gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-05 20:40:05 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
capa/scripts/linter-data.json
mr-tz 9bc04ec612 update data via script
2024-01-16 15:29:25 +01:00

1654 lines
91 KiB
JSON
Raw Permalink Blame History

{
"att&ck": {
"Reconnaissance": {
"T1589": "Gather Victim Identity Information",
"T1589.001": "Gather Victim Identity Information::Credentials",
"T1589.002": "Gather Victim Identity Information::Email Addresses",
"T1589.003": "Gather Victim Identity Information::Employee Names",
"T1590": "Gather Victim Network Information",
"T1590.001": "Gather Victim Network Information::Domain Properties",
"T1590.002": "Gather Victim Network Information::DNS",
"T1590.003": "Gather Victim Network Information::Network Trust Dependencies",
"T1590.004": "Gather Victim Network Information::Network Topology",
"T1590.005": "Gather Victim Network Information::IP Addresses",
"T1590.006": "Gather Victim Network Information::Network Security Appliances",
"T1591": "Gather Victim Org Information",
"T1591.001": "Gather Victim Org Information::Determine Physical Locations",
"T1591.002": "Gather Victim Org Information::Business Relationships",
"T1591.003": "Gather Victim Org Information::Identify Business Tempo",
"T1591.004": "Gather Victim Org Information::Identify Roles",
"T1592": "Gather Victim Host Information",
"T1592.001": "Gather Victim Host Information::Hardware",
"T1592.002": "Gather Victim Host Information::Software",
"T1592.003": "Gather Victim Host Information::Firmware",
"T1592.004": "Gather Victim Host Information::Client Configurations",
"T1593": "Search Open Websites/Domains",
"T1593.001": "Search Open Websites/Domains::Social Media",
"T1593.002": "Search Open Websites/Domains::Search Engines",
"T1593.003": "Search Open Websites/Domains::Code Repositories",
"T1594": "Search Victim-Owned Websites",
"T1595": "Active Scanning",
"T1595.001": "Active Scanning::Scanning IP Blocks",
"T1595.002": "Active Scanning::Vulnerability Scanning",
"T1595.003": "Active Scanning::Wordlist Scanning",
"T1596": "Search Open Technical Databases",
"T1596.001": "Search Open Technical Databases::DNS/Passive DNS",
"T1596.002": "Search Open Technical Databases::WHOIS",
"T1596.003": "Search Open Technical Databases::Digital Certificates",
"T1596.004": "Search Open Technical Databases::CDNs",
"T1596.005": "Search Open Technical Databases::Scan Databases",
"T1597": "Search Closed Sources",
"T1597.001": "Search Closed Sources::Threat Intel Vendors",
"T1597.002": "Search Closed Sources::Purchase Technical Data",
"T1598": "Phishing for Information",
"T1598.001": "Phishing for Information::Spearphishing Service",
"T1598.002": "Phishing for Information::Spearphishing Attachment",
"T1598.003": "Phishing for Information::Spearphishing Link",
"T1598.004": "Phishing for Information::Spearphishing Voice"
},
"Resource Development": {
"T1583": "Acquire Infrastructure",
"T1583.001": "Acquire Infrastructure::Domains",
"T1583.002": "Acquire Infrastructure::DNS Server",
"T1583.003": "Acquire Infrastructure::Virtual Private Server",
"T1583.004": "Acquire Infrastructure::Server",
"T1583.005": "Acquire Infrastructure::Botnet",
"T1583.006": "Acquire Infrastructure::Web Services",
"T1583.007": "Acquire Infrastructure::Serverless",
"T1583.008": "Acquire Infrastructure::Malvertising",
"T1584": "Compromise Infrastructure",
"T1584.001": "Compromise Infrastructure::Domains",
"T1584.002": "Compromise Infrastructure::DNS Server",
"T1584.003": "Compromise Infrastructure::Virtual Private Server",
"T1584.004": "Compromise Infrastructure::Server",
"T1584.005": "Compromise Infrastructure::Botnet",
"T1584.006": "Compromise Infrastructure::Web Services",
"T1584.007": "Compromise Infrastructure::Serverless",
"T1585": "Establish Accounts",
"T1585.001": "Establish Accounts::Social Media Accounts",
"T1585.002": "Establish Accounts::Email Accounts",
"T1585.003": "Establish Accounts::Cloud Accounts",
"T1586": "Compromise Accounts",
"T1586.001": "Compromise Accounts::Social Media Accounts",
"T1586.002": "Compromise Accounts::Email Accounts",
"T1586.003": "Compromise Accounts::Cloud Accounts",
"T1587": "Develop Capabilities",
"T1587.001": "Develop Capabilities::Malware",
"T1587.002": "Develop Capabilities::Code Signing Certificates",
"T1587.003": "Develop Capabilities::Digital Certificates",
"T1587.004": "Develop Capabilities::Exploits",
"T1588": "Obtain Capabilities",
"T1588.001": "Obtain Capabilities::Malware",
"T1588.002": "Obtain Capabilities::Tool",
"T1588.003": "Obtain Capabilities::Code Signing Certificates",
"T1588.004": "Obtain Capabilities::Digital Certificates",
"T1588.005": "Obtain Capabilities::Exploits",
"T1588.006": "Obtain Capabilities::Vulnerabilities",
"T1608": "Stage Capabilities",
"T1608.001": "Stage Capabilities::Upload Malware",
"T1608.002": "Stage Capabilities::Upload Tool",
"T1608.003": "Stage Capabilities::Install Digital Certificate",
"T1608.004": "Stage Capabilities::Drive-by Target",
"T1608.005": "Stage Capabilities::Link Target",
"T1608.006": "Stage Capabilities::SEO Poisoning",
"T1650": "Acquire Access"
},
"Initial Access": {
"T1078": "Valid Accounts",
"T1078.001": "Valid Accounts::Default Accounts",
"T1078.002": "Valid Accounts::Domain Accounts",
"T1078.003": "Valid Accounts::Local Accounts",
"T1078.004": "Valid Accounts::Cloud Accounts",
"T1091": "Replication Through Removable Media",
"T1133": "External Remote Services",
"T1189": "Drive-by Compromise",
"T1190": "Exploit Public-Facing Application",
"T1195": "Supply Chain Compromise",
"T1195.001": "Supply Chain Compromise::Compromise Software Dependencies and Development Tools",
"T1195.002": "Supply Chain Compromise::Compromise Software Supply Chain",
"T1195.003": "Supply Chain Compromise::Compromise Hardware Supply Chain",
"T1199": "Trusted Relationship",
"T1200": "Hardware Additions",
"T1566": "Phishing",
"T1566.001": "Phishing::Spearphishing Attachment",
"T1566.002": "Phishing::Spearphishing Link",
"T1566.003": "Phishing::Spearphishing via Service",
"T1566.004": "Phishing::Spearphishing Voice",
"T1659": "Content Injection"
},
"Execution": {
"T1047": "Windows Management Instrumentation",
"T1053": "Scheduled Task/Job",
"T1053.002": "Scheduled Task/Job::At",
"T1053.003": "Scheduled Task/Job::Cron",
"T1053.005": "Scheduled Task/Job::Scheduled Task",
"T1053.006": "Scheduled Task/Job::Systemd Timers",
"T1053.007": "Scheduled Task/Job::Container Orchestration Job",
"T1059": "Command and Scripting Interpreter",
"T1059.001": "Command and Scripting Interpreter::PowerShell",
"T1059.002": "Command and Scripting Interpreter::AppleScript",
"T1059.003": "Command and Scripting Interpreter::Windows Command Shell",
"T1059.004": "Command and Scripting Interpreter::Unix Shell",
"T1059.005": "Command and Scripting Interpreter::Visual Basic",
"T1059.006": "Command and Scripting Interpreter::Python",
"T1059.007": "Command and Scripting Interpreter::JavaScript",
"T1059.008": "Command and Scripting Interpreter::Network Device CLI",
"T1059.009": "Command and Scripting Interpreter::Cloud API",
"T1072": "Software Deployment Tools",
"T1106": "Native API",
"T1129": "Shared Modules",
"T1203": "Exploitation for Client Execution",
"T1204": "User Execution",
"T1204.001": "User Execution::Malicious Link",
"T1204.002": "User Execution::Malicious File",
"T1204.003": "User Execution::Malicious Image",
"T1559": "Inter-Process Communication",
"T1559.001": "Inter-Process Communication::Component Object Model",
"T1559.002": "Inter-Process Communication::Dynamic Data Exchange",
"T1559.003": "Inter-Process Communication::XPC Services",
"T1569": "System Services",
"T1569.001": "System Services::Launchctl",
"T1569.002": "System Services::Service Execution",
"T1609": "Container Administration Command",
"T1610": "Deploy Container",
"T1648": "Serverless Execution",
"T1651": "Cloud Administration Command"
},
"Persistence": {
"T1037": "Boot or Logon Initialization Scripts",
"T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)",
"T1037.002": "Boot or Logon Initialization Scripts::Login Hook",
"T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script",
"T1037.004": "Boot or Logon Initialization Scripts::RC Scripts",
"T1037.005": "Boot or Logon Initialization Scripts::Startup Items",
"T1053": "Scheduled Task/Job",
"T1053.002": "Scheduled Task/Job::At",
"T1053.003": "Scheduled Task/Job::Cron",
"T1053.005": "Scheduled Task/Job::Scheduled Task",
"T1053.006": "Scheduled Task/Job::Systemd Timers",
"T1053.007": "Scheduled Task/Job::Container Orchestration Job",
"T1078": "Valid Accounts",
"T1078.001": "Valid Accounts::Default Accounts",
"T1078.002": "Valid Accounts::Domain Accounts",
"T1078.003": "Valid Accounts::Local Accounts",
"T1078.004": "Valid Accounts::Cloud Accounts",
"T1098": "Account Manipulation",
"T1098.001": "Account Manipulation::Additional Cloud Credentials",
"T1098.002": "Account Manipulation::Additional Email Delegate Permissions",
"T1098.003": "Account Manipulation::Additional Cloud Roles",
"T1098.004": "Account Manipulation::SSH Authorized Keys",
"T1098.005": "Account Manipulation::Device Registration",
"T1098.006": "Account Manipulation::Additional Container Cluster Roles",
"T1133": "External Remote Services",
"T1136": "Create Account",
"T1136.001": "Create Account::Local Account",
"T1136.002": "Create Account::Domain Account",
"T1136.003": "Create Account::Cloud Account",
"T1137": "Office Application Startup",
"T1137.001": "Office Application Startup::Office Template Macros",
"T1137.002": "Office Application Startup::Office Test",
"T1137.003": "Office Application Startup::Outlook Forms",
"T1137.004": "Office Application Startup::Outlook Home Page",
"T1137.005": "Office Application Startup::Outlook Rules",
"T1137.006": "Office Application Startup::Add-ins",
"T1176": "Browser Extensions",
"T1197": "BITS Jobs",
"T1205": "Traffic Signaling",
"T1205.001": "Traffic Signaling::Port Knocking",
"T1205.002": "Traffic Signaling::Socket Filters",
"T1505": "Server Software Component",
"T1505.001": "Server Software Component::SQL Stored Procedures",
"T1505.002": "Server Software Component::Transport Agent",
"T1505.003": "Server Software Component::Web Shell",
"T1505.004": "Server Software Component::IIS Components",
"T1505.005": "Server Software Component::Terminal Services DLL",
"T1525": "Implant Internal Image",
"T1542": "Pre-OS Boot",
"T1542.001": "Pre-OS Boot::System Firmware",
"T1542.002": "Pre-OS Boot::Component Firmware",
"T1542.003": "Pre-OS Boot::Bootkit",
"T1542.004": "Pre-OS Boot::ROMMONkit",
"T1542.005": "Pre-OS Boot::TFTP Boot",
"T1543": "Create or Modify System Process",
"T1543.001": "Create or Modify System Process::Launch Agent",
"T1543.002": "Create or Modify System Process::Systemd Service",
"T1543.003": "Create or Modify System Process::Windows Service",
"T1543.004": "Create or Modify System Process::Launch Daemon",
"T1546": "Event Triggered Execution",
"T1546.001": "Event Triggered Execution::Change Default File Association",
"T1546.002": "Event Triggered Execution::Screensaver",
"T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription",
"T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification",
"T1546.005": "Event Triggered Execution::Trap",
"T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition",
"T1546.007": "Event Triggered Execution::Netsh Helper DLL",
"T1546.008": "Event Triggered Execution::Accessibility Features",
"T1546.009": "Event Triggered Execution::AppCert DLLs",
"T1546.010": "Event Triggered Execution::AppInit DLLs",
"T1546.011": "Event Triggered Execution::Application Shimming",
"T1546.012": "Event Triggered Execution::Image File Execution Options Injection",
"T1546.013": "Event Triggered Execution::PowerShell Profile",
"T1546.014": "Event Triggered Execution::Emond",
"T1546.015": "Event Triggered Execution::Component Object Model Hijacking",
"T1546.016": "Event Triggered Execution::Installer Packages",
"T1547": "Boot or Logon Autostart Execution",
"T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder",
"T1547.002": "Boot or Logon Autostart Execution::Authentication Package",
"T1547.003": "Boot or Logon Autostart Execution::Time Providers",
"T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL",
"T1547.005": "Boot or Logon Autostart Execution::Security Support Provider",
"T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions",
"T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications",
"T1547.008": "Boot or Logon Autostart Execution::LSASS Driver",
"T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification",
"T1547.010": "Boot or Logon Autostart Execution::Port Monitors",
"T1547.012": "Boot or Logon Autostart Execution::Print Processors",
"T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries",
"T1547.014": "Boot or Logon Autostart Execution::Active Setup",
"T1547.015": "Boot or Logon Autostart Execution::Login Items",
"T1554": "Compromise Client Software Binary",
"T1556": "Modify Authentication Process",
"T1556.001": "Modify Authentication Process::Domain Controller Authentication",
"T1556.002": "Modify Authentication Process::Password Filter DLL",
"T1556.003": "Modify Authentication Process::Pluggable Authentication Modules",
"T1556.004": "Modify Authentication Process::Network Device Authentication",
"T1556.005": "Modify Authentication Process::Reversible Encryption",
"T1556.006": "Modify Authentication Process::Multi-Factor Authentication",
"T1556.007": "Modify Authentication Process::Hybrid Identity",
"T1556.008": "Modify Authentication Process::Network Provider DLL",
"T1574": "Hijack Execution Flow",
"T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking",
"T1574.002": "Hijack Execution Flow::DLL Side-Loading",
"T1574.004": "Hijack Execution Flow::Dylib Hijacking",
"T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness",
"T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking",
"T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable",
"T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking",
"T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path",
"T1574.010": "Hijack Execution Flow::Services File Permissions Weakness",
"T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness",
"T1574.012": "Hijack Execution Flow::COR_PROFILER",
"T1574.013": "Hijack Execution Flow::KernelCallbackTable",
"T1653": "Power Settings"
},
"Privilege Escalation": {
"T1037": "Boot or Logon Initialization Scripts",
"T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)",
"T1037.002": "Boot or Logon Initialization Scripts::Login Hook",
"T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script",
"T1037.004": "Boot or Logon Initialization Scripts::RC Scripts",
"T1037.005": "Boot or Logon Initialization Scripts::Startup Items",
"T1053": "Scheduled Task/Job",
"T1053.002": "Scheduled Task/Job::At",
"T1053.003": "Scheduled Task/Job::Cron",
"T1053.005": "Scheduled Task/Job::Scheduled Task",
"T1053.006": "Scheduled Task/Job::Systemd Timers",
"T1053.007": "Scheduled Task/Job::Container Orchestration Job",
"T1055": "Process Injection",
"T1055.001": "Process Injection::Dynamic-link Library Injection",
"T1055.002": "Process Injection::Portable Executable Injection",
"T1055.003": "Process Injection::Thread Execution Hijacking",
"T1055.004": "Process Injection::Asynchronous Procedure Call",
"T1055.005": "Process Injection::Thread Local Storage",
"T1055.008": "Process Injection::Ptrace System Calls",
"T1055.009": "Process Injection::Proc Memory",
"T1055.011": "Process Injection::Extra Window Memory Injection",
"T1055.012": "Process Injection::Process Hollowing",
"T1055.013": "Process Injection::Process Doppelg\u00e4nging",
"T1055.014": "Process Injection::VDSO Hijacking",
"T1055.015": "Process Injection::ListPlanting",
"T1068": "Exploitation for Privilege Escalation",
"T1078": "Valid Accounts",
"T1078.001": "Valid Accounts::Default Accounts",
"T1078.002": "Valid Accounts::Domain Accounts",
"T1078.003": "Valid Accounts::Local Accounts",
"T1078.004": "Valid Accounts::Cloud Accounts",
"T1098": "Account Manipulation",
"T1098.001": "Account Manipulation::Additional Cloud Credentials",
"T1098.002": "Account Manipulation::Additional Email Delegate Permissions",
"T1098.003": "Account Manipulation::Additional Cloud Roles",
"T1098.004": "Account Manipulation::SSH Authorized Keys",
"T1098.005": "Account Manipulation::Device Registration",
"T1098.006": "Account Manipulation::Additional Container Cluster Roles",
"T1134": "Access Token Manipulation",
"T1134.001": "Access Token Manipulation::Token Impersonation/Theft",
"T1134.002": "Access Token Manipulation::Create Process with Token",
"T1134.003": "Access Token Manipulation::Make and Impersonate Token",
"T1134.004": "Access Token Manipulation::Parent PID Spoofing",
"T1134.005": "Access Token Manipulation::SID-History Injection",
"T1484": "Domain Policy Modification",
"T1484.001": "Domain Policy Modification::Group Policy Modification",
"T1484.002": "Domain Policy Modification::Domain Trust Modification",
"T1543": "Create or Modify System Process",
"T1543.001": "Create or Modify System Process::Launch Agent",
"T1543.002": "Create or Modify System Process::Systemd Service",
"T1543.003": "Create or Modify System Process::Windows Service",
"T1543.004": "Create or Modify System Process::Launch Daemon",
"T1546": "Event Triggered Execution",
"T1546.001": "Event Triggered Execution::Change Default File Association",
"T1546.002": "Event Triggered Execution::Screensaver",
"T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription",
"T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification",
"T1546.005": "Event Triggered Execution::Trap",
"T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition",
"T1546.007": "Event Triggered Execution::Netsh Helper DLL",
"T1546.008": "Event Triggered Execution::Accessibility Features",
"T1546.009": "Event Triggered Execution::AppCert DLLs",
"T1546.010": "Event Triggered Execution::AppInit DLLs",
"T1546.011": "Event Triggered Execution::Application Shimming",
"T1546.012": "Event Triggered Execution::Image File Execution Options Injection",
"T1546.013": "Event Triggered Execution::PowerShell Profile",
"T1546.014": "Event Triggered Execution::Emond",
"T1546.015": "Event Triggered Execution::Component Object Model Hijacking",
"T1546.016": "Event Triggered Execution::Installer Packages",
"T1547": "Boot or Logon Autostart Execution",
"T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder",
"T1547.002": "Boot or Logon Autostart Execution::Authentication Package",
"T1547.003": "Boot or Logon Autostart Execution::Time Providers",
"T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL",
"T1547.005": "Boot or Logon Autostart Execution::Security Support Provider",
"T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions",
"T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications",
"T1547.008": "Boot or Logon Autostart Execution::LSASS Driver",
"T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification",
"T1547.010": "Boot or Logon Autostart Execution::Port Monitors",
"T1547.012": "Boot or Logon Autostart Execution::Print Processors",
"T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries",
"T1547.014": "Boot or Logon Autostart Execution::Active Setup",
"T1547.015": "Boot or Logon Autostart Execution::Login Items",
"T1548": "Abuse Elevation Control Mechanism",
"T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid",
"T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control",
"T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching",
"T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt",
"T1548.005": "Abuse Elevation Control Mechanism::Temporary Elevated Cloud Access",
"T1574": "Hijack Execution Flow",
"T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking",
"T1574.002": "Hijack Execution Flow::DLL Side-Loading",
"T1574.004": "Hijack Execution Flow::Dylib Hijacking",
"T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness",
"T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking",
"T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable",
"T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking",
"T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path",
"T1574.010": "Hijack Execution Flow::Services File Permissions Weakness",
"T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness",
"T1574.012": "Hijack Execution Flow::COR_PROFILER",
"T1574.013": "Hijack Execution Flow::KernelCallbackTable",
"T1611": "Escape to Host"
},
"Defense Evasion": {
"T1006": "Direct Volume Access",
"T1014": "Rootkit",
"T1027": "Obfuscated Files or Information",
"T1027.001": "Obfuscated Files or Information::Binary Padding",
"T1027.002": "Obfuscated Files or Information::Software Packing",
"T1027.003": "Obfuscated Files or Information::Steganography",
"T1027.004": "Obfuscated Files or Information::Compile After Delivery",
"T1027.005": "Obfuscated Files or Information::Indicator Removal from Tools",
"T1027.006": "Obfuscated Files or Information::HTML Smuggling",
"T1027.007": "Obfuscated Files or Information::Dynamic API Resolution",
"T1027.008": "Obfuscated Files or Information::Stripped Payloads",
"T1027.009": "Obfuscated Files or Information::Embedded Payloads",
"T1027.010": "Obfuscated Files or Information::Command Obfuscation",
"T1027.011": "Obfuscated Files or Information::Fileless Storage",
"T1027.012": "Obfuscated Files or Information::LNK Icon Smuggling",
"T1036": "Masquerading",
"T1036.001": "Masquerading::Invalid Code Signature",
"T1036.002": "Masquerading::Right-to-Left Override",
"T1036.003": "Masquerading::Rename System Utilities",
"T1036.004": "Masquerading::Masquerade Task or Service",
"T1036.005": "Masquerading::Match Legitimate Name or Location",
"T1036.006": "Masquerading::Space after Filename",
"T1036.007": "Masquerading::Double File Extension",
"T1036.008": "Masquerading::Masquerade File Type",
"T1036.009": "Masquerading::Break Process Trees",
"T1055": "Process Injection",
"T1055.001": "Process Injection::Dynamic-link Library Injection",
"T1055.002": "Process Injection::Portable Executable Injection",
"T1055.003": "Process Injection::Thread Execution Hijacking",
"T1055.004": "Process Injection::Asynchronous Procedure Call",
"T1055.005": "Process Injection::Thread Local Storage",
"T1055.008": "Process Injection::Ptrace System Calls",
"T1055.009": "Process Injection::Proc Memory",
"T1055.011": "Process Injection::Extra Window Memory Injection",
"T1055.012": "Process Injection::Process Hollowing",
"T1055.013": "Process Injection::Process Doppelg\u00e4nging",
"T1055.014": "Process Injection::VDSO Hijacking",
"T1055.015": "Process Injection::ListPlanting",
"T1070": "Indicator Removal",
"T1070.001": "Indicator Removal::Clear Windows Event Logs",
"T1070.002": "Indicator Removal::Clear Linux or Mac System Logs",
"T1070.003": "Indicator Removal::Clear Command History",
"T1070.004": "Indicator Removal::File Deletion",
"T1070.005": "Indicator Removal::Network Share Connection Removal",
"T1070.006": "Indicator Removal::Timestomp",
"T1070.007": "Indicator Removal::Clear Network Connection History and Configurations",
"T1070.008": "Indicator Removal::Clear Mailbox Data",
"T1070.009": "Indicator Removal::Clear Persistence",
"T1078": "Valid Accounts",
"T1078.001": "Valid Accounts::Default Accounts",
"T1078.002": "Valid Accounts::Domain Accounts",
"T1078.003": "Valid Accounts::Local Accounts",
"T1078.004": "Valid Accounts::Cloud Accounts",
"T1112": "Modify Registry",
"T1127": "Trusted Developer Utilities Proxy Execution",
"T1127.001": "Trusted Developer Utilities Proxy Execution::MSBuild",
"T1134": "Access Token Manipulation",
"T1134.001": "Access Token Manipulation::Token Impersonation/Theft",
"T1134.002": "Access Token Manipulation::Create Process with Token",
"T1134.003": "Access Token Manipulation::Make and Impersonate Token",
"T1134.004": "Access Token Manipulation::Parent PID Spoofing",
"T1134.005": "Access Token Manipulation::SID-History Injection",
"T1140": "Deobfuscate/Decode Files or Information",
"T1197": "BITS Jobs",
"T1202": "Indirect Command Execution",
"T1205": "Traffic Signaling",
"T1205.001": "Traffic Signaling::Port Knocking",
"T1205.002": "Traffic Signaling::Socket Filters",
"T1207": "Rogue Domain Controller",
"T1211": "Exploitation for Defense Evasion",
"T1216": "System Script Proxy Execution",
"T1216.001": "System Script Proxy Execution::PubPrn",
"T1218": "System Binary Proxy Execution",
"T1218.001": "System Binary Proxy Execution::Compiled HTML File",
"T1218.002": "System Binary Proxy Execution::Control Panel",
"T1218.003": "System Binary Proxy Execution::CMSTP",
"T1218.004": "System Binary Proxy Execution::InstallUtil",
"T1218.005": "System Binary Proxy Execution::Mshta",
"T1218.007": "System Binary Proxy Execution::Msiexec",
"T1218.008": "System Binary Proxy Execution::Odbcconf",
"T1218.009": "System Binary Proxy Execution::Regsvcs/Regasm",
"T1218.010": "System Binary Proxy Execution::Regsvr32",
"T1218.011": "System Binary Proxy Execution::Rundll32",
"T1218.012": "System Binary Proxy Execution::Verclsid",
"T1218.013": "System Binary Proxy Execution::Mavinject",
"T1218.014": "System Binary Proxy Execution::MMC",
"T1220": "XSL Script Processing",
"T1221": "Template Injection",
"T1222": "File and Directory Permissions Modification",
"T1222.001": "File and Directory Permissions Modification::Windows File and Directory Permissions Modification",
"T1222.002": "File and Directory Permissions Modification::Linux and Mac File and Directory Permissions Modification",
"T1480": "Execution Guardrails",
"T1480.001": "Execution Guardrails::Environmental Keying",
"T1484": "Domain Policy Modification",
"T1484.001": "Domain Policy Modification::Group Policy Modification",
"T1484.002": "Domain Policy Modification::Domain Trust Modification",
"T1497": "Virtualization/Sandbox Evasion",
"T1497.001": "Virtualization/Sandbox Evasion::System Checks",
"T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks",
"T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion",
"T1535": "Unused/Unsupported Cloud Regions",
"T1542": "Pre-OS Boot",
"T1542.001": "Pre-OS Boot::System Firmware",
"T1542.002": "Pre-OS Boot::Component Firmware",
"T1542.003": "Pre-OS Boot::Bootkit",
"T1542.004": "Pre-OS Boot::ROMMONkit",
"T1542.005": "Pre-OS Boot::TFTP Boot",
"T1548": "Abuse Elevation Control Mechanism",
"T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid",
"T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control",
"T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching",
"T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt",
"T1548.005": "Abuse Elevation Control Mechanism::Temporary Elevated Cloud Access",
"T1550": "Use Alternate Authentication Material",
"T1550.001": "Use Alternate Authentication Material::Application Access Token",
"T1550.002": "Use Alternate Authentication Material::Pass the Hash",
"T1550.003": "Use Alternate Authentication Material::Pass the Ticket",
"T1550.004": "Use Alternate Authentication Material::Web Session Cookie",
"T1553": "Subvert Trust Controls",
"T1553.001": "Subvert Trust Controls::Gatekeeper Bypass",
"T1553.002": "Subvert Trust Controls::Code Signing",
"T1553.003": "Subvert Trust Controls::SIP and Trust Provider Hijacking",
"T1553.004": "Subvert Trust Controls::Install Root Certificate",
"T1553.005": "Subvert Trust Controls::Mark-of-the-Web Bypass",
"T1553.006": "Subvert Trust Controls::Code Signing Policy Modification",
"T1556": "Modify Authentication Process",
"T1556.001": "Modify Authentication Process::Domain Controller Authentication",
"T1556.002": "Modify Authentication Process::Password Filter DLL",
"T1556.003": "Modify Authentication Process::Pluggable Authentication Modules",
"T1556.004": "Modify Authentication Process::Network Device Authentication",
"T1556.005": "Modify Authentication Process::Reversible Encryption",
"T1556.006": "Modify Authentication Process::Multi-Factor Authentication",
"T1556.007": "Modify Authentication Process::Hybrid Identity",
"T1556.008": "Modify Authentication Process::Network Provider DLL",
"T1562": "Impair Defenses",
"T1562.001": "Impair Defenses::Disable or Modify Tools",
"T1562.002": "Impair Defenses::Disable Windows Event Logging",
"T1562.003": "Impair Defenses::Impair Command History Logging",
"T1562.004": "Impair Defenses::Disable or Modify System Firewall",
"T1562.006": "Impair Defenses::Indicator Blocking",
"T1562.007": "Impair Defenses::Disable or Modify Cloud Firewall",
"T1562.008": "Impair Defenses::Disable or Modify Cloud Logs",
"T1562.009": "Impair Defenses::Safe Mode Boot",
"T1562.010": "Impair Defenses::Downgrade Attack",
"T1562.011": "Impair Defenses::Spoof Security Alerting",
"T1562.012": "Impair Defenses::Disable or Modify Linux Audit System",
"T1564": "Hide Artifacts",
"T1564.001": "Hide Artifacts::Hidden Files and Directories",
"T1564.002": "Hide Artifacts::Hidden Users",
"T1564.003": "Hide Artifacts::Hidden Window",
"T1564.004": "Hide Artifacts::NTFS File Attributes",
"T1564.005": "Hide Artifacts::Hidden File System",
"T1564.006": "Hide Artifacts::Run Virtual Instance",
"T1564.007": "Hide Artifacts::VBA Stomping",
"T1564.008": "Hide Artifacts::Email Hiding Rules",
"T1564.009": "Hide Artifacts::Resource Forking",
"T1564.010": "Hide Artifacts::Process Argument Spoofing",
"T1564.011": "Hide Artifacts::Ignore Process Interrupts",
"T1574": "Hijack Execution Flow",
"T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking",
"T1574.002": "Hijack Execution Flow::DLL Side-Loading",
"T1574.004": "Hijack Execution Flow::Dylib Hijacking",
"T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness",
"T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking",
"T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable",
"T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking",
"T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path",
"T1574.010": "Hijack Execution Flow::Services File Permissions Weakness",
"T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness",
"T1574.012": "Hijack Execution Flow::COR_PROFILER",
"T1574.013": "Hijack Execution Flow::KernelCallbackTable",
"T1578": "Modify Cloud Compute Infrastructure",
"T1578.001": "Modify Cloud Compute Infrastructure::Create Snapshot",
"T1578.002": "Modify Cloud Compute Infrastructure::Create Cloud Instance",
"T1578.003": "Modify Cloud Compute Infrastructure::Delete Cloud Instance",
"T1578.004": "Modify Cloud Compute Infrastructure::Revert Cloud Instance",
"T1578.005": "Modify Cloud Compute Infrastructure::Modify Cloud Compute Configurations",
"T1599": "Network Boundary Bridging",
"T1599.001": "Network Boundary Bridging::Network Address Translation Traversal",
"T1600": "Weaken Encryption",
"T1600.001": "Weaken Encryption::Reduce Key Space",
"T1600.002": "Weaken Encryption::Disable Crypto Hardware",
"T1601": "Modify System Image",
"T1601.001": "Modify System Image::Patch System Image",
"T1601.002": "Modify System Image::Downgrade System Image",
"T1610": "Deploy Container",
"T1612": "Build Image on Host",
"T1620": "Reflective Code Loading",
"T1622": "Debugger Evasion",
"T1647": "Plist File Modification",
"T1656": "Impersonation"
},
"Credential Access": {
"T1003": "OS Credential Dumping",
"T1003.001": "OS Credential Dumping::LSASS Memory",
"T1003.002": "OS Credential Dumping::Security Account Manager",
"T1003.003": "OS Credential Dumping::NTDS",
"T1003.004": "OS Credential Dumping::LSA Secrets",
"T1003.005": "OS Credential Dumping::Cached Domain Credentials",
"T1003.006": "OS Credential Dumping::DCSync",
"T1003.007": "OS Credential Dumping::Proc Filesystem",
"T1003.008": "OS Credential Dumping::/etc/passwd and /etc/shadow",
"T1040": "Network Sniffing",
"T1056": "Input Capture",
"T1056.001": "Input Capture::Keylogging",
"T1056.002": "Input Capture::GUI Input Capture",
"T1056.003": "Input Capture::Web Portal Capture",
"T1056.004": "Input Capture::Credential API Hooking",
"T1110": "Brute Force",
"T1110.001": "Brute Force::Password Guessing",
"T1110.002": "Brute Force::Password Cracking",
"T1110.003": "Brute Force::Password Spraying",
"T1110.004": "Brute Force::Credential Stuffing",
"T1111": "Multi-Factor Authentication Interception",
"T1187": "Forced Authentication",
"T1212": "Exploitation for Credential Access",
"T1528": "Steal Application Access Token",
"T1539": "Steal Web Session Cookie",
"T1552": "Unsecured Credentials",
"T1552.001": "Unsecured Credentials::Credentials In Files",
"T1552.002": "Unsecured Credentials::Credentials in Registry",
"T1552.003": "Unsecured Credentials::Bash History",
"T1552.004": "Unsecured Credentials::Private Keys",
"T1552.005": "Unsecured Credentials::Cloud Instance Metadata API",
"T1552.006": "Unsecured Credentials::Group Policy Preferences",
"T1552.007": "Unsecured Credentials::Container API",
"T1552.008": "Unsecured Credentials::Chat Messages",
"T1555": "Credentials from Password Stores",
"T1555.001": "Credentials from Password Stores::Keychain",
"T1555.002": "Credentials from Password Stores::Securityd Memory",
"T1555.003": "Credentials from Password Stores::Credentials from Web Browsers",
"T1555.004": "Credentials from Password Stores::Windows Credential Manager",
"T1555.005": "Credentials from Password Stores::Password Managers",
"T1555.006": "Credentials from Password Stores::Cloud Secrets Management Stores",
"T1556": "Modify Authentication Process",
"T1556.001": "Modify Authentication Process::Domain Controller Authentication",
"T1556.002": "Modify Authentication Process::Password Filter DLL",
"T1556.003": "Modify Authentication Process::Pluggable Authentication Modules",
"T1556.004": "Modify Authentication Process::Network Device Authentication",
"T1556.005": "Modify Authentication Process::Reversible Encryption",
"T1556.006": "Modify Authentication Process::Multi-Factor Authentication",
"T1556.007": "Modify Authentication Process::Hybrid Identity",
"T1556.008": "Modify Authentication Process::Network Provider DLL",
"T1557": "Adversary-in-the-Middle",
"T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay",
"T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning",
"T1557.003": "Adversary-in-the-Middle::DHCP Spoofing",
"T1558": "Steal or Forge Kerberos Tickets",
"T1558.001": "Steal or Forge Kerberos Tickets::Golden Ticket",
"T1558.002": "Steal or Forge Kerberos Tickets::Silver Ticket",
"T1558.003": "Steal or Forge Kerberos Tickets::Kerberoasting",
"T1558.004": "Steal or Forge Kerberos Tickets::AS-REP Roasting",
"T1606": "Forge Web Credentials",
"T1606.001": "Forge Web Credentials::Web Cookies",
"T1606.002": "Forge Web Credentials::SAML Tokens",
"T1621": "Multi-Factor Authentication Request Generation",
"T1649": "Steal or Forge Authentication Certificates"
},
"Discovery": {
"T1007": "System Service Discovery",
"T1010": "Application Window Discovery",
"T1012": "Query Registry",
"T1016": "System Network Configuration Discovery",
"T1016.001": "System Network Configuration Discovery::Internet Connection Discovery",
"T1016.002": "System Network Configuration Discovery::Wi-Fi Discovery",
"T1018": "Remote System Discovery",
"T1033": "System Owner/User Discovery",
"T1040": "Network Sniffing",
"T1046": "Network Service Discovery",
"T1049": "System Network Connections Discovery",
"T1057": "Process Discovery",
"T1069": "Permission Groups Discovery",
"T1069.001": "Permission Groups Discovery::Local Groups",
"T1069.002": "Permission Groups Discovery::Domain Groups",
"T1069.003": "Permission Groups Discovery::Cloud Groups",
"T1082": "System Information Discovery",
"T1083": "File and Directory Discovery",
"T1087": "Account Discovery",
"T1087.001": "Account Discovery::Local Account",
"T1087.002": "Account Discovery::Domain Account",
"T1087.003": "Account Discovery::Email Account",
"T1087.004": "Account Discovery::Cloud Account",
"T1120": "Peripheral Device Discovery",
"T1124": "System Time Discovery",
"T1135": "Network Share Discovery",
"T1201": "Password Policy Discovery",
"T1217": "Browser Information Discovery",
"T1482": "Domain Trust Discovery",
"T1497": "Virtualization/Sandbox Evasion",
"T1497.001": "Virtualization/Sandbox Evasion::System Checks",
"T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks",
"T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion",
"T1518": "Software Discovery",
"T1518.001": "Software Discovery::Security Software Discovery",
"T1526": "Cloud Service Discovery",
"T1538": "Cloud Service Dashboard",
"T1580": "Cloud Infrastructure Discovery",
"T1613": "Container and Resource Discovery",
"T1614": "System Location Discovery",
"T1614.001": "System Location Discovery::System Language Discovery",
"T1615": "Group Policy Discovery",
"T1619": "Cloud Storage Object Discovery",
"T1622": "Debugger Evasion",
"T1652": "Device Driver Discovery",
"T1654": "Log Enumeration"
},
"Lateral Movement": {
"T1021": "Remote Services",
"T1021.001": "Remote Services::Remote Desktop Protocol",
"T1021.002": "Remote Services::SMB/Windows Admin Shares",
"T1021.003": "Remote Services::Distributed Component Object Model",
"T1021.004": "Remote Services::SSH",
"T1021.005": "Remote Services::VNC",
"T1021.006": "Remote Services::Windows Remote Management",
"T1021.007": "Remote Services::Cloud Services",
"T1021.008": "Remote Services::Direct Cloud VM Connections",
"T1072": "Software Deployment Tools",
"T1080": "Taint Shared Content",
"T1091": "Replication Through Removable Media",
"T1210": "Exploitation of Remote Services",
"T1534": "Internal Spearphishing",
"T1550": "Use Alternate Authentication Material",
"T1550.001": "Use Alternate Authentication Material::Application Access Token",
"T1550.002": "Use Alternate Authentication Material::Pass the Hash",
"T1550.003": "Use Alternate Authentication Material::Pass the Ticket",
"T1550.004": "Use Alternate Authentication Material::Web Session Cookie",
"T1563": "Remote Service Session Hijacking",
"T1563.001": "Remote Service Session Hijacking::SSH Hijacking",
"T1563.002": "Remote Service Session Hijacking::RDP Hijacking",
"T1570": "Lateral Tool Transfer"
},
"Collection": {
"T1005": "Data from Local System",
"T1025": "Data from Removable Media",
"T1039": "Data from Network Shared Drive",
"T1056": "Input Capture",
"T1056.001": "Input Capture::Keylogging",
"T1056.002": "Input Capture::GUI Input Capture",
"T1056.003": "Input Capture::Web Portal Capture",
"T1056.004": "Input Capture::Credential API Hooking",
"T1074": "Data Staged",
"T1074.001": "Data Staged::Local Data Staging",
"T1074.002": "Data Staged::Remote Data Staging",
"T1113": "Screen Capture",
"T1114": "Email Collection",
"T1114.001": "Email Collection::Local Email Collection",
"T1114.002": "Email Collection::Remote Email Collection",
"T1114.003": "Email Collection::Email Forwarding Rule",
"T1115": "Clipboard Data",
"T1119": "Automated Collection",
"T1123": "Audio Capture",
"T1125": "Video Capture",
"T1185": "Browser Session Hijacking",
"T1213": "Data from Information Repositories",
"T1213.001": "Data from Information Repositories::Confluence",
"T1213.002": "Data from Information Repositories::Sharepoint",
"T1213.003": "Data from Information Repositories::Code Repositories",
"T1530": "Data from Cloud Storage",
"T1557": "Adversary-in-the-Middle",
"T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay",
"T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning",
"T1557.003": "Adversary-in-the-Middle::DHCP Spoofing",
"T1560": "Archive Collected Data",
"T1560.001": "Archive Collected Data::Archive via Utility",
"T1560.002": "Archive Collected Data::Archive via Library",
"T1560.003": "Archive Collected Data::Archive via Custom Method",
"T1602": "Data from Configuration Repository",
"T1602.001": "Data from Configuration Repository::SNMP (MIB Dump)",
"T1602.002": "Data from Configuration Repository::Network Device Configuration Dump"
},
"Command and Control": {
"T1001": "Data Obfuscation",
"T1001.001": "Data Obfuscation::Junk Data",
"T1001.002": "Data Obfuscation::Steganography",
"T1001.003": "Data Obfuscation::Protocol Impersonation",
"T1008": "Fallback Channels",
"T1071": "Application Layer Protocol",
"T1071.001": "Application Layer Protocol::Web Protocols",
"T1071.002": "Application Layer Protocol::File Transfer Protocols",
"T1071.003": "Application Layer Protocol::Mail Protocols",
"T1071.004": "Application Layer Protocol::DNS",
"T1090": "Proxy",
"T1090.001": "Proxy::Internal Proxy",
"T1090.002": "Proxy::External Proxy",
"T1090.003": "Proxy::Multi-hop Proxy",
"T1090.004": "Proxy::Domain Fronting",
"T1092": "Communication Through Removable Media",
"T1095": "Non-Application Layer Protocol",
"T1102": "Web Service",
"T1102.001": "Web Service::Dead Drop Resolver",
"T1102.002": "Web Service::Bidirectional Communication",
"T1102.003": "Web Service::One-Way Communication",
"T1104": "Multi-Stage Channels",
"T1105": "Ingress Tool Transfer",
"T1132": "Data Encoding",
"T1132.001": "Data Encoding::Standard Encoding",
"T1132.002": "Data Encoding::Non-Standard Encoding",
"T1205": "Traffic Signaling",
"T1205.001": "Traffic Signaling::Port Knocking",
"T1205.002": "Traffic Signaling::Socket Filters",
"T1219": "Remote Access Software",
"T1568": "Dynamic Resolution",
"T1568.001": "Dynamic Resolution::Fast Flux DNS",
"T1568.002": "Dynamic Resolution::Domain Generation Algorithms",
"T1568.003": "Dynamic Resolution::DNS Calculation",
"T1571": "Non-Standard Port",
"T1572": "Protocol Tunneling",
"T1573": "Encrypted Channel",
"T1573.001": "Encrypted Channel::Symmetric Cryptography",
"T1573.002": "Encrypted Channel::Asymmetric Cryptography",
"T1659": "Content Injection"
},
"Exfiltration": {
"T1011": "Exfiltration Over Other Network Medium",
"T1011.001": "Exfiltration Over Other Network Medium::Exfiltration Over Bluetooth",
"T1020": "Automated Exfiltration",
"T1020.001": "Automated Exfiltration::Traffic Duplication",
"T1029": "Scheduled Transfer",
"T1030": "Data Transfer Size Limits",
"T1041": "Exfiltration Over C2 Channel",
"T1048": "Exfiltration Over Alternative Protocol",
"T1048.001": "Exfiltration Over Alternative Protocol::Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
"T1048.002": "Exfiltration Over Alternative Protocol::Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"T1048.003": "Exfiltration Over Alternative Protocol::Exfiltration Over Unencrypted Non-C2 Protocol",
"T1052": "Exfiltration Over Physical Medium",
"T1052.001": "Exfiltration Over Physical Medium::Exfiltration over USB",
"T1537": "Transfer Data to Cloud Account",
"T1567": "Exfiltration Over Web Service",
"T1567.001": "Exfiltration Over Web Service::Exfiltration to Code Repository",
"T1567.002": "Exfiltration Over Web Service::Exfiltration to Cloud Storage",
"T1567.003": "Exfiltration Over Web Service::Exfiltration to Text Storage Sites",
"T1567.004": "Exfiltration Over Web Service::Exfiltration Over Webhook"
},
"Impact": {
"T1485": "Data Destruction",
"T1486": "Data Encrypted for Impact",
"T1489": "Service Stop",
"T1490": "Inhibit System Recovery",
"T1491": "Defacement",
"T1491.001": "Defacement::Internal Defacement",
"T1491.002": "Defacement::External Defacement",
"T1495": "Firmware Corruption",
"T1496": "Resource Hijacking",
"T1498": "Network Denial of Service",
"T1498.001": "Network Denial of Service::Direct Network Flood",
"T1498.002": "Network Denial of Service::Reflection Amplification",
"T1499": "Endpoint Denial of Service",
"T1499.001": "Endpoint Denial of Service::OS Exhaustion Flood",
"T1499.002": "Endpoint Denial of Service::Service Exhaustion Flood",
"T1499.003": "Endpoint Denial of Service::Application Exhaustion Flood",
"T1499.004": "Endpoint Denial of Service::Application or System Exploitation",
"T1529": "System Shutdown/Reboot",
"T1531": "Account Access Removal",
"T1561": "Disk Wipe",
"T1561.001": "Disk Wipe::Disk Content Wipe",
"T1561.002": "Disk Wipe::Disk Structure Wipe",
"T1565": "Data Manipulation",
"T1565.001": "Data Manipulation::Stored Data Manipulation",
"T1565.002": "Data Manipulation::Transmitted Data Manipulation",
"T1565.003": "Data Manipulation::Runtime Data Manipulation",
"T1657": "Financial Theft"
}
},
"mbc": {
"Credential Access": {
"B0028": "Cryptocurrency",
"B0028.001": "Cryptocurrency::Bitcoin",
"B0028.002": "Cryptocurrency::Ethereum",
"B0028.003": "Cryptocurrency::Zcash",
"E1056": "Input Capture",
"E1056.m01": "Input Capture::Mouse Events",
"E1113": "Screen Capture",
"E1113.m01": "Screen Capture::WinAPI",
"F0002": "Keylogging",
"F0002.001": "Keylogging::Application Hook",
"F0002.002": "Keylogging::Polling",
"F0015": "Hijack Execution Flow",
"F0015.001": "Hijack Execution Flow::Export Address Table Hooking",
"F0015.002": "Hijack Execution Flow::Inline Patching",
"F0015.003": "Hijack Execution Flow::Import Address Table Hooking",
"F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking",
"F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking",
"F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls",
"F0015.007": "Hijack Execution Flow::Procedure Hooking"
},
"Anti-Static Analysis": {
"B0008": "Executable Code Virtualization",
"B0008.001": "Executable Code Virtualization::Multiple VMs",
"B0010": "Call Graph Generation Evasion",
"B0010.001": "Call Graph Generation Evasion::Two-layer Function Return",
"B0010.002": "Call Graph Generation Evasion::Invoke NTDLL System Calls via Encoded Table",
"B0012": "Disassembler Evasion",
"B0012.002": "Disassembler Evasion::Conditional Misdirection",
"B0012.003": "Disassembler Evasion::Value Dependent Jumps",
"B0012.005": "Disassembler Evasion::VBA Stomping",
"B0012.006": "Disassembler Evasion::Desynchronizing Opaque Predicates",
"B0032": "Executable Code Obfuscation",
"B0032.001": "Executable Code Obfuscation::API Hashing",
"B0032.002": "Executable Code Obfuscation::Code Insertion",
"B0032.003": "Executable Code Obfuscation::Dead Code Insertion",
"B0032.004": "Executable Code Obfuscation::Fake Code Insertion",
"B0032.005": "Executable Code Obfuscation::Jump Insertion",
"B0032.006": "Executable Code Obfuscation::Thunk Code Insertion",
"B0032.007": "Executable Code Obfuscation::Junk Code Insertion",
"B0032.008": "Executable Code Obfuscation::Data Value Obfuscation",
"B0032.009": "Executable Code Obfuscation::Entry Point Obfuscation",
"B0032.010": "Executable Code Obfuscation::Guard Pages",
"B0032.011": "Executable Code Obfuscation::Import Address Table Obfuscation",
"B0032.012": "Executable Code Obfuscation::Import Compression",
"B0032.013": "Executable Code Obfuscation::Instruction Overlap",
"B0032.014": "Executable Code Obfuscation::Interleaving Code",
"B0032.015": "Executable Code Obfuscation::Merged Code Sections",
"B0032.016": "Executable Code Obfuscation::Structured Exception Handling (SEH)",
"B0032.017": "Executable Code Obfuscation::Stack Strings",
"B0032.018": "Executable Code Obfuscation::Symbol Obfuscation",
"B0032.019": "Executable Code Obfuscation::Opaque Predicate",
"B0032.020": "Executable Code Obfuscation::Argument Obfuscation",
"B0032.021": "Executable Code Obfuscation::Variable Recomposition",
"B0034": "Executable Code Optimization",
"B0034.001": "Executable Code Optimization::Jump/Call Absolute Address",
"B0034.002": "Executable Code Optimization::Minification",
"B0045": "Data Flow Analysis Evasion",
"B0045.001": "Data Flow Analysis Evasion::Control Dependence",
"B0045.002": "Data Flow Analysis Evasion::Implicit Flows",
"B0045.003": "Data Flow Analysis Evasion::Arbitrary Memory Corruption",
"E1027": "Obfuscated Files or Information",
"E1027.m01": "Obfuscated Files or Information::Encoding",
"E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm",
"E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm",
"E1027.m04": "Obfuscated Files or Information::Encryption",
"E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm",
"E1027.m06": "Obfuscated Files or Information::Encryption of Code",
"E1027.m07": "Obfuscated Files or Information::Encryption of Data",
"E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm",
"F0001": "Software Packing",
"F0001.001": "Software Packing::Nested Packing",
"F0001.002": "Software Packing::Standard Compression",
"F0001.003": "Software Packing::Standard Compression of Code",
"F0001.004": "Software Packing::Standard Compression of Data",
"F0001.005": "Software Packing::Custom Compression",
"F0001.006": "Software Packing::Custom Compression of Code",
"F0001.007": "Software Packing::Custom Compression of Data",
"F0001.008": "Software Packing::UPX",
"F0001.009": "Software Packing::Confuser",
"F0001.010": "Software Packing::VMProtect",
"F0001.011": "Software Packing::Themida",
"F0001.012": "Software Packing::Armadillo",
"F0001.013": "Software Packing::ASPack"
},
"Discovery": {
"B0013": "Analysis Tool Discovery",
"B0013.001": "Analysis Tool Discovery::Process detection",
"B0013.002": "Analysis Tool Discovery::Process detection - Debuggers",
"B0013.003": "Analysis Tool Discovery::Process detection - SysInternals Suite Tools",
"B0013.004": "Analysis Tool Discovery::Process detection - PCAP Utilities",
"B0013.005": "Analysis Tool Discovery::Process detection - Process Utilities",
"B0013.006": "Analysis Tool Discovery::Process detection - PE Utilities",
"B0013.007": "Analysis Tool Discovery::Process detection - Sandboxes",
"B0013.008": "Analysis Tool Discovery::Known File Location",
"B0013.009": "Analysis Tool Discovery::Known Window",
"B0013.010": "Analysis Tool Discovery::Known Windows Class Name",
"B0014": "SMTP Connection Discovery",
"B0038": "Self Discovery",
"B0043": "Taskbar Discovery",
"B0046": "Code Discovery",
"B0046.001": "Code Discovery::Enumerate PE Sections",
"B0046.002": "Code Discovery::Inspect Section Memory Permissions",
"E1010": "Application Window Discovery",
"E1082": "System Information Discovery",
"E1082.m01": "System Information Discovery::Generate Windows Exception",
"E1083": "File and Directory Discovery",
"E1083.m01": "File and Directory Discovery::Log File",
"E1083.m02": "File and Directory Discovery::Filter by Extension"
},
"Privilege Escalation": {
"E1055": "Process Injection",
"E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx",
"E1055.m02": "Process Injection::Injection and Persistence via Registry Modification",
"E1055.m03": "Process Injection::Injection using Shims",
"E1055.m04": "Process Injection::Patch Process Command Line",
"E1055.m05": "Process Injection::Injection via Windows Fibers",
"E1608": "Install Certificate",
"F0010": "Kernel Modules and Extensions",
"F0010.001": "Kernel Modules and Extensions::Device Driver",
"F0011": "Modify Existing Service",
"F0015": "Hijack Execution Flow",
"F0015.001": "Hijack Execution Flow::Export Address Table Hooking",
"F0015.002": "Hijack Execution Flow::Inline Patching",
"F0015.003": "Hijack Execution Flow::Import Address Table Hooking",
"F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking",
"F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking",
"F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls",
"F0015.007": "Hijack Execution Flow::Procedure Hooking"
},
"Collection": {
"B0028": "Cryptocurrency",
"B0028.001": "Cryptocurrency::Bitcoin",
"B0028.002": "Cryptocurrency::Ethereum",
"B0028.003": "Cryptocurrency::Zcash",
"E1056": "Input Capture",
"E1056.m01": "Input Capture::Mouse Events",
"E1113": "Screen Capture",
"E1113.m01": "Screen Capture::WinAPI",
"F0002": "Keylogging",
"F0002.001": "Keylogging::Application Hook",
"F0002.002": "Keylogging::Polling",
"F0015": "Hijack Execution Flow",
"F0015.001": "Hijack Execution Flow::Export Address Table Hooking",
"F0015.002": "Hijack Execution Flow::Inline Patching",
"F0015.003": "Hijack Execution Flow::Import Address Table Hooking",
"F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking",
"F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking",
"F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls",
"F0015.007": "Hijack Execution Flow::Procedure Hooking"
},
"Lateral Movement": {
"B0020": "Send Email",
"B0021": "Send Poisoned Text Message",
"B0026": "Malicious Network Driver",
"E1105": "Ingress Tool Transfer",
"E1195": "Supply Chain Compromise",
"E1195.m01": "Supply Chain Compromise::Abuse Enterprise Certificates",
"E1195.m02": "Supply Chain Compromise::Exploit Private APIs"
},
"Command and Control": {
"B0030": "C2 Communication",
"B0030.001": "C2 Communication::Send Data",
"B0030.002": "C2 Communication::Receive Data",
"B0030.003": "C2 Communication::Server to Client File Transfer",
"B0030.004": "C2 Communication::Implant to Controller File Transfer",
"B0030.005": "C2 Communication::Check for Payload",
"B0030.006": "C2 Communication::Send System Information",
"B0030.007": "C2 Communication::Send Heartbeat",
"B0030.008": "C2 Communication::Request Command",
"B0030.009": "C2 Communication::Request Email Template",
"B0030.010": "C2 Communication::Request Email Address List",
"B0030.011": "C2 Communication::Authenticate",
"B0030.012": "C2 Communication::Directory Listing",
"B0030.013": "C2 Communication::Execute File",
"B0030.014": "C2 Communication::Execute Shell Command",
"B0030.015": "C2 Communication::File search",
"B0030.016": "C2 Communication::Start Interactive Shell",
"B0031": "Domain Name Generation",
"E1105": "Ingress Tool Transfer"
},
"Execution": {
"B0011": "Remote Commands",
"B0011.001": "Remote Commands::Delete File",
"B0011.002": "Remote Commands::Download File",
"B0011.003": "Remote Commands::Execute",
"B0011.004": "Remote Commands::Shutdown",
"B0011.005": "Remote Commands::Sleep",
"B0011.006": "Remote Commands::Uninstall",
"B0011.007": "Remote Commands::Upload File",
"B0020": "Send Email",
"B0021": "Send Poisoned Text Message",
"B0023": "Install Additional Program",
"B0024": "Prevent Concurrent Execution",
"B0025": "Conditional Execution",
"B0025.001": "Conditional Execution::Suicide Exit",
"B0025.002": "Conditional Execution::Environmental Keys",
"B0025.003": "Conditional Execution::GetVolumeInformation",
"B0025.004": "Conditional Execution::Host Fingerprint Check",
"B0025.005": "Conditional Execution::Secure Triggers",
"B0025.006": "Conditional Execution::Token Check",
"B0025.007": "Conditional Execution::Runs as Service",
"B0025.008": "Conditional Execution::Deposited Keys",
"B0044": "Execution Dependency",
"E1059": "Command and Scripting Interpreter",
"E1203": "Exploitation for Client Execution",
"E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols",
"E1203.m02": "Exploitation for Client Execution::Java-based Web Servers",
"E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers",
"E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products",
"E1203.m05": "Exploitation for Client Execution::Sysinternals",
"E1203.m06": "Exploitation for Client Execution::Windows Utilities",
"E1204": "User Execution",
"E1569": "System Services",
"E1569.m01": "System Services::MSDTC"
},
"Persistence": {
"B0022": "Remote Access",
"B0022.001": "Remote Access::Reverse Shell",
"B0026": "Malicious Network Driver",
"B0035": "Shutdown Event",
"B0047": "Install Insecure or Malicious Configuration",
"E1105": "Ingress Tool Transfer",
"E1112": "Modify Registry",
"E1564": "Hide Artifacts",
"E1564.m01": "Hide Artifacts::Hidden Userspace Libraries",
"E1564.m02": "Hide Artifacts::Direct Kernel Object Manipulation",
"E1564.m03": "Hide Artifacts::Hidden Processes",
"E1564.m04": "Hide Artifacts::Hidden Services",
"E1564.m05": "Hide Artifacts::Hidden Kernel Modules",
"F0005": "Hidden Files and Directories",
"F0005.001": "Hidden Files and Directories::Extension",
"F0005.002": "Hidden Files and Directories::Location",
"F0005.003": "Hidden Files and Directories::Attribute",
"F0005.004": "Hidden Files and Directories::Timestamp",
"F0009": "Component Firmware",
"F0009.001": "Component Firmware::Router Firmware",
"F0010": "Kernel Modules and Extensions",
"F0010.001": "Kernel Modules and Extensions::Device Driver",
"F0011": "Modify Existing Service",
"F0012": "Registry Run Keys / Startup Folder",
"F0013": "Bootkit",
"F0015": "Hijack Execution Flow",
"F0015.001": "Hijack Execution Flow::Export Address Table Hooking",
"F0015.002": "Hijack Execution Flow::Inline Patching",
"F0015.003": "Hijack Execution Flow::Import Address Table Hooking",
"F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking",
"F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking",
"F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls",
"F0015.007": "Hijack Execution Flow::Procedure Hooking"
},
"Impact": {
"B0016": "Compromise Data Integrity",
"B0017": "Destroy Hardware",
"B0018": "Resource Hijacking",
"B0018.001": "Resource Hijacking::Password Cracking",
"B0018.002": "Resource Hijacking::Cryptojacking",
"B0019": "Manipulate Network Traffic",
"B0022": "Remote Access",
"B0022.001": "Remote Access::Reverse Shell",
"B0033": "Denial of Service",
"B0039": "Spamming",
"B0042": "Modify Hardware",
"B0042.001": "Modify Hardware::CDROM",
"B0042.002": "Modify Hardware::Mouse",
"B0042.003": "Modify Hardware::Printer",
"E1190": "Exploit Kit",
"E1203": "Exploitation for Client Execution",
"E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols",
"E1203.m02": "Exploitation for Client Execution::Java-based Web Servers",
"E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers",
"E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products",
"E1203.m05": "Exploitation for Client Execution::Sysinternals",
"E1203.m06": "Exploitation for Client Execution::Windows Utilities",
"E1485": "Data Destruction",
"E1485.m02": "Data Destruction::Empty Recycle Bin",
"E1485.m03": "Data Destruction::Delete Application/Software",
"E1485.m04": "Data Destruction::Delete Shadow Copies",
"E1486": "Data Encrypted for Impact",
"E1486.001": "Data Encrypted for Impact::Ransom Note",
"E1510": "Clipboard Modification",
"E1643": "Generate Traffic from Victim",
"E1643.m01": "Generate Traffic from Victim::Click Hijacking",
"E1643.m02": "Generate Traffic from Victim::Advertisement Replacement Fraud",
"F0009": "Component Firmware",
"F0009.001": "Component Firmware::Router Firmware",
"F0014": "Disk Wipe"
},
"Exfiltration": {
"E1020": "Automated Exfiltration",
"E1020.m01": "Automated Exfiltration::Exfiltrate via File Hosting Service",
"E1560": "Archive Collected Data",
"E1560.m01": "Archive Collected Data::Encoding",
"E1560.m02": "Archive Collected Data::Encryption",
"E1560.m03": "Archive Collected Data::Encoding - Standard Encoding",
"E1560.m04": "Archive Collected Data::Encoding - Custom Encoding",
"E1560.m05": "Archive Collected Data::Encryption - Standard Encryption",
"E1560.m06": "Archive Collected Data::Encryption - Custom Encryption"
},
"Anti-Behavioral Analysis": {
"B0001": "Debugger Detection",
"B0001.001": "Debugger Detection::API Hook Detection",
"B0001.002": "Debugger Detection::CheckRemoteDebuggerPresent",
"B0001.003": "Debugger Detection::CloseHandle",
"B0001.004": "Debugger Detection::Debugger Artifacts",
"B0001.005": "Debugger Detection::Hardware Breakpoints",
"B0001.006": "Debugger Detection::Interruption",
"B0001.008": "Debugger Detection::IsDebuggerPresent",
"B0001.009": "Debugger Detection::Memory Breakpoints",
"B0001.010": "Debugger Detection::Memory Write Watching",
"B0001.011": "Debugger Detection::Monitoring Thread",
"B0001.012": "Debugger Detection::NtQueryInformationProcess",
"B0001.013": "Debugger Detection::NtQueryObject",
"B0001.014": "Debugger Detection::NtSetInformationThread",
"B0001.015": "Debugger Detection::NtYieldExecution/SwitchToThread",
"B0001.016": "Debugger Detection::OutputDebugString",
"B0001.017": "Debugger Detection::Page Exception Breakpoint Detection",
"B0001.018": "Debugger Detection::Parent Process",
"B0001.019": "Debugger Detection::Process Environment Block",
"B0001.020": "Debugger Detection::Process Jobs",
"B0001.021": "Debugger Detection::ProcessHeap",
"B0001.022": "Debugger Detection::RtlAdjustPrivilege",
"B0001.023": "Debugger Detection::SeDebugPrivilege",
"B0001.024": "Debugger Detection::SetHandleInformation",
"B0001.025": "Debugger Detection::Software Breakpoints",
"B0001.026": "Debugger Detection::Stack Canary",
"B0001.027": "Debugger Detection::TIB Aware",
"B0001.028": "Debugger Detection::Timing/Delay Check",
"B0001.029": "Debugger Detection::TLS Callbacks",
"B0001.030": "Debugger Detection::UnhandledExceptionFilter",
"B0001.031": "Debugger Detection::WudfIsAnyDebuggerPresent",
"B0001.032": "Debugger Detection::Timing/Delay Check GetTickCount",
"B0001.033": "Debugger Detection::Timing/Delay Check QueryPerformanceCounter",
"B0001.034": "Debugger Detection::Anti-debugging Instructions",
"B0001.035": "Debugger Detection::Process Environment Block BeingDebugged",
"B0001.036": "Debugger Detection::Process Environment Block NtGlobalFlag",
"B0001.037": "Debugger Detection::Process Environment Block IsDebugged",
"B0001.038": "Debugger Detection::Check Processes",
"B0002": "Debugger Evasion",
"B0002.001": "Debugger Evasion::Block Interrupts",
"B0002.002": "Debugger Evasion::Break Point Clearing",
"B0002.003": "Debugger Evasion::Byte Stealing",
"B0002.004": "Debugger Evasion::Change SizeOfImage",
"B0002.005": "Debugger Evasion::Code Integrity Check",
"B0002.006": "Debugger Evasion::Exception Misdirection",
"B0002.007": "Debugger Evasion::Get Base Indirectly",
"B0002.008": "Debugger Evasion::Guard Pages",
"B0002.009": "Debugger Evasion::Hook Interrupt",
"B0002.010": "Debugger Evasion::Import Obfuscation",
"B0002.011": "Debugger Evasion::Inlining",
"B0002.012": "Debugger Evasion::Loop Escapes",
"B0002.013": "Debugger Evasion::Malloc Use",
"B0002.014": "Debugger Evasion::Modify PE Header",
"B0002.015": "Debugger Evasion::Nanomites",
"B0002.016": "Debugger Evasion::Obfuscate Library Use",
"B0002.017": "Debugger Evasion::Parallel Threads",
"B0002.018": "Debugger Evasion::Pipeline Misdirection",
"B0002.019": "Debugger Evasion::Pre-Debug",
"B0002.020": "Debugger Evasion::Relocate API Code",
"B0002.021": "Debugger Evasion::Return Obfuscation",
"B0002.022": "Debugger Evasion::RtlAdjustPrivilege",
"B0002.023": "Debugger Evasion::Section Misalignment",
"B0002.024": "Debugger Evasion::Self-Debugging",
"B0002.025": "Debugger Evasion::Self-Unmapping",
"B0002.026": "Debugger Evasion::Static Linking",
"B0002.027": "Debugger Evasion::Stolen API Code",
"B0002.028": "Debugger Evasion::Tampering",
"B0002.029": "Debugger Evasion::Thread Timeout",
"B0002.030": "Debugger Evasion::Use Interrupts",
"B0003": "Dynamic Analysis Evasion",
"B0003.001": "Dynamic Analysis Evasion::Alternative ntdll.dll",
"B0003.002": "Dynamic Analysis Evasion::Data Flood",
"B0003.003": "Dynamic Analysis Evasion::Delayed Execution",
"B0003.004": "Dynamic Analysis Evasion::Demo Mode",
"B0003.005": "Dynamic Analysis Evasion::Drop Code",
"B0003.006": "Dynamic Analysis Evasion::Encode File",
"B0003.007": "Dynamic Analysis Evasion::Hook File System",
"B0003.008": "Dynamic Analysis Evasion::Hook Interrupt",
"B0003.009": "Dynamic Analysis Evasion::Illusion",
"B0003.010": "Dynamic Analysis Evasion::Restart",
"B0003.011": "Dynamic Analysis Evasion::Code Integrity Check",
"B0003.012": "Dynamic Analysis Evasion::API Hammering",
"B0004": "Emulator Detection",
"B0004.001": "Emulator Detection::Check for Emulator-related Files",
"B0004.002": "Emulator Detection::Check for WINE Version",
"B0004.003": "Emulator Detection::Check Emulator-related Registry Keys",
"B0004.004": "Emulator Detection::Failed Network Connections",
"B0005": "Emulator Evasion",
"B0005.001": "Emulator Evasion::Different Opcode Sets",
"B0005.002": "Emulator Evasion::Undocumented/Unimplemented Opcodes",
"B0005.003": "Emulator Evasion::Unusual/Undocumented API Calls",
"B0005.004": "Emulator Evasion::Extra Loops/Time Locks",
"B0006": "Memory Dump Evasion",
"B0006.001": "Memory Dump Evasion::Code Encryption in Memory",
"B0006.002": "Memory Dump Evasion::Erase the PE header",
"B0006.003": "Memory Dump Evasion::Hide virtual memory",
"B0006.004": "Memory Dump Evasion::SizeOfImage",
"B0006.005": "Memory Dump Evasion::Tampering",
"B0006.006": "Memory Dump Evasion::Guard Pages",
"B0006.007": "Memory Dump Evasion::On-the-Fly APIs",
"B0006.008": "Memory Dump Evasion::Feed Misinformation",
"B0006.009": "Memory Dump Evasion::Flow Opcode Obstruction",
"B0006.010": "Memory Dump Evasion::Hook memory mapping APIs",
"B0006.011": "Memory Dump Evasion::Patch MmGetPhysicalMemoryRanges",
"B0007": "Sandbox Detection",
"B0007.001": "Sandbox Detection::Check Clipboard Data",
"B0007.002": "Sandbox Detection::Check Files",
"B0007.003": "Sandbox Detection::Human User Check",
"B0007.004": "Sandbox Detection::Injected DLL Testing",
"B0007.005": "Sandbox Detection::Product Key/ID Testing",
"B0007.006": "Sandbox Detection::Screen Resolution Testing",
"B0007.007": "Sandbox Detection::Self Check",
"B0007.008": "Sandbox Detection::Timing/Date Check",
"B0007.009": "Sandbox Detection::Timing/Uptime Check",
"B0007.010": "Sandbox Detection::Test API Routines",
"B0008": "Executable Code Virtualization",
"B0008.001": "Executable Code Virtualization::Multiple VMs",
"B0009": "Virtual Machine Detection",
"B0009.001": "Virtual Machine Detection::Check File and Directory Artifacts",
"B0009.002": "Virtual Machine Detection::Check Memory Artifacts",
"B0009.003": "Virtual Machine Detection::Check Named System Objects",
"B0009.004": "Virtual Machine Detection::Check Processes",
"B0009.005": "Virtual Machine Detection::Check Registry Keys",
"B0009.006": "Virtual Machine Detection::Check Running Services",
"B0009.007": "Virtual Machine Detection::Check Software",
"B0009.008": "Virtual Machine Detection::Check Virtual Devices",
"B0009.009": "Virtual Machine Detection::Check Windows",
"B0009.010": "Virtual Machine Detection::Guest Process Testing",
"B0009.011": "Virtual Machine Detection::HTML5 Performance Object Check",
"B0009.012": "Virtual Machine Detection::Human User Check",
"B0009.013": "Virtual Machine Detection::Modern Specs Check",
"B0009.014": "Virtual Machine Detection::Modern Specs Check - Total physical memory",
"B0009.015": "Virtual Machine Detection::Modern Specs Check - Drive size",
"B0009.016": "Virtual Machine Detection::Modern Specs Check - USB drive",
"B0009.017": "Virtual Machine Detection::Modern Specs Check - Printer",
"B0009.018": "Virtual Machine Detection::Modern Specs Check - Processor count",
"B0009.019": "Virtual Machine Detection::Modern Specs Check - Keyboard layout",
"B0009.020": "Virtual Machine Detection::Check Windows - Window size",
"B0009.021": "Virtual Machine Detection::Check Windows - Unique windows",
"B0009.022": "Virtual Machine Detection::Check Windows - Title bars",
"B0009.023": "Virtual Machine Detection::Unique Hardware/Firmware Check",
"B0009.024": "Virtual Machine Detection::Unique Hardware/Firmware Check - BIOS",
"B0009.025": "Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port",
"B0009.026": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Name",
"B0009.027": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Location",
"B0009.028": "Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address",
"B0009.029": "Virtual Machine Detection::Instruction Testing",
"B0009.030": "Virtual Machine Detection::Instruction Testing - SIDT (red pill)",
"B0009.031": "Virtual Machine Detection::Instruction Testing - SGDT/SLDT (no pill)",
"B0009.032": "Virtual Machine Detection::Instruction Testing - SMSW",
"B0009.033": "Virtual Machine Detection::Instruction Testing - STR",
"B0009.034": "Virtual Machine Detection::Instruction Testing - CPUID",
"B0009.035": "Virtual Machine Detection::Instruction Testing - IN",
"B0009.036": "Virtual Machine Detection::Instruction Testing - RDTSC",
"B0009.037": "Virtual Machine Detection::Instruction Testing - VMCPUID",
"B0009.038": "Virtual Machine Detection::Instruction Testing - VPCEXT",
"B0025": "Conditional Execution",
"B0025.001": "Conditional Execution::Suicide Exit",
"B0025.002": "Conditional Execution::Environmental Keys",
"B0025.003": "Conditional Execution::GetVolumeInformation",
"B0025.004": "Conditional Execution::Host Fingerprint Check",
"B0025.005": "Conditional Execution::Secure Triggers",
"B0025.006": "Conditional Execution::Token Check",
"B0025.007": "Conditional Execution::Runs as Service",
"B0025.008": "Conditional Execution::Deposited Keys",
"B0036": "Capture Evasion",
"B0036.001": "Capture Evasion::Memory-only Payload",
"B0036.002": "Capture Evasion::Encrypted Payloads",
"B0036.003": "Capture Evasion::Multiple Stages of Loaders",
"F0001": "Software Packing",
"F0001.001": "Software Packing::Nested Packing",
"F0001.002": "Software Packing::Standard Compression",
"F0001.003": "Software Packing::Standard Compression of Code",
"F0001.004": "Software Packing::Standard Compression of Data",
"F0001.005": "Software Packing::Custom Compression",
"F0001.006": "Software Packing::Custom Compression of Code",
"F0001.007": "Software Packing::Custom Compression of Data",
"F0001.008": "Software Packing::UPX",
"F0001.009": "Software Packing::Confuser",
"F0001.010": "Software Packing::VMProtect",
"F0001.011": "Software Packing::Themida",
"F0001.012": "Software Packing::Armadillo",
"F0001.013": "Software Packing::ASPack",
"F0015": "Hijack Execution Flow",
"F0015.001": "Hijack Execution Flow::Export Address Table Hooking",
"F0015.002": "Hijack Execution Flow::Inline Patching",
"F0015.003": "Hijack Execution Flow::Import Address Table Hooking",
"F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking",
"F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking",
"F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls",
"F0015.007": "Hijack Execution Flow::Procedure Hooking"
},
"Data": {
"C0019": "Check String",
"C0020": "Use Constant",
"C0024": "Compress Data",
"C0024.001": "Compress Data::QuickLZ",
"C0024.002": "Compress Data::IEncodingFilterFactory",
"C0025": "Decompress Data",
"C0025.001": "Decompress Data::QuickLZ",
"C0025.002": "Decompress Data::IEncodingFilterFactory",
"C0025.003": "Decompress Data::aPLib",
"C0026": "Encode Data",
"C0026.001": "Encode Data::Base64",
"C0026.002": "Encode Data::XOR",
"C0030": "Non-Cryptographic Hash",
"C0030.001": "Non-Cryptographic Hash::MurmurHash",
"C0030.002": "Non-Cryptographic Hash::pHash",
"C0030.003": "Non-Cryptographic Hash::Fast-Hash",
"C0030.004": "Non-Cryptographic Hash::dhash",
"C0030.005": "Non-Cryptographic Hash::FNV",
"C0030.006": "Non-Cryptographic Hash::djb2",
"C0032": "Checksum",
"C0032.001": "Checksum::CRC32",
"C0032.002": "Checksum::Luhn",
"C0032.003": "Checksum::BSD",
"C0032.005": "Checksum::Adler",
"C0053": "Decode Data",
"C0053.001": "Decode Data::Base64",
"C0053.002": "Decode Data::XOR",
"C0058": "Modulo",
"C0060": "Compression Library"
},
"Memory": {
"C0006": "Heap Spray",
"C0007": "Allocate Memory",
"C0008": "Change Memory Protection",
"C0008.001": "Change Memory Protection::Executable Stack",
"C0008.002": "Change Memory Protection::Executable Heap",
"C0009": "Stack Pivot",
"C0010": "Overflow Buffer",
"C0044": "Free Memory"
},
"Hardware": {
"C0023": "Load Driver",
"C0023.001": "Load Driver::Minifilter",
"C0037": "Install Driver",
"C0037.001": "Install Driver::Minifilter",
"C0057": "Simulate Hardware",
"C0057.001": "Simulate Hardware::Ctrl-Alt-Del",
"C0057.002": "Simulate Hardware::Mouse Click"
},
"File System": {
"C0015": "Alter File Extension",
"C0015.001": "Alter File Extension::Append Extension",
"C0016": "Create File",
"C0016.001": "Create File::Create Office Document",
"C0016.002": "Create File::Create Ransomware File",
"C0045": "Copy File",
"C0046": "Create Directory",
"C0047": "Delete File",
"C0048": "Delete Directory",
"C0049": "Get File Attributes",
"C0050": "Set File Attributes",
"C0051": "Read File",
"C0052": "Writes File",
"C0056": "Read Virtual Disk",
"C0063": "Move File"
},
"Process": {
"C0017": "Create Process",
"C0017.001": "Create Process::Create Process via Shellcode",
"C0017.002": "Create Process::Create Process via WMI",
"C0017.003": "Create Process::Create Suspended Process",
"C0018": "Terminate Process",
"C0022": "Synchronization",
"C0022.001": "Synchronization::Create Mutex",
"C0038": "Create Thread",
"C0039": "Terminate Thread",
"C0040": "Allocate Thread Local Storage",
"C0041": "Set Thread Local Storage Value",
"C0042": "Create Mutex",
"C0043": "Check Mutex",
"C0054": "Resume Thread",
"C0055": "Suspend Thread",
"C0064": "Enumerate Threads",
"C0065": "Open Process",
"C0066": "Open Thread"
},
"Communication": {
"C0001": "Socket Communication",
"C0001.001": "Socket Communication::Set Socket Config",
"C0001.002": "Socket Communication::TCP Server",
"C0001.003": "Socket Communication::Create Socket",
"C0001.004": "Socket Communication::Connect Socket",
"C0001.005": "Socket Communication::Start TCP Server",
"C0001.006": "Socket Communication::Receive Data",
"C0001.007": "Socket Communication::Send Data",
"C0001.008": "Socket Communication::TCP Client",
"C0001.009": "Socket Communication::Initialize Winsock Library",
"C0001.010": "Socket Communication::Create UDP Socket",
"C0001.011": "Socket Communication::Create TCP Socket",
"C0001.012": "Socket Communication::Get Socket Status",
"C0001.013": "Socket Communication::UDP Client",
"C0001.014": "Socket Communication::Send TCP Data",
"C0001.015": "Socket Communication::Send UDP Data",
"C0001.016": "Socket Communication::Receive TCP Data",
"C0001.017": "Socket Communication::Receive UDP Data",
"C0002": "HTTP Communication",
"C0002.001": "HTTP Communication::Server",
"C0002.002": "HTTP Communication::Client",
"C0002.003": "HTTP Communication::Send Request",
"C0002.004": "HTTP Communication::Open URL",
"C0002.005": "HTTP Communication::Send Data",
"C0002.006": "HTTP Communication::Download URL",
"C0002.007": "HTTP Communication::WinINet",
"C0002.008": "HTTP Communication::WinHTTP",
"C0002.009": "HTTP Communication::Connect to Server",
"C0002.010": "HTTP Communication::IWebBrowser",
"C0002.011": "HTTP Communication::Extract Body",
"C0002.012": "HTTP Communication::Create Request",
"C0002.013": "HTTP Communication::Set Header",
"C0002.014": "HTTP Communication::Read Header",
"C0002.015": "HTTP Communication::Receive Request",
"C0002.016": "HTTP Communication::Send Response",
"C0002.017": "HTTP Communication::Get Response",
"C0002.018": "HTTP Communication::Start Server",
"C0003": "Interprocess Communication",
"C0003.001": "Interprocess Communication::Create Pipe",
"C0003.002": "Interprocess Communication::Connect Pipe",
"C0003.003": "Interprocess Communication::Read Pipe",
"C0003.004": "Interprocess Communication::Write Pipe",
"C0004": "FTP Communication",
"C0004.001": "FTP Communication::Send File",
"C0004.002": "FTP Communication::WinINet",
"C0005": "WinINet",
"C0005.001": "WinINet::InternetConnect",
"C0005.002": "WinINet::InternetOpen",
"C0005.003": "WinINet::InternetOpenURL",
"C0005.004": "WinINet::InternetReadFile",
"C0005.005": "WinINet::InternetWriteFile",
"C0011": "DNS Communication",
"C0011.001": "DNS Communication::Resolve",
"C0011.002": "DNS Communication::Server Connect",
"C0011.003": "DNS Communication::DDNS Domain Connect",
"C0011.004": "DNS Communication::Resolve TLD",
"C0011.005": "DNS Communication::Resolve Free Hosting Domain",
"C0012": "SMTP Communication",
"C0012.001": "SMTP Communication::Server Connect",
"C0012.002": "SMTP Communication::Request",
"C0014": "ICMP Communication",
"C0014.001": "ICMP Communication::Generate Traffic",
"C0014.002": "ICMP Communication::Echo Request"
},
"Cryptography": {
"C0021": "Generate Pseudo-random Sequence",
"C0021.001": "Generate Pseudo-random Sequence::GetTickCount",
"C0021.002": "Generate Pseudo-random Sequence::rand",
"C0021.003": "Generate Pseudo-random Sequence::Use API",
"C0021.004": "Generate Pseudo-random Sequence::RC4 PRGA",
"C0027": "Encrypt Data",
"C0027.001": "Encrypt Data::AES",
"C0027.002": "Encrypt Data::Blowfish",
"C0027.003": "Encrypt Data::Camellia",
"C0027.004": "Encrypt Data::3DES",
"C0027.005": "Encrypt Data::Twofish",
"C0027.006": "Encrypt Data::HC-128",
"C0027.007": "Encrypt Data::HC-256",
"C0027.008": "Encrypt Data::Sosemanuk",
"C0027.009": "Encrypt Data::RC4",
"C0027.010": "Encrypt Data::RC6",
"C0027.011": "Encrypt Data::RSA",
"C0027.012": "Encrypt Data::Stream Cipher",
"C0027.013": "Encrypt Data::Skipjack",
"C0027.014": "Encrypt Data::Block Cipher",
"C0028": "Encryption Key",
"C0028.001": "Encryption Key::Import Public Key",
"C0028.002": "Encryption Key::RC4 KSA",
"C0029": "Cryptographic Hash",
"C0029.001": "Cryptographic Hash::MD5",
"C0029.002": "Cryptographic Hash::SHA1",
"C0029.003": "Cryptographic Hash::SHA256",
"C0029.004": "Cryptographic Hash::SHA224",
"C0029.005": "Cryptographic Hash::Tiger",
"C0029.006": "Cryptographic Hash::Snefru",
"C0031": "Decrypt Data",
"C0031.001": "Decrypt Data::AES",
"C0031.002": "Decrypt Data::Block Cipher",
"C0031.003": "Decrypt Data::Blowfish",
"C0031.004": "Decrypt Data::Camellia",
"C0031.005": "Decrypt Data::3DES",
"C0031.006": "Decrypt Data::HC-128",
"C0031.007": "Decrypt Data::HC-256",
"C0031.008": "Decrypt Data::RC4",
"C0031.009": "Decrypt Data::RC6",
"C0031.010": "Decrypt Data::RSA",
"C0031.011": "Decrypt Data::Skipjack",
"C0031.012": "Decrypt Data::Sosemanuk",
"C0031.013": "Decrypt Data::Stream Cipher",
"C0031.014": "Decrypt Data::Twofish",
"C0059": "Crypto Library",
"C0059.001": "Crypto Library::API Call",
"C0059.002": "Crypto Library::Static Public Library",
"C0061": "Hashed Message Authentication Code",
"C0068": "Crypto Algorithm",
"C0069": "Crypto Constant"
},
"Operating System": {
"C0033": "Console",
"C0034": "Environment Variable",
"C0034.001": "Environment Variable::Set Variable",
"C0035": "Wallpaper",
"C0036": "Registry",
"C0036.001": "Registry::Set Registry Key",
"C0036.002": "Registry::Delete Registry Key",
"C0036.003": "Registry::Open Registry Key",
"C0036.004": "Registry::Create Registry Key",
"C0036.005": "Registry::Query Registry Key",
"C0036.006": "Registry::Query Registry Value",
"C0036.007": "Registry::Delete Registry Value"
},
"Defense Evasion": {
"B0025": "Conditional Execution",
"B0025.001": "Conditional Execution::Suicide Exit",
"B0025.002": "Conditional Execution::Environmental Keys",
"B0025.003": "Conditional Execution::GetVolumeInformation",
"B0025.004": "Conditional Execution::Host Fingerprint Check",
"B0025.005": "Conditional Execution::Secure Triggers",
"B0025.006": "Conditional Execution::Token Check",
"B0025.007": "Conditional Execution::Runs as Service",
"B0025.008": "Conditional Execution::Deposited Keys",
"B0027": "Alternative Installation Location",
"B0027.001": "Alternative Installation Location::Fileless Malware",
"B0027.002": "Alternative Installation Location::Registry Install",
"B0029": "Polymorphic Code",
"B0029.001": "Polymorphic Code::Packer Stub",
"B0029.002": "Polymorphic Code::Call Indirections",
"B0029.003": "Polymorphic Code::Code Reordering",
"B0037": "Bypass Data Execution Prevention",
"B0037.001": "Bypass Data Execution Prevention::ROP Chains",
"B0040": "Covert Location",
"B0040.001": "Covert Location::Hide Data in Registry",
"B0040.002": "Covert Location::Steganography",
"B0047": "Install Insecure or Malicious Configuration",
"E1014": "Rootkit",
"E1014.m12": "Rootkit::Application Rootkit",
"E1014.m13": "Rootkit::Bootloader",
"E1014.m14": "Rootkit::Hardware/Firmware Rootkit",
"E1014.m15": "Rootkit::Hypervisor/Virtualized Rootkit",
"E1014.m16": "Rootkit::Kernel Mode Rootkit",
"E1014.m17": "Rootkit::Memory Rootkit",
"E1027": "Obfuscated Files or Information",
"E1027.m01": "Obfuscated Files or Information::Encoding",
"E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm",
"E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm",
"E1027.m04": "Obfuscated Files or Information::Encryption",
"E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm",
"E1027.m06": "Obfuscated Files or Information::Encryption of Code",
"E1027.m07": "Obfuscated Files or Information::Encryption of Data",
"E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm",
"E1055": "Process Injection",
"E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx",
"E1055.m02": "Process Injection::Injection and Persistence via Registry Modification",
"E1055.m03": "Process Injection::Injection using Shims",
"E1055.m04": "Process Injection::Patch Process Command Line",
"E1055.m05": "Process Injection::Injection via Windows Fibers",
"E1112": "Modify Registry",
"E1564": "Hide Artifacts",
"E1564.m01": "Hide Artifacts::Hidden Userspace Libraries",
"E1564.m02": "Hide Artifacts::Direct Kernel Object Manipulation",
"E1564.m03": "Hide Artifacts::Hidden Processes",
"E1564.m04": "Hide Artifacts::Hidden Services",
"E1564.m05": "Hide Artifacts::Hidden Kernel Modules",
"F0001": "Software Packing",
"F0001.001": "Software Packing::Nested Packing",
"F0001.002": "Software Packing::Standard Compression",
"F0001.003": "Software Packing::Standard Compression of Code",
"F0001.004": "Software Packing::Standard Compression of Data",
"F0001.005": "Software Packing::Custom Compression",
"F0001.006": "Software Packing::Custom Compression of Code",
"F0001.007": "Software Packing::Custom Compression of Data",
"F0001.008": "Software Packing::UPX",
"F0001.009": "Software Packing::Confuser",
"F0001.010": "Software Packing::VMProtect",
"F0001.011": "Software Packing::Themida",
"F0001.012": "Software Packing::Armadillo",
"F0001.013": "Software Packing::ASPack",
"F0004": "Disable or Evade Security Tools",
"F0004.001": "Disable or Evade Security Tools::Disable Kernel Patch Protection",
"F0004.002": "Disable or Evade Security Tools::Disable System File Overwrite Protection",
"F0004.003": "Disable or Evade Security Tools::Unhook APIs",
"F0004.004": "Disable or Evade Security Tools::AMSI Bypass",
"F0004.005": "Disable or Evade Security Tools::Modify Policy",
"F0004.006": "Disable or Evade Security Tools::Force Lazy Writing",
"F0004.007": "Disable or Evade Security Tools::Bypass Windows File Protection",
"F0004.008": "Disable or Evade Security Tools::Heavens Gate",
"F0004.009": "Disable or Evade Security Tools::Disable Code Integrity",
"F0005": "Hidden Files and Directories",
"F0005.001": "Hidden Files and Directories::Extension",
"F0005.002": "Hidden Files and Directories::Location",
"F0005.003": "Hidden Files and Directories::Attribute",
"F0005.004": "Hidden Files and Directories::Timestamp",
"F0006": "Indicator Blocking",
"F0006.001": "Indicator Blocking::Remove SMS Warning Messages",
"F0007": "Self Deletion",
"F0007.001": "Self Deletion::COMSPEC Environment Variable",
"F0009": "Component Firmware",
"F0009.001": "Component Firmware::Router Firmware",
"F0013": "Bootkit",
"F0015": "Hijack Execution Flow",
"F0015.001": "Hijack Execution Flow::Export Address Table Hooking",
"F0015.002": "Hijack Execution Flow::Inline Patching",
"F0015.003": "Hijack Execution Flow::Import Address Table Hooking",
"F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking",
"F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking",
"F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls",
"F0015.007": "Hijack Execution Flow::Procedure Hooking"
}
}
}
Reference in New Issue View Git Blame Copy Permalink