRE'], 'collection_layers': ['OSINT'], 'contributors': []} 35 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0002', 'external_id': 'DS0002', 'source_name': 'mitre-attack'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.698Z', 'data_source': 'User Account', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6', 'description': 'A profile representing a user, device, service, or application used to authenticate and access resources', 'created': '2021-10-20T15:05:19.271Z', 'url': 'https://attack.mitre.org/datasources/DS0002', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS', 'IaaS', 'SaaS', 'Office 365', 'Azure AD', 'Containers', 'Google Workspace'], 'collection_layers': ['Host', 'Cloud Control Plane', 'Container'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 36 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0005', 'external_id': 'DS0005', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-system-classes', 'description': 'Microsoft. (2018, May 31). WMI System Classes. Retrieved September 29, 2021.', 'source_name': 'Microsoft WMI System Classes'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture', 'description': 'Microsoft. (2018, May 31). WMI Architecture. 
Retrieved September 29, 2021.', 'source_name': 'Microsoft WMI Architecture'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.699Z', 'data_source': 'WMI', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6', 'description': 'The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture)', 'created': '2021-10-20T15:05:19.271Z', 'url': 'https://attack.mitre.org/datasources/DS0005', 'matrix': 'mitre-attack', 'software_platform': ['Windows'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 37 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0007', 'external_id': 'DS0007', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource', 'description': 'Microsoft. (2021, August 23). Create a managed image of a generalized VM in Azure. Retrieved October 13, 2021.', 'source_name': 'Microsoft Image'}, {'url': 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html', 'description': 'Amazon. (n.d.). Amazon Machine Images (AMI). 
Retrieved October 13, 2021.', 'source_name': 'Amazon AMI'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.696Z', 'data_source': 'Image', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52', 'description': 'A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI)', 'created': '2021-10-20T15:05:19.271Z', 'url': 'https://attack.mitre.org/datasources/DS0007', 'matrix': 'mitre-attack', 'software_platform': ['IaaS'], 'collection_layers': ['Cloud Control Plane'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 38 | {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0001', 'external_id': 'DS0001', 'source_name': 'mitre-attack'}], 'x_mitre_version': '1.0', 'modified': '2021-11-10T09:30:48.695Z', 'data_source': 'Firmware', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f', 'description': 'Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI', 'created': '2021-10-20T15:05:19.265Z', 'url': 'https://attack.mitre.org/datasources/DS0001', 'matrix': 'mitre-attack', 'software_platform': ['Windows', 'Linux', 'macOS'], 'collection_layers': ['Host'], 'contributors': ['Center for Threat-Informed Defense (CTID)']} 39 | -------------------------------------------------------------------------------- /20220505/attack_identity.txt: -------------------------------------------------------------------------------- 1 | {'modified': '2017-06-01T00:00:00.000Z', 'name': 'The MITRE Corporation', 'identity_class': 'organization', 'object_marking_refs': 
['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'identity', 'id': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2017-06-01T00:00:00.000Z'} 2 | -------------------------------------------------------------------------------- /20220505/attack_marking-definition.txt: -------------------------------------------------------------------------------- 1 | {'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'definition_type': 'statement', 'definition': {'statement': 'Copyright 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.'}, 'type': 'marking-definition', 'id': 'marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168', 'created': '2017-06-01T00:00:00.000Z'} 2 | -------------------------------------------------------------------------------- /20220505/attack_matrix.txt: -------------------------------------------------------------------------------- 1 | {'external_references': [{'url': 'https://attack.mitre.org/matrices/enterprise', 'external_id': 'enterprise-attack', 'source_name': 'mitre-attack'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-matrix', 'matrix': 'mitre-attack', 'matrix_description': 'Below are the tactics and technique representing the MITRE ATT&CK Matrix for Enterprise. 
The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.', 'modified': '2021-11-03T20:11:51.915Z', 'id': 'x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc', 'created': '2018-10-17T00:14:20.652Z', 'tactic_references': ['x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592', 'x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400', 'x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca', 'x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5', 'x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92', 'x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd', 'x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a', 'x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263', 'x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9', 'x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e', 'x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe', 'x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813', 'x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462', 'x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8'], 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/matrices/enterprise'} 2 | -------------------------------------------------------------------------------- /20220505/attack_tactics.txt: -------------------------------------------------------------------------------- 1 | {'external_references': [{'url': 'https://attack.mitre.org/tactics/TA0043', 'external_id': 'TA0043', 'source_name': 'mitre-attack'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Reconnaissance', 'tactic_description': 'The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. 
Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.', 'modified': '2020-10-18T02:04:50.842Z', 'id': 'x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592', 'created': '2020-10-02T14:48:41.809Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0043', 'matrix': 'mitre-attack', 'tactic_shortname': 'reconnaissance'} 2 | {'external_references': [{'url': 'https://attack.mitre.org/tactics/TA0042', 'external_id': 'TA0042', 'source_name': 'mitre-attack'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Resource Development', 'tactic_description': 'The adversary is trying to establish resources they can use to support operations.\n\nResource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. 
These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.', 'modified': '2020-09-30T16:31:36.322Z', 'id': 'x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400', 'created': '2020-09-30T16:11:59.650Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0042', 'matrix': 'mitre-attack', 'tactic_shortname': 'resource-development'} 3 | {'external_references': [{'url': 'https://attack.mitre.org/tactics/TA0040', 'external_id': 'TA0040', 'source_name': 'mitre-attack'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Impact', 'tactic_description': 'The adversary is trying to manipulate, interrupt, or destroy your systems and data.\n \nImpact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. 
These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.', 'modified': '2019-07-25T18:42:23.222Z', 'id': 'x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8', 'created': '2019-03-14T18:44:44.639Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0040', 'matrix': 'mitre-attack', 'tactic_shortname': 'impact'} 4 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0006', 'url': 'https://attack.mitre.org/tactics/TA0006'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Credential Access', 'tactic_description': 'The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.', 'modified': '2019-07-19T17:43:41.967Z', 'id': 'x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0006', 'matrix': 'mitre-attack', 'tactic_shortname': 'credential-access'} 5 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0005', 'url': 'https://attack.mitre.org/tactics/TA0005'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Defense Evasion', 'tactic_description': 'The adversary is trying to avoid being detected.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. 
Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. ', 'modified': '2019-07-19T17:43:23.473Z', 'id': 'x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0005', 'matrix': 'mitre-attack', 'tactic_shortname': 'defense-evasion'} 6 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0001', 'url': 'https://attack.mitre.org/tactics/TA0001'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Initial Access', 'tactic_description': 'The adversary is trying to get into your network.\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. 
Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.', 'modified': '2019-07-19T17:41:41.425Z', 'id': 'x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0001', 'matrix': 'mitre-attack', 'tactic_shortname': 'initial-access'} 7 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0011', 'url': 'https://attack.mitre.org/tactics/TA0011'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Command and Control', 'tactic_description': 'The adversary is trying to communicate with compromised systems to control them.\n\nCommand and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. 
There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.', 'modified': '2019-07-19T17:45:30.644Z', 'id': 'x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0011', 'matrix': 'mitre-attack', 'tactic_shortname': 'command-and-control'} 8 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0010', 'url': 'https://attack.mitre.org/tactics/TA0010'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Exfiltration', 'tactic_description': 'The adversary is trying to steal data.\n\nExfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. 
Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.', 'modified': '2019-07-19T17:45:12.806Z', 'id': 'x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0010', 'matrix': 'mitre-attack', 'tactic_shortname': 'exfiltration'} 9 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0004', 'url': 'https://attack.mitre.org/tactics/TA0004'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Privilege Escalation', 'tactic_description': 'The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: \n\n* SYSTEM/root level\n* local administrator\n* user account with admin-like access \n* user accounts with access to specific system or perform specific function\n\nThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. 
', 'modified': '2021-01-06T14:21:21.641Z', 'id': 'x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0004', 'matrix': 'mitre-attack', 'tactic_shortname': 'privilege-escalation'} 10 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0009', 'url': 'https://attack.mitre.org/tactics/TA0009'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Collection', 'tactic_description': "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.", 'modified': '2019-07-19T17:44:53.176Z', 'id': 'x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0009', 'matrix': 'mitre-attack', 'tactic_shortname': 'collection'} 11 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0002', 'url': 'https://attack.mitre.org/tactics/TA0002'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Execution', 'tactic_description': 'The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system. 
Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. ', 'modified': '2019-07-19T17:42:06.909Z', 'id': 'x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0002', 'matrix': 'mitre-attack', 'tactic_shortname': 'execution'} 12 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0003', 'url': 'https://attack.mitre.org/tactics/TA0003'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Persistence', 'tactic_description': 'The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. 
', 'modified': '2019-07-19T17:42:33.899Z', 'id': 'x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0003', 'matrix': 'mitre-attack', 'tactic_shortname': 'persistence'} 13 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0007', 'url': 'https://attack.mitre.org/tactics/TA0007'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Discovery', 'tactic_description': 'The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. ', 'modified': '2019-07-19T17:44:13.228Z', 'id': 'x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0007', 'matrix': 'mitre-attack', 'tactic_shortname': 'discovery'} 14 | {'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0008', 'url': 'https://attack.mitre.org/tactics/TA0008'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'x-mitre-tactic', 'tactic': 'Lateral Movement', 'tactic_description': 'The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. 
Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. ', 'modified': '2019-07-19T17:44:36.953Z', 'id': 'x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e', 'created': '2018-10-17T00:14:20.652Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'url': 'https://attack.mitre.org/tactics/TA0008', 'matrix': 'mitre-attack', 'tactic_shortname': 'lateral-movement'} 15 | -------------------------------------------------------------------------------- /20220505/data_sources.csv: -------------------------------------------------------------------------------- 1 | data sources 2 | Active Directory: Active Directory Credential Request 3 | Active Directory: Active Directory Object Access 4 | Active Directory: Active Directory Object Creation 5 | Active Directory: Active Directory Object Deletion 6 | Active Directory: Active Directory Object Modification 7 | Application Log: Application Log Content 8 | Certificate: Certificate Registration 9 | Cloud Service: Cloud Service Disable 10 | Cloud Service: Cloud Service Enumeration 11 | Cloud Service: Cloud Service Metadata 12 | Cloud Service: Cloud Service Modification 13 | Cloud Storage: Cloud Storage Access 14 | Cloud Storage: Cloud Storage Creation 15 | Cloud Storage: Cloud Storage Deletion 16 | Cloud Storage: Cloud Storage Enumeration 17 | Cloud Storage: Cloud Storage Metadata 18 | Cloud Storage: Cloud Storage Modification 19 | Cluster: Cluster Metadata 20 | Command: Command Execution 21 | Container: Container Creation 22 | Container: Container Enumeration 23 | Container: Container Metadata 24 | Container: Container Start 25 | Domain Name: 
Active DNS 26 | Domain Name: Domain Registration 27 | Domain Name: Passive DNS 28 | Drive: Drive Access 29 | Drive: Drive Creation 30 | Drive: Drive Modification 31 | Driver: Driver Load 32 | Driver: Driver Metadata 33 | File: File Access 34 | File: File Creation 35 | File: File Deletion 36 | File: File Metadata 37 | File: File Modification 38 | Firewall: Firewall Disable 39 | Firewall: Firewall Enumeration 40 | Firewall: Firewall Metadata 41 | Firewall: Firewall Rule Modification 42 | Firmware: Firmware Modification 43 | Group: Group Enumeration 44 | Group: Group Metadata 45 | Group: Group Modification 46 | Image: Image Creation 47 | Image: Image Deletion 48 | Image: Image Metadata 49 | Image: Image Modification 50 | Instance: Instance Creation 51 | Instance: Instance Deletion 52 | Instance: Instance Enumeration 53 | Instance: Instance Metadata 54 | Instance: Instance Modification 55 | Instance: Instance Start 56 | Instance: Instance Stop 57 | Internet Scan: Response Content 58 | Internet Scan: Response Metadata 59 | Kernel: Kernel Module Load 60 | Logon Session: Logon Session Creation 61 | Logon Session: Logon Session Metadata 62 | Malware Repository: Malware Content 63 | Malware Repository: Malware Metadata 64 | Module: Module Load 65 | Named Pipe: Named Pipe Metadata 66 | Network Share: Network Share Access 67 | Network Traffic: Network Connection Creation 68 | Network Traffic: Network Traffic Content 69 | Network Traffic: Network Traffic Flow 70 | Persona: Social Media 71 | Pod: Pod Creation 72 | Pod: Pod Enumeration 73 | Pod: Pod Metadata 74 | Pod: Pod Modification 75 | Process: OS API Execution 76 | Process: Process Access 77 | Process: Process Creation 78 | Process: Process Metadata 79 | Process: Process Modification 80 | Process: Process Termination 81 | Scheduled Job: Scheduled Job Creation 82 | Scheduled Job: Scheduled Job Metadata 83 | Scheduled Job: Scheduled Job Modification 84 | Script: Script Execution 85 | Sensor Health: Host Status 86 | Service: 
Service Creation 87 | Service: Service Metadata 88 | Service: Service Modification 89 | Snapshot: Snapshot Creation 90 | Snapshot: Snapshot Deletion 91 | Snapshot: Snapshot Enumeration 92 | Snapshot: Snapshot Metadata 93 | Snapshot: Snapshot Modification 94 | User Account: User Account Authentication 95 | User Account: User Account Creation 96 | User Account: User Account Deletion 97 | User Account: User Account Metadata 98 | User Account: User Account Modification 99 | Volume: Volume Creation 100 | Volume: Volume Deletion 101 | Volume: Volume Enumeration 102 | Volume: Volume Metadata 103 | Volume: Volume Modification 104 | WMI: WMI Creation 105 | Web Credential: Web Credential Creation 106 | Web Credential: Web Credential Usage 107 | Windows Registry: Windows Registry Key Access 108 | Windows Registry: Windows Registry Key Creation 109 | Windows Registry: Windows Registry Key Deletion 110 | Windows Registry: Windows Registry Key Modification 111 | -------------------------------------------------------------------------------- /20220505/tactics.csv: -------------------------------------------------------------------------------- 1 | name,technique,technique_id,technique_name 2 | collection,T1005,T1005,Data from Local System (T1005) 3 | collection,T1025,T1025,Data from Removable Media (T1025) 4 | collection,T1039,T1039,Data from Network Shared Drive (T1039) 5 | collection,T1056,T1056,Input Capture (T1056) 6 | collection,T1056,T1056.001,Keylogging (T1056.001) 7 | collection,T1056,T1056.002,GUI Input Capture (T1056.002) 8 | collection,T1056,T1056.003,Web Portal Capture (T1056.003) 9 | collection,T1056,T1056.004,Credential API Hooking (T1056.004) 10 | collection,T1074,T1074,Data Staged (T1074) 11 | collection,T1074,T1074.001,Local Data Staging (T1074.001) 12 | collection,T1074,T1074.002,Remote Data Staging (T1074.002) 13 | collection,T1113,T1113,Screen Capture (T1113) 14 | collection,T1114,T1114,Email Collection (T1114) 15 | collection,T1114,T1114.001,Local Email 
Collection (T1114.001) 16 | collection,T1114,T1114.002,Remote Email Collection (T1114.002) 17 | collection,T1114,T1114.003,Email Forwarding Rule (T1114.003) 18 | collection,T1115,T1115,Clipboard Data (T1115) 19 | collection,T1119,T1119,Automated Collection (T1119) 20 | collection,T1123,T1123,Audio Capture (T1123) 21 | collection,T1125,T1125,Video Capture (T1125) 22 | collection,T1185,T1185,Browser Session Hijacking (T1185) 23 | collection,T1213,T1213,Data from Information Repositories (T1213) 24 | collection,T1213,T1213.001,Confluence (T1213.001) 25 | collection,T1213,T1213.002,Sharepoint (T1213.002) 26 | collection,T1213,T1213.003,Code Repositories (T1213.003) 27 | collection,T1530,T1530,Data from Cloud Storage Object (T1530) 28 | collection,T1557,T1557,Adversary-in-the-Middle (T1557) 29 | collection,T1557,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) 30 | collection,T1557,T1557.002,ARP Cache Poisoning (T1557.002) 31 | collection,T1557,T1557.003,DHCP Spoofing (T1557.003) 32 | collection,T1560,T1560,Archive Collected Data (T1560) 33 | collection,T1560,T1560.001,Archive via Utility (T1560.001) 34 | collection,T1560,T1560.002,Archive via Library (T1560.002) 35 | collection,T1560,T1560.003,Archive via Custom Method (T1560.003) 36 | collection,T1602,T1602,Data from Configuration Repository (T1602) 37 | collection,T1602,T1602.001,SNMP (MIB Dump) (T1602.001) 38 | collection,T1602,T1602.002,Network Device Configuration Dump (T1602.002) 39 | command-and-control,T1001,T1001,Data Obfuscation (T1001) 40 | command-and-control,T1001,T1001.001,Junk Data (T1001.001) 41 | command-and-control,T1001,T1001.002,Steganography (T1001.002) 42 | command-and-control,T1001,T1001.003,Protocol Impersonation (T1001.003) 43 | command-and-control,T1008,T1008,Fallback Channels (T1008) 44 | command-and-control,T1071,T1071,Application Layer Protocol (T1071) 45 | command-and-control,T1071,T1071.001,Web Protocols (T1071.001) 46 | command-and-control,T1071,T1071.002,File Transfer 
Protocols (T1071.002) 47 | command-and-control,T1071,T1071.003,Mail Protocols (T1071.003) 48 | command-and-control,T1071,T1071.004,DNS (T1071.004) 49 | command-and-control,T1090,T1090,Proxy (T1090) 50 | command-and-control,T1090,T1090.001,Internal Proxy (T1090.001) 51 | command-and-control,T1090,T1090.002,External Proxy (T1090.002) 52 | command-and-control,T1090,T1090.003,Multi-hop Proxy (T1090.003) 53 | command-and-control,T1090,T1090.004,Domain Fronting (T1090.004) 54 | command-and-control,T1092,T1092,Communication Through Removable Media (T1092) 55 | command-and-control,T1095,T1095,Non-Application Layer Protocol (T1095) 56 | command-and-control,T1102,T1102,Web Service (T1102) 57 | command-and-control,T1102,T1102.001,Dead Drop Resolver (T1102.001) 58 | command-and-control,T1102,T1102.002,Bidirectional Communication (T1102.002) 59 | command-and-control,T1102,T1102.003,One-Way Communication (T1102.003) 60 | command-and-control,T1104,T1104,Multi-Stage Channels (T1104) 61 | command-and-control,T1105,T1105,Ingress Tool Transfer (T1105) 62 | command-and-control,T1132,T1132,Data Encoding (T1132) 63 | command-and-control,T1132,T1132.001,Standard Encoding (T1132.001) 64 | command-and-control,T1132,T1132.002,Non-Standard Encoding (T1132.002) 65 | command-and-control,T1205,T1205,Traffic Signaling (T1205) 66 | command-and-control,T1205,T1205.001,Port Knocking (T1205.001) 67 | command-and-control,T1219,T1219,Remote Access Software (T1219) 68 | command-and-control,T1568,T1568,Dynamic Resolution (T1568) 69 | command-and-control,T1568,T1568.001,Fast Flux DNS (T1568.001) 70 | command-and-control,T1568,T1568.002,Domain Generation Algorithms (T1568.002) 71 | command-and-control,T1568,T1568.003,DNS Calculation (T1568.003) 72 | command-and-control,T1571,T1571,Non-Standard Port (T1571) 73 | command-and-control,T1572,T1572,Protocol Tunneling (T1572) 74 | command-and-control,T1573,T1573,Encrypted Channel (T1573) 75 | command-and-control,T1573,T1573.001,Symmetric Cryptography (T1573.001) 
76 | command-and-control,T1573,T1573.002,Asymmetric Cryptography (T1573.002) 77 | credential-access,T1003,T1003,OS Credential Dumping (T1003) 78 | credential-access,T1003,T1003.001,LSASS Memory (T1003.001) 79 | credential-access,T1003,T1003.002,Security Account Manager (T1003.002) 80 | credential-access,T1003,T1003.003,NTDS (T1003.003) 81 | credential-access,T1003,T1003.004,LSA Secrets (T1003.004) 82 | credential-access,T1003,T1003.005,Cached Domain Credentials (T1003.005) 83 | credential-access,T1003,T1003.006,DCSync (T1003.006) 84 | credential-access,T1003,T1003.007,Proc Filesystem (T1003.007) 85 | credential-access,T1003,T1003.008,/etc/passwd and /etc/shadow (T1003.008) 86 | credential-access,T1040,T1040,Network Sniffing (T1040) 87 | credential-access,T1056,T1056,Input Capture (T1056) 88 | credential-access,T1056,T1056.001,Keylogging (T1056.001) 89 | credential-access,T1056,T1056.002,GUI Input Capture (T1056.002) 90 | credential-access,T1056,T1056.003,Web Portal Capture (T1056.003) 91 | credential-access,T1056,T1056.004,Credential API Hooking (T1056.004) 92 | credential-access,T1110,T1110,Brute Force (T1110) 93 | credential-access,T1110,T1110.001,Password Guessing (T1110.001) 94 | credential-access,T1110,T1110.002,Password Cracking (T1110.002) 95 | credential-access,T1110,T1110.003,Password Spraying (T1110.003) 96 | credential-access,T1110,T1110.004,Credential Stuffing (T1110.004) 97 | credential-access,T1111,T1111,Two-Factor Authentication Interception (T1111) 98 | credential-access,T1187,T1187,Forced Authentication (T1187) 99 | credential-access,T1212,T1212,Exploitation for Credential Access (T1212) 100 | credential-access,T1528,T1528,Steal Application Access Token (T1528) 101 | credential-access,T1539,T1539,Steal Web Session Cookie (T1539) 102 | credential-access,T1552,T1552,Unsecured Credentials (T1552) 103 | credential-access,T1552,T1552.001,Credentials In Files (T1552.001) 104 | credential-access,T1552,T1552.002,Credentials in Registry (T1552.002) 105 | 
credential-access,T1552,T1552.003,Bash History (T1552.003) 106 | credential-access,T1552,T1552.004,Private Keys (T1552.004) 107 | credential-access,T1552,T1552.005,Cloud Instance Metadata API (T1552.005) 108 | credential-access,T1552,T1552.006,Group Policy Preferences (T1552.006) 109 | credential-access,T1552,T1552.007,Container API (T1552.007) 110 | credential-access,T1555,T1555,Credentials from Password Stores (T1555) 111 | credential-access,T1555,T1555.001,Keychain (T1555.001) 112 | credential-access,T1555,T1555.002,Securityd Memory (T1555.002) 113 | credential-access,T1555,T1555.003,Credentials from Web Browsers (T1555.003) 114 | credential-access,T1555,T1555.004,Windows Credential Manager (T1555.004) 115 | credential-access,T1555,T1555.005,Password Managers (T1555.005) 116 | credential-access,T1556,T1556,Modify Authentication Process (T1556) 117 | credential-access,T1556,T1556.001,Domain Controller Authentication (T1556.001) 118 | credential-access,T1556,T1556.002,Password Filter DLL (T1556.002) 119 | credential-access,T1556,T1556.003,Pluggable Authentication Modules (T1556.003) 120 | credential-access,T1556,T1556.004,Network Device Authentication (T1556.004) 121 | credential-access,T1556,T1556.005,Reversible Encryption (T1556.005) 122 | credential-access,T1557,T1557,Adversary-in-the-Middle (T1557) 123 | credential-access,T1557,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) 124 | credential-access,T1557,T1557.002,ARP Cache Poisoning (T1557.002) 125 | credential-access,T1557,T1557.003,DHCP Spoofing (T1557.003) 126 | credential-access,T1558,T1558,Steal or Forge Kerberos Tickets (T1558) 127 | credential-access,T1558,T1558.001,Golden Ticket (T1558.001) 128 | credential-access,T1558,T1558.002,Silver Ticket (T1558.002) 129 | credential-access,T1558,T1558.003,Kerberoasting (T1558.003) 130 | credential-access,T1558,T1558.004,AS-REP Roasting (T1558.004) 131 | credential-access,T1606,T1606,Forge Web Credentials (T1606) 132 | 
credential-access,T1606,T1606.001,Web Cookies (T1606.001) 133 | credential-access,T1606,T1606.002,SAML Tokens (T1606.002) 134 | credential-access,T1621,T1621,Multi-Factor Authentication Request Generation (T1621) 135 | defense-evasion,T1006,T1006,Direct Volume Access (T1006) 136 | defense-evasion,T1014,T1014,Rootkit (T1014) 137 | defense-evasion,T1027,T1027,Obfuscated Files or Information (T1027) 138 | defense-evasion,T1027,T1027.001,Binary Padding (T1027.001) 139 | defense-evasion,T1027,T1027.002,Software Packing (T1027.002) 140 | defense-evasion,T1027,T1027.003,Steganography (T1027.003) 141 | defense-evasion,T1027,T1027.004,Compile After Delivery (T1027.004) 142 | defense-evasion,T1027,T1027.005,Indicator Removal from Tools (T1027.005) 143 | defense-evasion,T1027,T1027.006,HTML Smuggling (T1027.006) 144 | defense-evasion,T1036,T1036,Masquerading (T1036) 145 | defense-evasion,T1036,T1036.001,Invalid Code Signature (T1036.001) 146 | defense-evasion,T1036,T1036.002,Right-to-Left Override (T1036.002) 147 | defense-evasion,T1036,T1036.003,Rename System Utilities (T1036.003) 148 | defense-evasion,T1036,T1036.004,Masquerade Task or Service (T1036.004) 149 | defense-evasion,T1036,T1036.005,Match Legitimate Name or Location (T1036.005) 150 | defense-evasion,T1036,T1036.006,Space after Filename (T1036.006) 151 | defense-evasion,T1036,T1036.007,Double File Extension (T1036.007) 152 | defense-evasion,T1055,T1055,Process Injection (T1055) 153 | defense-evasion,T1055,T1055.001,Dynamic-link Library Injection (T1055.001) 154 | defense-evasion,T1055,T1055.002,Portable Executable Injection (T1055.002) 155 | defense-evasion,T1055,T1055.003,Thread Execution Hijacking (T1055.003) 156 | defense-evasion,T1055,T1055.004,Asynchronous Procedure Call (T1055.004) 157 | defense-evasion,T1055,T1055.005,Thread Local Storage (T1055.005) 158 | defense-evasion,T1055,T1055.008,Ptrace System Calls (T1055.008) 159 | defense-evasion,T1055,T1055.009,Proc Memory (T1055.009) 160 | 
defense-evasion,T1055,T1055.011,Extra Window Memory Injection (T1055.011) 161 | defense-evasion,T1055,T1055.012,Process Hollowing (T1055.012) 162 | defense-evasion,T1055,T1055.013,Process Doppelgänging (T1055.013) 163 | defense-evasion,T1055,T1055.014,VDSO Hijacking (T1055.014) 164 | defense-evasion,T1055,T1055.015,ListPlanting (T1055.015) 165 | defense-evasion,T1070,T1070,Indicator Removal on Host (T1070) 166 | defense-evasion,T1070,T1070.001,Clear Windows Event Logs (T1070.001) 167 | defense-evasion,T1070,T1070.002,Clear Linux or Mac System Logs (T1070.002) 168 | defense-evasion,T1070,T1070.003,Clear Command History (T1070.003) 169 | defense-evasion,T1070,T1070.004,File Deletion (T1070.004) 170 | defense-evasion,T1070,T1070.005,Network Share Connection Removal (T1070.005) 171 | defense-evasion,T1070,T1070.006,Timestomp (T1070.006) 172 | defense-evasion,T1078,T1078,Valid Accounts (T1078) 173 | defense-evasion,T1078,T1078.001,Default Accounts (T1078.001) 174 | defense-evasion,T1078,T1078.002,Domain Accounts (T1078.002) 175 | defense-evasion,T1078,T1078.003,Local Accounts (T1078.003) 176 | defense-evasion,T1078,T1078.004,Cloud Accounts (T1078.004) 177 | defense-evasion,T1112,T1112,Modify Registry (T1112) 178 | defense-evasion,T1127,T1127,Trusted Developer Utilities Proxy Execution (T1127) 179 | defense-evasion,T1127,T1127.001,MSBuild (T1127.001) 180 | defense-evasion,T1134,T1134,Access Token Manipulation (T1134) 181 | defense-evasion,T1134,T1134.001,Token Impersonation/Theft (T1134.001) 182 | defense-evasion,T1134,T1134.002,Create Process with Token (T1134.002) 183 | defense-evasion,T1134,T1134.003,Make and Impersonate Token (T1134.003) 184 | defense-evasion,T1134,T1134.004,Parent PID Spoofing (T1134.004) 185 | defense-evasion,T1134,T1134.005,SID-History Injection (T1134.005) 186 | defense-evasion,T1140,T1140,Deobfuscate/Decode Files or Information (T1140) 187 | defense-evasion,T1197,T1197,BITS Jobs (T1197) 188 | defense-evasion,T1202,T1202,Indirect Command 
Execution (T1202) 189 | defense-evasion,T1205,T1205,Traffic Signaling (T1205) 190 | defense-evasion,T1205,T1205.001,Port Knocking (T1205.001) 191 | defense-evasion,T1207,T1207,Rogue Domain Controller (T1207) 192 | defense-evasion,T1211,T1211,Exploitation for Defense Evasion (T1211) 193 | defense-evasion,T1216,T1216,Signed Script Proxy Execution (T1216) 194 | defense-evasion,T1216,T1216.001,PubPrn (T1216.001) 195 | defense-evasion,T1218,T1218,Signed Binary Proxy Execution (T1218) 196 | defense-evasion,T1218,T1218.001,Compiled HTML File (T1218.001) 197 | defense-evasion,T1218,T1218.002,Control Panel (T1218.002) 198 | defense-evasion,T1218,T1218.003,CMSTP (T1218.003) 199 | defense-evasion,T1218,T1218.004,InstallUtil (T1218.004) 200 | defense-evasion,T1218,T1218.005,Mshta (T1218.005) 201 | defense-evasion,T1218,T1218.007,Msiexec (T1218.007) 202 | defense-evasion,T1218,T1218.008,Odbcconf (T1218.008) 203 | defense-evasion,T1218,T1218.009,Regsvcs/Regasm (T1218.009) 204 | defense-evasion,T1218,T1218.010,Regsvr32 (T1218.010) 205 | defense-evasion,T1218,T1218.011,Rundll32 (T1218.011) 206 | defense-evasion,T1218,T1218.012,Verclsid (T1218.012) 207 | defense-evasion,T1218,T1218.013,Mavinject (T1218.013) 208 | defense-evasion,T1218,T1218.014,MMC (T1218.014) 209 | defense-evasion,T1220,T1220,XSL Script Processing (T1220) 210 | defense-evasion,T1221,T1221,Template Injection (T1221) 211 | defense-evasion,T1222,T1222,File and Directory Permissions Modification (T1222) 212 | defense-evasion,T1222,T1222.001,Windows File and Directory Permissions Modification (T1222.001) 213 | defense-evasion,T1222,T1222.002,Linux and Mac File and Directory Permissions Modification (T1222.002) 214 | defense-evasion,T1480,T1480,Execution Guardrails (T1480) 215 | defense-evasion,T1480,T1480.001,Environmental Keying (T1480.001) 216 | defense-evasion,T1484,T1484,Domain Policy Modification (T1484) 217 | defense-evasion,T1484,T1484.001,Group Policy Modification (T1484.001) 218 | 
defense-evasion,T1484,T1484.002,Domain Trust Modification (T1484.002) 219 | defense-evasion,T1497,T1497,Virtualization/Sandbox Evasion (T1497) 220 | defense-evasion,T1497,T1497.001,System Checks (T1497.001) 221 | defense-evasion,T1497,T1497.002,User Activity Based Checks (T1497.002) 222 | defense-evasion,T1497,T1497.003,Time Based Evasion (T1497.003) 223 | defense-evasion,T1535,T1535,Unused/Unsupported Cloud Regions (T1535) 224 | defense-evasion,T1542,T1542,Pre-OS Boot (T1542) 225 | defense-evasion,T1542,T1542.001,System Firmware (T1542.001) 226 | defense-evasion,T1542,T1542.002,Component Firmware (T1542.002) 227 | defense-evasion,T1542,T1542.003,Bootkit (T1542.003) 228 | defense-evasion,T1542,T1542.004,ROMMONkit (T1542.004) 229 | defense-evasion,T1542,T1542.005,TFTP Boot (T1542.005) 230 | defense-evasion,T1548,T1548,Abuse Elevation Control Mechanism (T1548) 231 | defense-evasion,T1548,T1548.001,Setuid and Setgid (T1548.001) 232 | defense-evasion,T1548,T1548.002,Bypass User Account Control (T1548.002) 233 | defense-evasion,T1548,T1548.003,Sudo and Sudo Caching (T1548.003) 234 | defense-evasion,T1548,T1548.004,Elevated Execution with Prompt (T1548.004) 235 | defense-evasion,T1550,T1550,Use Alternate Authentication Material (T1550) 236 | defense-evasion,T1550,T1550.001,Application Access Token (T1550.001) 237 | defense-evasion,T1550,T1550.002,Pass the Hash (T1550.002) 238 | defense-evasion,T1550,T1550.003,Pass the Ticket (T1550.003) 239 | defense-evasion,T1550,T1550.004,Web Session Cookie (T1550.004) 240 | defense-evasion,T1553,T1553,Subvert Trust Controls (T1553) 241 | defense-evasion,T1553,T1553.001,Gatekeeper Bypass (T1553.001) 242 | defense-evasion,T1553,T1553.002,Code Signing (T1553.002) 243 | defense-evasion,T1553,T1553.003,SIP and Trust Provider Hijacking (T1553.003) 244 | defense-evasion,T1553,T1553.004,Install Root Certificate (T1553.004) 245 | defense-evasion,T1553,T1553.005,Mark-of-the-Web Bypass (T1553.005) 246 | defense-evasion,T1553,T1553.006,Code 
Signing Policy Modification (T1553.006) 247 | defense-evasion,T1556,T1556,Modify Authentication Process (T1556) 248 | defense-evasion,T1556,T1556.001,Domain Controller Authentication (T1556.001) 249 | defense-evasion,T1556,T1556.002,Password Filter DLL (T1556.002) 250 | defense-evasion,T1556,T1556.003,Pluggable Authentication Modules (T1556.003) 251 | defense-evasion,T1556,T1556.004,Network Device Authentication (T1556.004) 252 | defense-evasion,T1556,T1556.005,Reversible Encryption (T1556.005) 253 | defense-evasion,T1562,T1562,Impair Defenses (T1562) 254 | defense-evasion,T1562,T1562.001,Disable or Modify Tools (T1562.001) 255 | defense-evasion,T1562,T1562.002,Disable Windows Event Logging (T1562.002) 256 | defense-evasion,T1562,T1562.003,Impair Command History Logging (T1562.003) 257 | defense-evasion,T1562,T1562.004,Disable or Modify System Firewall (T1562.004) 258 | defense-evasion,T1562,T1562.006,Indicator Blocking (T1562.006) 259 | defense-evasion,T1562,T1562.007,Disable or Modify Cloud Firewall (T1562.007) 260 | defense-evasion,T1562,T1562.008,Disable Cloud Logs (T1562.008) 261 | defense-evasion,T1562,T1562.009,Safe Mode Boot (T1562.009) 262 | defense-evasion,T1562,T1562.010,Downgrade Attack (T1562.010) 263 | defense-evasion,T1564,T1564,Hide Artifacts (T1564) 264 | defense-evasion,T1564,T1564.001,Hidden Files and Directories (T1564.001) 265 | defense-evasion,T1564,T1564.002,Hidden Users (T1564.002) 266 | defense-evasion,T1564,T1564.003,Hidden Window (T1564.003) 267 | defense-evasion,T1564,T1564.004,NTFS File Attributes (T1564.004) 268 | defense-evasion,T1564,T1564.005,Hidden File System (T1564.005) 269 | defense-evasion,T1564,T1564.006,Run Virtual Instance (T1564.006) 270 | defense-evasion,T1564,T1564.007,VBA Stomping (T1564.007) 271 | defense-evasion,T1564,T1564.008,Email Hiding Rules (T1564.008) 272 | defense-evasion,T1564,T1564.009,Resource Forking (T1564.009) 273 | defense-evasion,T1564,T1564.010,Process Argument Spoofing (T1564.010) 274 | 
defense-evasion,T1574,T1574,Hijack Execution Flow (T1574) 275 | defense-evasion,T1574,T1574.001,DLL Search Order Hijacking (T1574.001) 276 | defense-evasion,T1574,T1574.002,DLL Side-Loading (T1574.002) 277 | defense-evasion,T1574,T1574.004,Dylib Hijacking (T1574.004) 278 | defense-evasion,T1574,T1574.005,Executable Installer File Permissions Weakness (T1574.005) 279 | defense-evasion,T1574,T1574.006,Dynamic Linker Hijacking (T1574.006) 280 | defense-evasion,T1574,T1574.007,Path Interception by PATH Environment Variable (T1574.007) 281 | defense-evasion,T1574,T1574.008,Path Interception by Search Order Hijacking (T1574.008) 282 | defense-evasion,T1574,T1574.009,Path Interception by Unquoted Path (T1574.009) 283 | defense-evasion,T1574,T1574.010,Services File Permissions Weakness (T1574.010) 284 | defense-evasion,T1574,T1574.011,Services Registry Permissions Weakness (T1574.011) 285 | defense-evasion,T1574,T1574.012,COR_PROFILER (T1574.012) 286 | defense-evasion,T1574,T1574.013,KernelCallbackTable (T1574.013) 287 | defense-evasion,T1578,T1578,Modify Cloud Compute Infrastructure (T1578) 288 | defense-evasion,T1578,T1578.001,Create Snapshot (T1578.001) 289 | defense-evasion,T1578,T1578.002,Create Cloud Instance (T1578.002) 290 | defense-evasion,T1578,T1578.003,Delete Cloud Instance (T1578.003) 291 | defense-evasion,T1578,T1578.004,Revert Cloud Instance (T1578.004) 292 | defense-evasion,T1599,T1599,Network Boundary Bridging (T1599) 293 | defense-evasion,T1599,T1599.001,Network Address Translation Traversal (T1599.001) 294 | defense-evasion,T1600,T1600,Weaken Encryption (T1600) 295 | defense-evasion,T1600,T1600.001,Reduce Key Space (T1600.001) 296 | defense-evasion,T1600,T1600.002,Disable Crypto Hardware (T1600.002) 297 | defense-evasion,T1601,T1601,Modify System Image (T1601) 298 | defense-evasion,T1601,T1601.001,Patch System Image (T1601.001) 299 | defense-evasion,T1601,T1601.002,Downgrade System Image (T1601.002) 300 | defense-evasion,T1610,T1610,Deploy Container 
(T1610) 301 | defense-evasion,T1612,T1612,Build Image on Host (T1612) 302 | defense-evasion,T1620,T1620,Reflective Code Loading (T1620) 303 | defense-evasion,T1622,T1622,Debugger Evasion (T1622) 304 | defense-evasion,T1647,T1647,Plist File Modification (T1647) 305 | discovery,T1007,T1007,System Service Discovery (T1007) 306 | discovery,T1010,T1010,Application Window Discovery (T1010) 307 | discovery,T1012,T1012,Query Registry (T1012) 308 | discovery,T1016,T1016,System Network Configuration Discovery (T1016) 309 | discovery,T1016,T1016.001,Internet Connection Discovery (T1016.001) 310 | discovery,T1018,T1018,Remote System Discovery (T1018) 311 | discovery,T1033,T1033,System Owner/User Discovery (T1033) 312 | discovery,T1040,T1040,Network Sniffing (T1040) 313 | discovery,T1046,T1046,Network Service Scanning (T1046) 314 | discovery,T1049,T1049,System Network Connections Discovery (T1049) 315 | discovery,T1057,T1057,Process Discovery (T1057) 316 | discovery,T1069,T1069,Permission Groups Discovery (T1069) 317 | discovery,T1069,T1069.001,Local Groups (T1069.001) 318 | discovery,T1069,T1069.002,Domain Groups (T1069.002) 319 | discovery,T1069,T1069.003,Cloud Groups (T1069.003) 320 | discovery,T1082,T1082,System Information Discovery (T1082) 321 | discovery,T1083,T1083,File and Directory Discovery (T1083) 322 | discovery,T1087,T1087,Account Discovery (T1087) 323 | discovery,T1087,T1087.001,Local Account (T1087.001) 324 | discovery,T1087,T1087.002,Domain Account (T1087.002) 325 | discovery,T1087,T1087.003,Email Account (T1087.003) 326 | discovery,T1087,T1087.004,Cloud Account (T1087.004) 327 | discovery,T1120,T1120,Peripheral Device Discovery (T1120) 328 | discovery,T1124,T1124,System Time Discovery (T1124) 329 | discovery,T1135,T1135,Network Share Discovery (T1135) 330 | discovery,T1201,T1201,Password Policy Discovery (T1201) 331 | discovery,T1217,T1217,Browser Bookmark Discovery (T1217) 332 | discovery,T1482,T1482,Domain Trust Discovery (T1482) 333 | 
discovery,T1497,T1497,Virtualization/Sandbox Evasion (T1497) 334 | discovery,T1497,T1497.001,System Checks (T1497.001) 335 | discovery,T1497,T1497.002,User Activity Based Checks (T1497.002) 336 | discovery,T1497,T1497.003,Time Based Evasion (T1497.003) 337 | discovery,T1518,T1518,Software Discovery (T1518) 338 | discovery,T1518,T1518.001,Security Software Discovery (T1518.001) 339 | discovery,T1526,T1526,Cloud Service Discovery (T1526) 340 | discovery,T1538,T1538,Cloud Service Dashboard (T1538) 341 | discovery,T1580,T1580,Cloud Infrastructure Discovery (T1580) 342 | discovery,T1613,T1613,Container and Resource Discovery (T1613) 343 | discovery,T1614,T1614,System Location Discovery (T1614) 344 | discovery,T1614,T1614.001,System Language Discovery (T1614.001) 345 | discovery,T1615,T1615,Group Policy Discovery (T1615) 346 | discovery,T1619,T1619,Cloud Storage Object Discovery (T1619) 347 | discovery,T1622,T1622,Debugger Evasion (T1622) 348 | execution,T1047,T1047,Windows Management Instrumentation (T1047) 349 | execution,T1053,T1053,Scheduled Task/Job (T1053) 350 | execution,T1053,T1053.001,At (Linux) (T1053.001) 351 | execution,T1053,T1053.002,At (Windows) (T1053.002) 352 | execution,T1053,T1053.003,Cron (T1053.003) 353 | execution,T1053,T1053.005,Scheduled Task (T1053.005) 354 | execution,T1053,T1053.006,Systemd Timers (T1053.006) 355 | execution,T1053,T1053.007,Container Orchestration Job (T1053.007) 356 | execution,T1059,T1059,Command and Scripting Interpreter (T1059) 357 | execution,T1059,T1059.001,PowerShell (T1059.001) 358 | execution,T1059,T1059.002,AppleScript (T1059.002) 359 | execution,T1059,T1059.003,Windows Command Shell (T1059.003) 360 | execution,T1059,T1059.004,Unix Shell (T1059.004) 361 | execution,T1059,T1059.005,Visual Basic (T1059.005) 362 | execution,T1059,T1059.006,Python (T1059.006) 363 | execution,T1059,T1059.007,JavaScript (T1059.007) 364 | execution,T1059,T1059.008,Network Device CLI (T1059.008) 365 | execution,T1072,T1072,Software Deployment 
Tools (T1072) 366 | execution,T1106,T1106,Native API (T1106) 367 | execution,T1129,T1129,Shared Modules (T1129) 368 | execution,T1203,T1203,Exploitation for Client Execution (T1203) 369 | execution,T1204,T1204,User Execution (T1204) 370 | execution,T1204,T1204.001,Malicious Link (T1204.001) 371 | execution,T1204,T1204.002,Malicious File (T1204.002) 372 | execution,T1204,T1204.003,Malicious Image (T1204.003) 373 | execution,T1559,T1559,Inter-Process Communication (T1559) 374 | execution,T1559,T1559.001,Component Object Model (T1559.001) 375 | execution,T1559,T1559.002,Dynamic Data Exchange (T1559.002) 376 | execution,T1559,T1559.003,XPC Services (T1559.003) 377 | execution,T1569,T1569,System Services (T1569) 378 | execution,T1569,T1569.001,Launchctl (T1569.001) 379 | execution,T1569,T1569.002,Service Execution (T1569.002) 380 | execution,T1609,T1609,Container Administration Command (T1609) 381 | execution,T1610,T1610,Deploy Container (T1610) 382 | exfiltration,T1011,T1011,Exfiltration Over Other Network Medium (T1011) 383 | exfiltration,T1011,T1011.001,Exfiltration Over Bluetooth (T1011.001) 384 | exfiltration,T1020,T1020,Automated Exfiltration (T1020) 385 | exfiltration,T1020,T1020.001,Traffic Duplication (T1020.001) 386 | exfiltration,T1029,T1029,Scheduled Transfer (T1029) 387 | exfiltration,T1030,T1030,Data Transfer Size Limits (T1030) 388 | exfiltration,T1041,T1041,Exfiltration Over C2 Channel (T1041) 389 | exfiltration,T1048,T1048,Exfiltration Over Alternative Protocol (T1048) 390 | exfiltration,T1048,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001) 391 | exfiltration,T1048,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002) 392 | exfiltration,T1048,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) 393 | exfiltration,T1052,T1052,Exfiltration Over Physical Medium (T1052) 394 | exfiltration,T1052,T1052.001,Exfiltration over USB (T1052.001) 395 | exfiltration,T1537,T1537,Transfer Data 
to Cloud Account (T1537) 396 | exfiltration,T1567,T1567,Exfiltration Over Web Service (T1567) 397 | exfiltration,T1567,T1567.001,Exfiltration to Code Repository (T1567.001) 398 | exfiltration,T1567,T1567.002,Exfiltration to Cloud Storage (T1567.002) 399 | impact,T1485,T1485,Data Destruction (T1485) 400 | impact,T1486,T1486,Data Encrypted for Impact (T1486) 401 | impact,T1489,T1489,Service Stop (T1489) 402 | impact,T1490,T1490,Inhibit System Recovery (T1490) 403 | impact,T1491,T1491,Defacement (T1491) 404 | impact,T1491,T1491.001,Internal Defacement (T1491.001) 405 | impact,T1491,T1491.002,External Defacement (T1491.002) 406 | impact,T1495,T1495,Firmware Corruption (T1495) 407 | impact,T1496,T1496,Resource Hijacking (T1496) 408 | impact,T1498,T1498,Network Denial of Service (T1498) 409 | impact,T1498,T1498.001,Direct Network Flood (T1498.001) 410 | impact,T1498,T1498.002,Reflection Amplification (T1498.002) 411 | impact,T1499,T1499,Endpoint Denial of Service (T1499) 412 | impact,T1499,T1499.001,OS Exhaustion Flood (T1499.001) 413 | impact,T1499,T1499.002,Service Exhaustion Flood (T1499.002) 414 | impact,T1499,T1499.003,Application Exhaustion Flood (T1499.003) 415 | impact,T1499,T1499.004,Application or System Exploitation (T1499.004) 416 | impact,T1529,T1529,System Shutdown/Reboot (T1529) 417 | impact,T1531,T1531,Account Access Removal (T1531) 418 | impact,T1561,T1561,Disk Wipe (T1561) 419 | impact,T1561,T1561.001,Disk Content Wipe (T1561.001) 420 | impact,T1561,T1561.002,Disk Structure Wipe (T1561.002) 421 | impact,T1565,T1565,Data Manipulation (T1565) 422 | impact,T1565,T1565.001,Stored Data Manipulation (T1565.001) 423 | impact,T1565,T1565.002,Transmitted Data Manipulation (T1565.002) 424 | impact,T1565,T1565.003,Runtime Data Manipulation (T1565.003) 425 | initial-access,T1078,T1078,Valid Accounts (T1078) 426 | initial-access,T1078,T1078.001,Default Accounts (T1078.001) 427 | initial-access,T1078,T1078.002,Domain Accounts (T1078.002) 428 | 
initial-access,T1078,T1078.003,Local Accounts (T1078.003) 429 | initial-access,T1078,T1078.004,Cloud Accounts (T1078.004) 430 | initial-access,T1091,T1091,Replication Through Removable Media (T1091) 431 | initial-access,T1133,T1133,External Remote Services (T1133) 432 | initial-access,T1189,T1189,Drive-by Compromise (T1189) 433 | initial-access,T1190,T1190,Exploit Public-Facing Application (T1190) 434 | initial-access,T1195,T1195,Supply Chain Compromise (T1195) 435 | initial-access,T1195,T1195.001,Compromise Software Dependencies and Development Tools (T1195.001) 436 | initial-access,T1195,T1195.002,Compromise Software Supply Chain (T1195.002) 437 | initial-access,T1195,T1195.003,Compromise Hardware Supply Chain (T1195.003) 438 | initial-access,T1199,T1199,Trusted Relationship (T1199) 439 | initial-access,T1200,T1200,Hardware Additions (T1200) 440 | initial-access,T1566,T1566,Phishing (T1566) 441 | initial-access,T1566,T1566.001,Spearphishing Attachment (T1566.001) 442 | initial-access,T1566,T1566.002,Spearphishing Link (T1566.002) 443 | initial-access,T1566,T1566.003,Spearphishing via Service (T1566.003) 444 | lateral-movement,T1021,T1021,Remote Services (T1021) 445 | lateral-movement,T1021,T1021.001,Remote Desktop Protocol (T1021.001) 446 | lateral-movement,T1021,T1021.002,SMB/Windows Admin Shares (T1021.002) 447 | lateral-movement,T1021,T1021.003,Distributed Component Object Model (T1021.003) 448 | lateral-movement,T1021,T1021.004,SSH (T1021.004) 449 | lateral-movement,T1021,T1021.005,VNC (T1021.005) 450 | lateral-movement,T1021,T1021.006,Windows Remote Management (T1021.006) 451 | lateral-movement,T1072,T1072,Software Deployment Tools (T1072) 452 | lateral-movement,T1080,T1080,Taint Shared Content (T1080) 453 | lateral-movement,T1091,T1091,Replication Through Removable Media (T1091) 454 | lateral-movement,T1210,T1210,Exploitation of Remote Services (T1210) 455 | lateral-movement,T1534,T1534,Internal Spearphishing (T1534) 456 | lateral-movement,T1550,T1550,Use 
Alternate Authentication Material (T1550) 457 | lateral-movement,T1550,T1550.001,Application Access Token (T1550.001) 458 | lateral-movement,T1550,T1550.002,Pass the Hash (T1550.002) 459 | lateral-movement,T1550,T1550.003,Pass the Ticket (T1550.003) 460 | lateral-movement,T1550,T1550.004,Web Session Cookie (T1550.004) 461 | lateral-movement,T1563,T1563,Remote Service Session Hijacking (T1563) 462 | lateral-movement,T1563,T1563.001,SSH Hijacking (T1563.001) 463 | lateral-movement,T1563,T1563.002,RDP Hijacking (T1563.002) 464 | lateral-movement,T1570,T1570,Lateral Tool Transfer (T1570) 465 | persistence,T1037,T1037,Boot or Logon Initialization Scripts (T1037) 466 | persistence,T1037,T1037.001,Logon Script (Windows) (T1037.001) 467 | persistence,T1037,T1037.002,Logon Script (Mac) (T1037.002) 468 | persistence,T1037,T1037.003,Network Logon Script (T1037.003) 469 | persistence,T1037,T1037.004,RC Scripts (T1037.004) 470 | persistence,T1037,T1037.005,Startup Items (T1037.005) 471 | persistence,T1053,T1053,Scheduled Task/Job (T1053) 472 | persistence,T1053,T1053.001,At (Linux) (T1053.001) 473 | persistence,T1053,T1053.002,At (Windows) (T1053.002) 474 | persistence,T1053,T1053.003,Cron (T1053.003) 475 | persistence,T1053,T1053.005,Scheduled Task (T1053.005) 476 | persistence,T1053,T1053.006,Systemd Timers (T1053.006) 477 | persistence,T1053,T1053.007,Container Orchestration Job (T1053.007) 478 | persistence,T1078,T1078,Valid Accounts (T1078) 479 | persistence,T1078,T1078.001,Default Accounts (T1078.001) 480 | persistence,T1078,T1078.002,Domain Accounts (T1078.002) 481 | persistence,T1078,T1078.003,Local Accounts (T1078.003) 482 | persistence,T1078,T1078.004,Cloud Accounts (T1078.004) 483 | persistence,T1098,T1098,Account Manipulation (T1098) 484 | persistence,T1098,T1098.001,Additional Cloud Credentials (T1098.001) 485 | persistence,T1098,T1098.002,Exchange Email Delegate Permissions (T1098.002) 486 | persistence,T1098,T1098.003,Add Office 365 Global Administrator Role 
(T1098.003) 487 | persistence,T1098,T1098.004,SSH Authorized Keys (T1098.004) 488 | persistence,T1098,T1098.005,Device Registration (T1098.005) 489 | persistence,T1133,T1133,External Remote Services (T1133) 490 | persistence,T1136,T1136,Create Account (T1136) 491 | persistence,T1136,T1136.001,Local Account (T1136.001) 492 | persistence,T1136,T1136.002,Domain Account (T1136.002) 493 | persistence,T1136,T1136.003,Cloud Account (T1136.003) 494 | persistence,T1137,T1137,Office Application Startup (T1137) 495 | persistence,T1137,T1137.001,Office Template Macros (T1137.001) 496 | persistence,T1137,T1137.002,Office Test (T1137.002) 497 | persistence,T1137,T1137.003,Outlook Forms (T1137.003) 498 | persistence,T1137,T1137.004,Outlook Home Page (T1137.004) 499 | persistence,T1137,T1137.005,Outlook Rules (T1137.005) 500 | persistence,T1137,T1137.006,Add-ins (T1137.006) 501 | persistence,T1176,T1176,Browser Extensions (T1176) 502 | persistence,T1197,T1197,BITS Jobs (T1197) 503 | persistence,T1205,T1205,Traffic Signaling (T1205) 504 | persistence,T1205,T1205.001,Port Knocking (T1205.001) 505 | persistence,T1505,T1505,Server Software Component (T1505) 506 | persistence,T1505,T1505.001,SQL Stored Procedures (T1505.001) 507 | persistence,T1505,T1505.002,Transport Agent (T1505.002) 508 | persistence,T1505,T1505.003,Web Shell (T1505.003) 509 | persistence,T1505,T1505.004,IIS Components (T1505.004) 510 | persistence,T1505,T1505.005,Terminal Services DLL (T1505.005) 511 | persistence,T1525,T1525,Implant Internal Image (T1525) 512 | persistence,T1542,T1542,Pre-OS Boot (T1542) 513 | persistence,T1542,T1542.001,System Firmware (T1542.001) 514 | persistence,T1542,T1542.002,Component Firmware (T1542.002) 515 | persistence,T1542,T1542.003,Bootkit (T1542.003) 516 | persistence,T1542,T1542.004,ROMMONkit (T1542.004) 517 | persistence,T1542,T1542.005,TFTP Boot (T1542.005) 518 | persistence,T1543,T1543,Create or Modify System Process (T1543) 519 | persistence,T1543,T1543.001,Launch Agent 
(T1543.001) 520 | persistence,T1543,T1543.002,Systemd Service (T1543.002) 521 | persistence,T1543,T1543.003,Windows Service (T1543.003) 522 | persistence,T1543,T1543.004,Launch Daemon (T1543.004) 523 | persistence,T1546,T1546,Event Triggered Execution (T1546) 524 | persistence,T1546,T1546.001,Change Default File Association (T1546.001) 525 | persistence,T1546,T1546.002,Screensaver (T1546.002) 526 | persistence,T1546,T1546.003,Windows Management Instrumentation Event Subscription (T1546.003) 527 | persistence,T1546,T1546.004,Unix Shell Configuration Modification (T1546.004) 528 | persistence,T1546,T1546.005,Trap (T1546.005) 529 | persistence,T1546,T1546.006,LC_LOAD_DYLIB Addition (T1546.006) 530 | persistence,T1546,T1546.007,Netsh Helper DLL (T1546.007) 531 | persistence,T1546,T1546.008,Accessibility Features (T1546.008) 532 | persistence,T1546,T1546.009,AppCert DLLs (T1546.009) 533 | persistence,T1546,T1546.010,AppInit DLLs (T1546.010) 534 | persistence,T1546,T1546.011,Application Shimming (T1546.011) 535 | persistence,T1546,T1546.012,Image File Execution Options Injection (T1546.012) 536 | persistence,T1546,T1546.013,PowerShell Profile (T1546.013) 537 | persistence,T1546,T1546.014,Emond (T1546.014) 538 | persistence,T1546,T1546.015,Component Object Model Hijacking (T1546.015) 539 | persistence,T1547,T1547,Boot or Logon Autostart Execution (T1547) 540 | persistence,T1547,T1547.001,Registry Run Keys / Startup Folder (T1547.001) 541 | persistence,T1547,T1547.002,Authentication Package (T1547.002) 542 | persistence,T1547,T1547.003,Time Providers (T1547.003) 543 | persistence,T1547,T1547.004,Winlogon Helper DLL (T1547.004) 544 | persistence,T1547,T1547.005,Security Support Provider (T1547.005) 545 | persistence,T1547,T1547.006,Kernel Modules and Extensions (T1547.006) 546 | persistence,T1547,T1547.007,Re-opened Applications (T1547.007) 547 | persistence,T1547,T1547.008,LSASS Driver (T1547.008) 548 | persistence,T1547,T1547.009,Shortcut Modification (T1547.009) 549 | 
persistence,T1547,T1547.010,Port Monitors (T1547.010) 550 | persistence,T1547,T1547.011,Plist Modification (T1547.011) 551 | persistence,T1547,T1547.012,Print Processors (T1547.012) 552 | persistence,T1547,T1547.013,XDG Autostart Entries (T1547.013) 553 | persistence,T1547,T1547.014,Active Setup (T1547.014) 554 | persistence,T1547,T1547.015,Login Items (T1547.015) 555 | persistence,T1554,T1554,Compromise Client Software Binary (T1554) 556 | persistence,T1556,T1556,Modify Authentication Process (T1556) 557 | persistence,T1556,T1556.001,Domain Controller Authentication (T1556.001) 558 | persistence,T1556,T1556.002,Password Filter DLL (T1556.002) 559 | persistence,T1556,T1556.003,Pluggable Authentication Modules (T1556.003) 560 | persistence,T1556,T1556.004,Network Device Authentication (T1556.004) 561 | persistence,T1556,T1556.005,Reversible Encryption (T1556.005) 562 | persistence,T1574,T1574,Hijack Execution Flow (T1574) 563 | persistence,T1574,T1574.001,DLL Search Order Hijacking (T1574.001) 564 | persistence,T1574,T1574.002,DLL Side-Loading (T1574.002) 565 | persistence,T1574,T1574.004,Dylib Hijacking (T1574.004) 566 | persistence,T1574,T1574.005,Executable Installer File Permissions Weakness (T1574.005) 567 | persistence,T1574,T1574.006,Dynamic Linker Hijacking (T1574.006) 568 | persistence,T1574,T1574.007,Path Interception by PATH Environment Variable (T1574.007) 569 | persistence,T1574,T1574.008,Path Interception by Search Order Hijacking (T1574.008) 570 | persistence,T1574,T1574.009,Path Interception by Unquoted Path (T1574.009) 571 | persistence,T1574,T1574.010,Services File Permissions Weakness (T1574.010) 572 | persistence,T1574,T1574.011,Services Registry Permissions Weakness (T1574.011) 573 | persistence,T1574,T1574.012,COR_PROFILER (T1574.012) 574 | persistence,T1574,T1574.013,KernelCallbackTable (T1574.013) 575 | privilege-escalation,T1037,T1037,Boot or Logon Initialization Scripts (T1037) 576 | privilege-escalation,T1037,T1037.001,Logon Script 
(Windows) (T1037.001) 577 | privilege-escalation,T1037,T1037.002,Logon Script (Mac) (T1037.002) 578 | privilege-escalation,T1037,T1037.003,Network Logon Script (T1037.003) 579 | privilege-escalation,T1037,T1037.004,RC Scripts (T1037.004) 580 | privilege-escalation,T1037,T1037.005,Startup Items (T1037.005) 581 | privilege-escalation,T1053,T1053,Scheduled Task/Job (T1053) 582 | privilege-escalation,T1053,T1053.001,At (Linux) (T1053.001) 583 | privilege-escalation,T1053,T1053.002,At (Windows) (T1053.002) 584 | privilege-escalation,T1053,T1053.003,Cron (T1053.003) 585 | privilege-escalation,T1053,T1053.005,Scheduled Task (T1053.005) 586 | privilege-escalation,T1053,T1053.006,Systemd Timers (T1053.006) 587 | privilege-escalation,T1053,T1053.007,Container Orchestration Job (T1053.007) 588 | privilege-escalation,T1055,T1055,Process Injection (T1055) 589 | privilege-escalation,T1055,T1055.001,Dynamic-link Library Injection (T1055.001) 590 | privilege-escalation,T1055,T1055.002,Portable Executable Injection (T1055.002) 591 | privilege-escalation,T1055,T1055.003,Thread Execution Hijacking (T1055.003) 592 | privilege-escalation,T1055,T1055.004,Asynchronous Procedure Call (T1055.004) 593 | privilege-escalation,T1055,T1055.005,Thread Local Storage (T1055.005) 594 | privilege-escalation,T1055,T1055.008,Ptrace System Calls (T1055.008) 595 | privilege-escalation,T1055,T1055.009,Proc Memory (T1055.009) 596 | privilege-escalation,T1055,T1055.011,Extra Window Memory Injection (T1055.011) 597 | privilege-escalation,T1055,T1055.012,Process Hollowing (T1055.012) 598 | privilege-escalation,T1055,T1055.013,Process Doppelgänging (T1055.013) 599 | privilege-escalation,T1055,T1055.014,VDSO Hijacking (T1055.014) 600 | privilege-escalation,T1055,T1055.015,ListPlanting (T1055.015) 601 | privilege-escalation,T1068,T1068,Exploitation for Privilege Escalation (T1068) 602 | privilege-escalation,T1078,T1078,Valid Accounts (T1078) 603 | privilege-escalation,T1078,T1078.001,Default Accounts 
(T1078.001) 604 | privilege-escalation,T1078,T1078.002,Domain Accounts (T1078.002) 605 | privilege-escalation,T1078,T1078.003,Local Accounts (T1078.003) 606 | privilege-escalation,T1078,T1078.004,Cloud Accounts (T1078.004) 607 | privilege-escalation,T1134,T1134,Access Token Manipulation (T1134) 608 | privilege-escalation,T1134,T1134.001,Token Impersonation/Theft (T1134.001) 609 | privilege-escalation,T1134,T1134.002,Create Process with Token (T1134.002) 610 | privilege-escalation,T1134,T1134.003,Make and Impersonate Token (T1134.003) 611 | privilege-escalation,T1134,T1134.004,Parent PID Spoofing (T1134.004) 612 | privilege-escalation,T1134,T1134.005,SID-History Injection (T1134.005) 613 | privilege-escalation,T1484,T1484,Domain Policy Modification (T1484) 614 | privilege-escalation,T1484,T1484.001,Group Policy Modification (T1484.001) 615 | privilege-escalation,T1484,T1484.002,Domain Trust Modification (T1484.002) 616 | privilege-escalation,T1543,T1543,Create or Modify System Process (T1543) 617 | privilege-escalation,T1543,T1543.001,Launch Agent (T1543.001) 618 | privilege-escalation,T1543,T1543.002,Systemd Service (T1543.002) 619 | privilege-escalation,T1543,T1543.003,Windows Service (T1543.003) 620 | privilege-escalation,T1543,T1543.004,Launch Daemon (T1543.004) 621 | privilege-escalation,T1546,T1546,Event Triggered Execution (T1546) 622 | privilege-escalation,T1546,T1546.001,Change Default File Association (T1546.001) 623 | privilege-escalation,T1546,T1546.002,Screensaver (T1546.002) 624 | privilege-escalation,T1546,T1546.003,Windows Management Instrumentation Event Subscription (T1546.003) 625 | privilege-escalation,T1546,T1546.004,Unix Shell Configuration Modification (T1546.004) 626 | privilege-escalation,T1546,T1546.005,Trap (T1546.005) 627 | privilege-escalation,T1546,T1546.006,LC_LOAD_DYLIB Addition (T1546.006) 628 | privilege-escalation,T1546,T1546.007,Netsh Helper DLL (T1546.007) 629 | privilege-escalation,T1546,T1546.008,Accessibility Features 
(T1546.008) 630 | privilege-escalation,T1546,T1546.009,AppCert DLLs (T1546.009) 631 | privilege-escalation,T1546,T1546.010,AppInit DLLs (T1546.010) 632 | privilege-escalation,T1546,T1546.011,Application Shimming (T1546.011) 633 | privilege-escalation,T1546,T1546.012,Image File Execution Options Injection (T1546.012) 634 | privilege-escalation,T1546,T1546.013,PowerShell Profile (T1546.013) 635 | privilege-escalation,T1546,T1546.014,Emond (T1546.014) 636 | privilege-escalation,T1546,T1546.015,Component Object Model Hijacking (T1546.015) 637 | privilege-escalation,T1547,T1547,Boot or Logon Autostart Execution (T1547) 638 | privilege-escalation,T1547,T1547.001,Registry Run Keys / Startup Folder (T1547.001) 639 | privilege-escalation,T1547,T1547.002,Authentication Package (T1547.002) 640 | privilege-escalation,T1547,T1547.003,Time Providers (T1547.003) 641 | privilege-escalation,T1547,T1547.004,Winlogon Helper DLL (T1547.004) 642 | privilege-escalation,T1547,T1547.005,Security Support Provider (T1547.005) 643 | privilege-escalation,T1547,T1547.006,Kernel Modules and Extensions (T1547.006) 644 | privilege-escalation,T1547,T1547.007,Re-opened Applications (T1547.007) 645 | privilege-escalation,T1547,T1547.008,LSASS Driver (T1547.008) 646 | privilege-escalation,T1547,T1547.009,Shortcut Modification (T1547.009) 647 | privilege-escalation,T1547,T1547.010,Port Monitors (T1547.010) 648 | privilege-escalation,T1547,T1547.011,Plist Modification (T1547.011) 649 | privilege-escalation,T1547,T1547.012,Print Processors (T1547.012) 650 | privilege-escalation,T1547,T1547.013,XDG Autostart Entries (T1547.013) 651 | privilege-escalation,T1547,T1547.014,Active Setup (T1547.014) 652 | privilege-escalation,T1547,T1547.015,Login Items (T1547.015) 653 | privilege-escalation,T1548,T1548,Abuse Elevation Control Mechanism (T1548) 654 | privilege-escalation,T1548,T1548.001,Setuid and Setgid (T1548.001) 655 | privilege-escalation,T1548,T1548.002,Bypass User Account Control (T1548.002) 656 | 
privilege-escalation,T1548,T1548.003,Sudo and Sudo Caching (T1548.003) 657 | privilege-escalation,T1548,T1548.004,Elevated Execution with Prompt (T1548.004) 658 | privilege-escalation,T1574,T1574,Hijack Execution Flow (T1574) 659 | privilege-escalation,T1574,T1574.001,DLL Search Order Hijacking (T1574.001) 660 | privilege-escalation,T1574,T1574.002,DLL Side-Loading (T1574.002) 661 | privilege-escalation,T1574,T1574.004,Dylib Hijacking (T1574.004) 662 | privilege-escalation,T1574,T1574.005,Executable Installer File Permissions Weakness (T1574.005) 663 | privilege-escalation,T1574,T1574.006,Dynamic Linker Hijacking (T1574.006) 664 | privilege-escalation,T1574,T1574.007,Path Interception by PATH Environment Variable (T1574.007) 665 | privilege-escalation,T1574,T1574.008,Path Interception by Search Order Hijacking (T1574.008) 666 | privilege-escalation,T1574,T1574.009,Path Interception by Unquoted Path (T1574.009) 667 | privilege-escalation,T1574,T1574.010,Services File Permissions Weakness (T1574.010) 668 | privilege-escalation,T1574,T1574.011,Services Registry Permissions Weakness (T1574.011) 669 | privilege-escalation,T1574,T1574.012,COR_PROFILER (T1574.012) 670 | privilege-escalation,T1574,T1574.013,KernelCallbackTable (T1574.013) 671 | privilege-escalation,T1611,T1611,Escape to Host (T1611) 672 | reconnaissance,T1589,T1589,Gather Victim Identity Information (T1589) 673 | reconnaissance,T1589,T1589.001,Credentials (T1589.001) 674 | reconnaissance,T1589,T1589.002,Email Addresses (T1589.002) 675 | reconnaissance,T1589,T1589.003,Employee Names (T1589.003) 676 | reconnaissance,T1590,T1590,Gather Victim Network Information (T1590) 677 | reconnaissance,T1590,T1590.001,Domain Properties (T1590.001) 678 | reconnaissance,T1590,T1590.002,DNS (T1590.002) 679 | reconnaissance,T1590,T1590.003,Network Trust Dependencies (T1590.003) 680 | reconnaissance,T1590,T1590.004,Network Topology (T1590.004) 681 | reconnaissance,T1590,T1590.005,IP Addresses (T1590.005) 682 | 
reconnaissance,T1590,T1590.006,Network Security Appliances (T1590.006) 683 | reconnaissance,T1591,T1591,Gather Victim Org Information (T1591) 684 | reconnaissance,T1591,T1591.001,Determine Physical Locations (T1591.001) 685 | reconnaissance,T1591,T1591.002,Business Relationships (T1591.002) 686 | reconnaissance,T1591,T1591.003,Identify Business Tempo (T1591.003) 687 | reconnaissance,T1591,T1591.004,Identify Roles (T1591.004) 688 | reconnaissance,T1592,T1592,Gather Victim Host Information (T1592) 689 | reconnaissance,T1592,T1592.001,Hardware (T1592.001) 690 | reconnaissance,T1592,T1592.002,Software (T1592.002) 691 | reconnaissance,T1592,T1592.003,Firmware (T1592.003) 692 | reconnaissance,T1592,T1592.004,Client Configurations (T1592.004) 693 | reconnaissance,T1593,T1593,Search Open Websites/Domains (T1593) 694 | reconnaissance,T1593,T1593.001,Social Media (T1593.001) 695 | reconnaissance,T1593,T1593.002,Search Engines (T1593.002) 696 | reconnaissance,T1594,T1594,Search Victim-Owned Websites (T1594) 697 | reconnaissance,T1595,T1595,Active Scanning (T1595) 698 | reconnaissance,T1595,T1595.001,Scanning IP Blocks (T1595.001) 699 | reconnaissance,T1595,T1595.002,Vulnerability Scanning (T1595.002) 700 | reconnaissance,T1595,T1595.003,Wordlist Scanning (T1595.003) 701 | reconnaissance,T1596,T1596,Search Open Technical Databases (T1596) 702 | reconnaissance,T1596,T1596.001,DNS/Passive DNS (T1596.001) 703 | reconnaissance,T1596,T1596.002,WHOIS (T1596.002) 704 | reconnaissance,T1596,T1596.003,Digital Certificates (T1596.003) 705 | reconnaissance,T1596,T1596.004,CDNs (T1596.004) 706 | reconnaissance,T1596,T1596.005,Scan Databases (T1596.005) 707 | reconnaissance,T1597,T1597,Search Closed Sources (T1597) 708 | reconnaissance,T1597,T1597.001,Threat Intel Vendors (T1597.001) 709 | reconnaissance,T1597,T1597.002,Purchase Technical Data (T1597.002) 710 | reconnaissance,T1598,T1598,Phishing for Information (T1598) 711 | reconnaissance,T1598,T1598.001,Spearphishing Service (T1598.001) 
712 | reconnaissance,T1598,T1598.002,Spearphishing Attachment (T1598.002) 713 | reconnaissance,T1598,T1598.003,Spearphishing Link (T1598.003) 714 | resource-development,T1583,T1583,Acquire Infrastructure (T1583) 715 | resource-development,T1583,T1583.001,Domains (T1583.001) 716 | resource-development,T1583,T1583.002,DNS Server (T1583.002) 717 | resource-development,T1583,T1583.003,Virtual Private Server (T1583.003) 718 | resource-development,T1583,T1583.004,Server (T1583.004) 719 | resource-development,T1583,T1583.005,Botnet (T1583.005) 720 | resource-development,T1583,T1583.006,Web Services (T1583.006) 721 | resource-development,T1584,T1584,Compromise Infrastructure (T1584) 722 | resource-development,T1584,T1584.001,Domains (T1584.001) 723 | resource-development,T1584,T1584.002,DNS Server (T1584.002) 724 | resource-development,T1584,T1584.003,Virtual Private Server (T1584.003) 725 | resource-development,T1584,T1584.004,Server (T1584.004) 726 | resource-development,T1584,T1584.005,Botnet (T1584.005) 727 | resource-development,T1584,T1584.006,Web Services (T1584.006) 728 | resource-development,T1585,T1585,Establish Accounts (T1585) 729 | resource-development,T1585,T1585.001,Social Media Accounts (T1585.001) 730 | resource-development,T1585,T1585.002,Email Accounts (T1585.002) 731 | resource-development,T1586,T1586,Compromise Accounts (T1586) 732 | resource-development,T1586,T1586.001,Social Media Accounts (T1586.001) 733 | resource-development,T1586,T1586.002,Email Accounts (T1586.002) 734 | resource-development,T1587,T1587,Develop Capabilities (T1587) 735 | resource-development,T1587,T1587.001,Malware (T1587.001) 736 | resource-development,T1587,T1587.002,Code Signing Certificates (T1587.002) 737 | resource-development,T1587,T1587.003,Digital Certificates (T1587.003) 738 | resource-development,T1587,T1587.004,Exploits (T1587.004) 739 | resource-development,T1588,T1588,Obtain Capabilities (T1588) 740 | resource-development,T1588,T1588.001,Malware (T1588.001) 741 | 
resource-development,T1588,T1588.002,Tool (T1588.002) 742 | resource-development,T1588,T1588.003,Code Signing Certificates (T1588.003) 743 | resource-development,T1588,T1588.004,Digital Certificates (T1588.004) 744 | resource-development,T1588,T1588.005,Exploits (T1588.005) 745 | resource-development,T1588,T1588.006,Vulnerabilities (T1588.006) 746 | resource-development,T1608,T1608,Stage Capabilities (T1608) 747 | resource-development,T1608,T1608.001,Upload Malware (T1608.001) 748 | resource-development,T1608,T1608.002,Upload Tool (T1608.002) 749 | resource-development,T1608,T1608.003,Install Digital Certificate (T1608.003) 750 | resource-development,T1608,T1608.004,Drive-by Target (T1608.004) 751 | resource-development,T1608,T1608.005,Link Target (T1608.005) 752 | -------------------------------------------------------------------------------- /AttackCoverage.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/AttackCoverage.xlsx -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Creative Commons Legal Code 2 | 3 | CC0 1.0 Universal 4 | 5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE 6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN 7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS 8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES 9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS 10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM 11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED 12 | HEREUNDER. 
13 | 14 | Statement of Purpose 15 | 16 | The laws of most jurisdictions throughout the world automatically confer 17 | exclusive Copyright and Related Rights (defined below) upon the creator 18 | and subsequent owner(s) (each and all, an "owner") of an original work of 19 | authorship and/or a database (each, a "Work"). 20 | 21 | Certain owners wish to permanently relinquish those rights to a Work for 22 | the purpose of contributing to a commons of creative, cultural and 23 | scientific works ("Commons") that the public can reliably and without fear 24 | of later claims of infringement build upon, modify, incorporate in other 25 | works, reuse and redistribute as freely as possible in any form whatsoever 26 | and for any purposes, including without limitation commercial purposes. 27 | These owners may contribute to the Commons to promote the ideal of a free 28 | culture and the further production of creative, cultural and scientific 29 | works, or to gain reputation or greater distribution for their Work in 30 | part through the use and efforts of others. 31 | 32 | For these and/or other purposes and motivations, and without any 33 | expectation of additional consideration or compensation, the person 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she 35 | is an owner of Copyright and Related Rights in the Work, voluntarily 36 | elects to apply CC0 to the Work and publicly distribute the Work under its 37 | terms, with knowledge of his or her Copyright and Related Rights in the 38 | Work and the meaning and intended legal effect of CC0 on those rights. 39 | 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be 41 | protected by copyright and related or neighboring rights ("Copyright and 42 | Related Rights"). Copyright and Related Rights include, but are not 43 | limited to, the following: 44 | 45 | i. the right to reproduce, adapt, distribute, perform, display, 46 | communicate, and translate a Work; 47 | ii. 
moral rights retained by the original author(s) and/or performer(s); 48 | iii. publicity and privacy rights pertaining to a person's image or 49 | likeness depicted in a Work; 50 | iv. rights protecting against unfair competition in regards to a Work, 51 | subject to the limitations in paragraph 4(a), below; 52 | v. rights protecting the extraction, dissemination, use and reuse of data 53 | in a Work; 54 | vi. database rights (such as those arising under Directive 96/9/EC of the 55 | European Parliament and of the Council of 11 March 1996 on the legal 56 | protection of databases, and under any national implementation 57 | thereof, including any amended or successor version of such 58 | directive); and 59 | vii. other similar, equivalent or corresponding rights throughout the 60 | world based on applicable law or treaty, and any national 61 | implementations thereof. 62 | 63 | 2. Waiver. To the greatest extent permitted by, but not in contravention 64 | of, applicable law, Affirmer hereby overtly, fully, permanently, 65 | irrevocably and unconditionally waives, abandons, and surrenders all of 66 | Affirmer's Copyright and Related Rights and associated claims and causes 67 | of action, whether now known or unknown (including existing as well as 68 | future claims and causes of action), in the Work (i) in all territories 69 | worldwide, (ii) for the maximum duration provided by applicable law or 70 | treaty (including future time extensions), (iii) in any current or future 71 | medium and for any number of copies, and (iv) for any purpose whatsoever, 72 | including without limitation commercial, advertising or promotional 73 | purposes (the "Waiver"). 
Affirmer makes the Waiver for the benefit of each 74 | member of the public at large and to the detriment of Affirmer's heirs and 75 | successors, fully intending that such Waiver shall not be subject to 76 | revocation, rescission, cancellation, termination, or any other legal or 77 | equitable action to disrupt the quiet enjoyment of the Work by the public 78 | as contemplated by Affirmer's express Statement of Purpose. 79 | 80 | 3. Public License Fallback. Should any part of the Waiver for any reason 81 | be judged legally invalid or ineffective under applicable law, then the 82 | Waiver shall be preserved to the maximum extent permitted taking into 83 | account Affirmer's express Statement of Purpose. In addition, to the 84 | extent the Waiver is so judged Affirmer hereby grants to each affected 85 | person a royalty-free, non transferable, non sublicensable, non exclusive, 86 | irrevocable and unconditional license to exercise Affirmer's Copyright and 87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the 88 | maximum duration provided by applicable law or treaty (including future 89 | time extensions), (iii) in any current or future medium and for any number 90 | of copies, and (iv) for any purpose whatsoever, including without 91 | limitation commercial, advertising or promotional purposes (the 92 | "License"). The License shall be deemed effective as of the date CC0 was 93 | applied by Affirmer to the Work. 
Should any part of the License for any 94 | reason be judged legally invalid or ineffective under applicable law, such 95 | partial invalidity or ineffectiveness shall not invalidate the remainder 96 | of the License, and in such case Affirmer hereby affirms that he or she 97 | will not (i) exercise any of his or her remaining Copyright and Related 98 | Rights in the Work or (ii) assert any associated claims and causes of 99 | action with respect to the Work, in either case contrary to Affirmer's 100 | express Statement of Purpose. 101 | 102 | 4. Limitations and Disclaimers. 103 | 104 | a. No trademark or patent rights held by Affirmer are waived, abandoned, 105 | surrendered, licensed or otherwise affected by this document. 106 | b. Affirmer offers the Work as-is and makes no representations or 107 | warranties of any kind concerning the Work, express, implied, 108 | statutory or otherwise, including without limitation warranties of 109 | title, merchantability, fitness for a particular purpose, non 110 | infringement, or the absence of latent or other defects, accuracy, or 111 | the present or absence of errors, whether or not discoverable, all to 112 | the greatest extent permissible under applicable law. 113 | c. Affirmer disclaims responsibility for clearing rights of other persons 114 | that may apply to the Work or any use thereof, including without 115 | limitation any person's Copyright and Related Rights in the Work. 116 | Further, Affirmer disclaims responsibility for obtaining any necessary 117 | consents, permissions or other rights required for any use of the 118 | Work. 119 | d. Affirmer understands and acknowledges that Creative Commons is not a 120 | party to this document and has no duty or obligation with respect to 121 | this CC0 or use of the Work. 
122 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # attack-coverage 2 | An *excel*-centric approach for managing the MITRE ATT&CK® tactics and techniques. 3 | 4 | ## the goal 5 | 6 | The Excel file *AttackCoverage.xlsx* can be used to get a *coverage measure* of MITRE ATT&CK® tactics and techniques, in terms of *detections rules*. Working as DFIR consultants for different companies, with different SOCs and technologies in place, it was needed a *simple* and *portable* way to get a sort of *awareness* about which attackers' tactics/techniques a customer is able to detect and, more important, what is missing. 7 | 8 | ## AttackCoverage.xlsx 9 | 10 | Before a brief explanation about the usage, please consider that all the 7 worksheets share specific characteristics. The *header* of each worksheet has colours: *gray* means a static fields, strings or numbers; *blue* means calculated values, with formulas; *white* means columns (cells) that expect an input from the users. Usually you will not mess with gray or blue columns, with exceptions. *White* columns with "Active" or "IsActive" captions expect to be blank or filled with the string "*yes*": there is not a "*no*", just "*yes*" or blank. 11 | 12 | ## adding the first *detection rule* 13 | 14 | From the *blue team* perspective, the great part of the job will be done in the **detections** worksheet. Here is where you'll set your detection rules: the provided worksheet has the first four columns as an example, and you can add/remove/change them. Unless you're modifying the excel, do not touch the "*is active*" and "*attack1..3*" columns. Let's insert the **first** detection rule, which aims to detect attackers' attempt to access the LSASS Memory, sub-technique T1003.001. 15 | 16 | ![adding detection rule](/images/ac_img_1.png) 17 | 18 | The first columns, the *gray* ones, are up to you. 
If you want to make the detection rule *active*, simply write *yes* in the column. To **map** that specific rule to one or more (could be) Attack Techniques/Sub-Techniques, just use the *attack1..3* columns. 19 | 20 | Let's switch on **techniques** worksheet. As you will see, we have two **red** lines: one for T1003.001 (LSASS Memory sub-technique) and one for T1003, the *technique* which T1003.001 belongs to. 21 | 22 | ![techniques](/images/ac_img_2.png) 23 | 24 | The **red** colouring reflects the *inconsistent* state reported in column *technique status*. It means you have a detection rule for a specific (sub)technique but your're **missing any data source** required to detect it: check the column *data source available*, which is zero. Techniques data sources are written in the *data sources* column, separated by a pipe '|'. To "solve" the issue you can: disable the rule since it can't work; fix the missing data source as shown in the next picture, by accessing the **source** worksheet and putting "*yes*" in the proper field. 25 | 26 | ![sources](/images/ac_img_3.png) 27 | 28 | ## the **techniques** worksheet 29 | 30 | Going back to the *techniques* worksheet you'll get two *green* lines and multiple *yellow* ones. First, the green ones: since you have the proper (or, better, *a* proper) data source for the detection rule, the technique status changed to **detect**. It means you *could* be able to detect that specific sub-technique T1003.001. Moreover, since you're detecting a sub-technique, the "*father*" technique T1003 will reflect this detection too, in a slightly different way. The "*default counting rule*" follows: 31 | 32 | > By default the **minimum number of expected detection rules** is **1** for Techniques without any sub-technique. For Techniques with one or more sub-techniques, the minum number of expected detection rules is **the number of sub-techniques**. 
This number is automatically calculated and reported in the "*minimum detection rules*" column. 33 | 34 | In the current scenario, the minimum expected detection rule for T1003.001 is *1*, while for T1003 (the Technique) is *8* because "OS Credential Dumping" has eight sub-techniques. What about the *yellow* lines ("*technique status*" equals to "*no detect*")? Since you've enabled a *data source*, any technique using that data source **could be detected**: in different words, you have the data to detect those techniques but *no detections rules* in place! Time to fill the gaps! 35 | 36 | ![techniques](/images/ac_img_4.png) 37 | 38 | ## the **STATUS** and the **COVERAGE** worksheets 39 | 40 | What you are currently detecting in terms of techniques and sub-techniques, organized by *tactics*, is shown into the STATUS worksheet. It's a better view of the work done, what you're missing entirely (no data sources available!) and what you could detect if you'll prepare the proper detection rules. 41 | 42 | ![STATUS](/images/ac_img_5.png) 43 | 44 | "*Wait a moment. Why in the STATUS cells related to T1003 and T1003.001 we have 0 detection rules and 1 detection rules? And both are green?*". Remember that the STATUS worksheet represents what you are detecting (techniques and sub-techniques) and what you are not. For the *coverage* there is the COVERAGE worksheet. As shown in the next picture, the COVERAGE will report *13%* for the Technique, since you have just 1 out of 8 detection rules expected for T1003. 45 | 46 | ![COVERAGE](/images/ac_img_6.png) 47 | 48 | You'll spot that COVERAGE will address only Techniques organized in the "*classic*" Attack way, by Tactics. In the end, for each Tactics, you'll get the total coverage. 49 | 50 | ## *I have a new fancy sub-technique not included in the Attack framework!* 51 | 52 | This is supercool, and the Excel file is already built to cover that. 
Place the detection rule by using the **detection** worksheet and assign to the "*OS Credential Dumping (T1003)*" technique, since it will not apply to any of the sub-techniques described by the Attack framework. 53 | 54 | ![detections](/images/ac_img_7.png) 55 | 56 | Go back to **techniques**: now you got **2** detection rules for T1003, one from T1003.001 and one directly applied to T1003 (column "*detection rules for technique*"). Unfortunately this is **unexpected**: techniques with sub-techniques are not expected to have detection rules applied **directly** to them! This **error** is reported in the "*Error checks*" column: always check it! 57 | 58 | ![techniques](/images/ac_img_8.png) 59 | 60 | > You can't have more detection rules than the expected ones! Coverage will be wrong. Remember the minimum expected ones: **1** for Techniques without any sub-technique; **n** for Techniques with *n* sub-techniques **and 0** for the Technique itself. 61 | 62 | How to handle that? Easy, that's the reason of the *white* column "**detection rules modifier**". Just add *1* to the T1003 related cell: it means we *expect* a detection rule that will *direclty* target the "main" Technique T1003. See the pictures. 63 | 64 | ![techniques](/images/ac_img_9.png) 65 | 66 | No more errors: STATUS and COVERAGE will reflect this new addendum. 67 | 68 | ![STATUS](/images/ac_img_10.png) 69 | 70 | ![COVERAGE](/images/ac_img_11.png) 71 | 72 | ## *I want to disable some techniques/sub-techniques, I don't need them* 73 | 74 | Again, the Excel file is built to support this, by using the "**detection rules modifier**" in the *techniques* worksheet. Suppose you want to disable "*At (Linux) (T1053.001)*" sub-technique since you have no Linux hosts. Simply put **-1** in the cell related to T1053.001, as shown in the next pictures. 75 | 76 | ![techniques](/images/ac_img_12.png) 77 | 78 | This will be reflected in the STATUS too: note that T1053.001 is used in different Tactics. 
79 | 80 | ![STATUS](/images/ac_img_13.png) 81 | 82 | What if you want to disable not just that sub-technique but **the whole** T1053 one? Simply put **-1** in each sub-technique belonging to T1053, as shown: you don't need to put a *-1* to the Technique itself, unless it's a Technique without sub-techniques. 83 | 84 | ![techniques](/images/ac_img_14.png) 85 | 86 | Again, the disabled technique (and its sub-techniques) will be shown in **STATUS**. 87 | 88 | ![STATUS](/images/ac_img_15.png) 89 | 90 | What about the **COVERAGE**? It will reflect this fact by putting 100% for the Technique. It could sound *weird*, but indeed it's better not to *remove* it to maintain the *awaraness*. 91 | 92 | ![COVERAGE](/images/ac_img_16.png) 93 | 94 | ## *I have a custom data source not in the Attack list!* 95 | 96 | This is a bit annoying to update. Use the **sources** worksheet and *insert* a new row: this *insertion* will update the *table*. For example, insert the *Custom data source* as shown 97 | 98 | ![sources](/images/ac_img_17.png) 99 | 100 | Then, **for each of the techniques** involved by this new source you have to update the *data sources* column in the **techniques** worksheet: remember that each source is separated by the *pipe*, "|". 101 | 102 | ![techniques](/images/ac_img_18.png) 103 | 104 | Not the best solution, indeed. A better one should be implemented. After the update, the T1098 will become *yellow*, as expected. 105 | 106 | ![techniques](/images/ac_img_19.png) 107 | 108 | ## how to update 109 | 110 | I will update the Excel file when new Attack version will be available. Still, if you'll have a filled Excel file you need a way to update your own. As you can see in this repository, there is a folder called *20201030*: this folder contains the files used to create the actual AttackCoverage.xlsx. 
The most important files are the **.csv** ones, because they are used to fill the "*static*" (*gray* columns) cells for **sources** (file: data_sources.csv), **tactics** (file: tactics.csv) and **techniques** (file: techniques.csv). I will recreate those files for the new version(s), and you can simply *diff* the CSV files to properly update/insert/remove the related lines in your Excel file. It could be "*complicated*" in case of new *tactics* (as version 8 introduced), because wrongly updating the STATUS and COVERAGE worksheets would introduce errors: so pay attention, or open an issue here.
" at https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html 121 | 122 | -------------------------------------------------------------------------------- /images/ac_img_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_1.png -------------------------------------------------------------------------------- /images/ac_img_10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_10.png -------------------------------------------------------------------------------- /images/ac_img_11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_11.png -------------------------------------------------------------------------------- /images/ac_img_12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_12.png -------------------------------------------------------------------------------- /images/ac_img_13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_13.png -------------------------------------------------------------------------------- /images/ac_img_14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_14.png 
-------------------------------------------------------------------------------- /images/ac_img_15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_15.png -------------------------------------------------------------------------------- /images/ac_img_16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_16.png -------------------------------------------------------------------------------- /images/ac_img_17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_17.png -------------------------------------------------------------------------------- /images/ac_img_18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_18.png -------------------------------------------------------------------------------- /images/ac_img_19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_19.png -------------------------------------------------------------------------------- /images/ac_img_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_2.png -------------------------------------------------------------------------------- /images/ac_img_3.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_3.png -------------------------------------------------------------------------------- /images/ac_img_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_4.png -------------------------------------------------------------------------------- /images/ac_img_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_5.png -------------------------------------------------------------------------------- /images/ac_img_6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_6.png -------------------------------------------------------------------------------- /images/ac_img_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_7.png -------------------------------------------------------------------------------- /images/ac_img_8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_8.png -------------------------------------------------------------------------------- /images/ac_img_9.png: -------------------------------------------------------------------------------- 
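# https://raw.githubusercontent.com/RealityNet/attack-coverage/a933255173c0d512f712e2cb81a2067aa99a75a7/images/ac_img_9.png
# --------------------------------------------------------------------------------
# /scripts/get_attack_enterprise.py:
# --------------------------------------------------------------------------------
#!/usr/bin/python3
# -*- coding: utf-8 -*-
#
# Written by Francesco "dfirfpi" Picasso, Reality Net System Solutions
#
# Version: 20200831
#
# Dump every collection of the enterprise ATT&CK data set returned by attackcti
# (techniques, tactics, groups, ...) into one 'attack_<collection>.txt' file,
# one Python repr() per line.  The output is not JSON: it is meant to be
# diffed between dated snapshots, not re-parsed.

from attackcti import attack_client

lift = attack_client()
# stix_format=False asks attackcti for its flattened dict representation.
all_enterprise = lift.get_enterprise(stix_format=False)

# The collection names are the keys of the dict returned by attackcti; each
# becomes part of an output file name in the current working directory.
for entry in all_enterprise:
    with open('attack_' + entry + '.txt', mode='w', encoding='utf-8') as fout:
        for subentry in all_enterprise[entry]:
            fout.write('{}\n'.format(subentry))

# --------------------------------------------------------------------------------
# /scripts/get_tt.py:
# --------------------------------------------------------------------------------
#!/usr/bin/python3
# -*- coding: utf-8 -*-
#
# get_tt: Get (Attack) T(echniques) T(actics)
# Written by Francesco "dfirfpi" Picasso, Reality Net System Solutions
#
# Version: 20200831
#
# Download the enterprise ATT&CK data set and write three CSV files in the
# current directory: tactics.csv, techniques.csv and data_sources.csv.

import bisect
import sys
from attackcti import attack_client

# -----------------------------------------------------------------------------

CSV_SEPARATOR = ','
CSV_INTERNAL_SEPARATOR = '|'
NEWLINE = '\n'
UNSPECIFIED_TACTIC = 'unspecified'

# -----------------------------------------------------------------------------


def _csv_field(value):
    """Return *value* as a single CSV field, quoted RFC 4180-style if needed.

    Names in the rows come straight from the downloaded ATT&CK data set; one
    containing the column separator, a double quote or a line break would
    otherwise shift or split the columns of the generated file.  Values that
    need no quoting are returned unchanged, so the usual output is identical
    to a plain join.  Quoting does not neutralise cells a spreadsheet may
    interpret as formulas (a leading '=', '+', '-' or '@'); that remains the
    responsibility of whatever opens the CSV files.
    """
    text = str(value)
    if any(ch in text for ch in (CSV_SEPARATOR, '"', '\n', '\r')):
        return '"' + text.replace('"', '""') + '"'
    return text


def _csv_row(fields, newline=None):
    """Join *fields* into one CSV line, appending *newline* when it is given."""
    row = CSV_SEPARATOR.join(_csv_field(field) for field in fields)
    return row + newline if newline else row


def _check_key(technique_id, technique):
    """Raise ValueError when a techniques-dict key and its value disagree.

    A plain raise is used instead of assert because asserts are stripped under
    'python -O', which would silently let a mismatched row through.
    """
    if technique_id != technique.id:
        raise ValueError('key {} does not match technique id {}'.format(
            technique_id, technique.id))

# -----------------------------------------------------------------------------


class ATechnique():
    """One ATT&CK technique or sub-technique with its tactics and data sources.

    ``identifier`` is the ATT&CK id; for a sub-technique the part before the
    dot is the parent technique, exposed as ``technique`` so the CSV files can
    be pivoted on it.  ``name`` is the human-readable technique name.
    """

    def __init__(self, identifier, name):
        # Due to sub-techniques, create a "new" column with the main technique.
        self._technique = identifier.split('.')[0]
        self._id = identifier
        self._name = '{} ({})'.format(name, self._id)
        self._tactics = []
        self._data_sources = []

    @property
    def id(self):
        """The full ATT&CK id, sub-technique suffix included."""
        return self._id

    @property
    def name(self):
        """The technique name followed by its id in parentheses."""
        return self._name

    @property
    def technique(self):
        """The parent technique id (the id itself for a plain technique)."""
        return self._technique

    @property
    def tactics(self):
        """Tactics added so far, in insertion order."""
        return self._tactics

    @property
    def data_sources(self):
        """Data sources added so far, in insertion order."""
        return self._data_sources

    @property
    def data_sources_num(self):
        """Number of data sources added so far."""
        # Derived from the list instead of a separate counter so the two can
        # never drift apart.
        return len(self._data_sources)

    def add_data_source(self, data_source):
        """Record one data source for this technique."""
        self._data_sources.append(data_source)

    def add_tactic(self, tactic):
        """Record one tactic for this technique."""
        self._tactics.append(tactic)

    def _require_tactics(self):
        """Raise ValueError if no tactic was added; every CSV row needs one."""
        # A plain raise instead of assert: asserts vanish under 'python -O'.
        if not self._tactics:
            raise ValueError('technique {} has no tactic'.format(self._id))

    def tactics_csv_row(self, newline=None):
        """Yield one CSV line per tactic: tactic, technique, id, name.

        The check runs when iteration starts, not when the generator is
        created.

        Raises:
            ValueError: if no tactic was added.
        """
        self._require_tactics()
        for tactic in self._tactics:
            yield _csv_row((tactic, self.technique, self.id, self.name),
                           newline)

    def techniques_csv_row(self, newline=None):
        """Return the technique's CSV line.

        Columns: technique, id, name, tactics, data sources and the number of
        data sources.  Multi-valued columns are joined with
        CSV_INTERNAL_SEPARATOR; an empty data-source list yields ''.

        Raises:
            ValueError: if no tactic was added.
        """
        self._require_tactics()
        tactics = CSV_INTERNAL_SEPARATOR.join(self._tactics)
        data_sources = CSV_INTERNAL_SEPARATOR.join(self._data_sources)
        return _csv_row((self.technique,
                         self.id,
                         self.name,
                         tactics,
                         data_sources,
                         str(self.data_sources_num)), newline)

    @staticmethod
    def tactics_csv_header(newline=None):
        """Return the header line of tactics.csv.

        The first column is labelled 'name' although it holds the tactic; the
        label is kept because the generated file is consumed as-is.
        """
        return _csv_row(('name', 'technique', 'technique_id', 'technique_name'),
                        newline)

    @staticmethod
    def techniques_csv_header(newline=None):
        """Return the header line of techniques.csv."""
        return _csv_row(('technique', 'id', 'name', 'tactics',
                         'data_sources', 'data_sources_num'), newline)

# -----------------------------------------------------------------------------


def get_techniques():
    """Download the enterprise ATT&CK data set and index its techniques.

    Returns:
        ``(techniques, data_sources)``: ``techniques`` maps each technique id
        to its ATechnique; ``data_sources`` maps each data-source name to
        itself (used as a set by save_data_sources, kept a dict for
        compatibility with existing callers).

    Raises:
        ValueError: if the data set lists a technique id twice.
        KeyError: if an entry lacks the 'technique_id' or 'technique' key.
    """
    lift = attack_client()
    all_enterprise = lift.get_enterprise(stix_format=False)

    data_sources_dict = {}
    techniques_dict = {}

    for technique in all_enterprise['techniques']:
        technique_id = technique['technique_id']
        technique_name = technique['technique']

        # Refuse to silently overwrite: a duplicate id would drop rows.
        if technique_id in techniques_dict:
            raise ValueError('duplicate technique id {}'.format(technique_id))

        technique_obj = ATechnique(technique_id, technique_name)

        tactics = technique.get('tactic')
        if not tactics:
            # No 'tactic' key, or an empty list: file the technique under a
            # placeholder instead of failing later when its rows are written.
            tactics = [UNSPECIFIED_TACTIC]
        for tactic in tactics:
            technique_obj.add_tactic(tactic)

        for data_source in technique.get('data_sources', ()):
            technique_obj.add_data_source(data_source)
            data_sources_dict.setdefault(data_source, data_source)

        techniques_dict[technique_id] = technique_obj

    return techniques_dict, data_sources_dict

# -----------------------------------------------------------------------------


def save_data_sources(data_sources):
    """Write the sorted data-source names to data_sources.csv (one column)."""
    with open('data_sources.csv', mode='w', encoding='utf-8') as fout:
        fout.write('data sources\n')
        for name in sorted(data_sources):
            fout.write(_csv_row((name,), NEWLINE))

# -----------------------------------------------------------------------------


def save_tactis(techniques):
    """Write tactics.csv: one sorted row per (tactic, technique) pair.

    The historical spelling of the name is kept for existing callers;
    ``save_tactics`` is provided as an alias.

    Raises:
        ValueError: if a dict key does not match its technique's id.
    """
    with open('tactics.csv', mode='w', encoding='utf-8') as fout:
        fout.write(ATechnique.tactics_csv_header(NEWLINE))

        tactics_list = []
        for technique_id, technique in techniques.items():
            _check_key(technique_id, technique)
            for row in technique.tactics_csv_row(NEWLINE):
                bisect.insort(tactics_list, row)

        fout.writelines(tactics_list)


save_tactics = save_tactis

# -----------------------------------------------------------------------------


def save_techniques(techniques):
    """Write techniques.csv, one row per technique sorted by id.

    Raises:
        ValueError: if a dict key does not match its technique's id.
    """
    with open('techniques.csv', mode='w', encoding='utf-8') as fout:
        fout.write(ATechnique.techniques_csv_header(NEWLINE))

        for technique_id, technique in sorted(techniques.items()):
            _check_key(technique_id, technique)
            fout.write(technique.techniques_csv_row(NEWLINE))

# -----------------------------------------------------------------------------


if __name__ == '__main__':

    if sys.version_info[0] < 3:
        sys.exit('Python 3 or a more recent version is required.')

    techniques, data_sources = get_techniques()
    save_tactis(techniques)
    save_techniques(techniques)
    save_data_sources(data_sources)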