MITRE D3FEND Knowledge Graph

D3FEND^™

A knowledge graph of cybersecurity countermeasures

1.2.0

T1001 - Data Obfuscation

T1001.001 - Junk Data

T1001.002 - Steganography

T1001.003 - Protocol or Service Impersonation

T1002 - Data Compressed

T1003 - OS Credential Dumping

T1003.001 - LSASS Memory

T1003.002 - Security Account Manager

T1003.003 - NTDS

T1003.004 - LSA Secrets

T1003.005 - Cached Domain Credentials

T1003.006 - DCSync

T1003.007 - Proc Filesystem

T1003.008 - /etc/passwd and /etc/shadow

T1004 - Winlogon Helper DLL

T1005 - Data from Local System

T1006 - Direct Volume Access

T1007 - System Service Discovery

T1008 - Fallback Channels

T1009 - Binary Padding

T1010 - Application Window Discovery

T1011 - Exfiltration Over Other Network Medium

T1011.001 - Exfiltration Over Bluetooth

T1012 - Query Registry

T1013 - Port Monitors

T1014 - Rootkit

T1015 - Accessibility Features

T1016 - System Network Configuration Discovery

T1016.001 - Internet Connection Discovery

T1016.002 - Wi-Fi Discovery

T1017 - Application Deployment Software

T1018 - Remote System Discovery

T1019 - System Firmware

T1020 - Automated Exfiltration

T1020.001 - Traffic Duplication

T1021 - Remote Services

T1021.001 - Remote Desktop Protocol

T1021.002 - SMB/Windows Admin Shares

T1021.003 - Distributed Component Object Model

T1021.004 - SSH

T1021.005 - VNC

T1021.006 - Windows Remote Management

T1021.007 - Cloud Services

T1021.008 - Direct Cloud VM Connections

T1022 - Data Encrypted

T1023 - Shortcut Modification

T1024 - Custom Cryptographic Protocol

T1025 - Data from Removable Media

T1026 - Multiband Communication

T1027 - Obfuscated Files or Information

T1027.001 - Binary Padding

T1027.002 - Software Packing

T1027.003 - Steganography

T1027.004 - Compile After Delivery

T1027.005 - Indicator Removal from Tools

T1027.006 - HTML Smuggling

T1027.007 - Dynamic API Resolution

T1027.008 - Stripped Payloads

T1027.009 - Embedded Payloads

T1027.010 - Command Obfuscation

T1027.011 - Fileless Storage

T1027.012 - LNK Icon Smuggling

T1027.013 - Encrypted/Encoded File

T1027.014 - Polymorphic Code

T1027.015 - Compression

T1027.016 - Junk Code Insertion

T1027.017 - SVG Smuggling

T1028 - Windows Remote Management

T1029 - Scheduled Transfer

T1030 - Data Transfer Size Limits

T1031 - Modify Existing Service

T1032 - Standard Cryptographic Protocol

T1033 - System Owner/User Discovery

T1034 - Path Interception

T1035 - Service Execution

T1036 - Masquerading

T1036.001 - Invalid Code Signature

T1036.002 - Right-to-Left Override

T1036.003 - Rename Legitimate Utilities

T1036.004 - Masquerade Task or Service

T1036.005 - Match Legitimate Resource Name or Location

T1036.006 - Space after Filename

T1036.007 - Double File Extension

T1036.008 - Masquerade File Type

T1036.009 - Break Process Trees

T1036.010 - Masquerade Account Name

T1036.011 - Overwrite Process Arguments

T1037 - Boot or Logon Initialization Scripts

T1037.001 - Logon Script (Windows)

T1037.002 - Login Hook

T1037.003 - Network Logon Script

T1037.004 - RC Scripts

T1037.005 - Startup Items

T1038 - DLL Search Order Hijacking

T1039 - Data from Network Shared Drive

T1040 - Network Sniffing

T1041 - Exfiltration Over C2 Channel

T1042 - Change Default File Association

T1043 - Commonly Used Port

T1044 - File System Permissions Weakness

T1045 - Software Packing

T1046 - Network Service Discovery

T1047 - Windows Management Instrumentation

T1048 - Exfiltration Over Alternative Protocol

T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol

T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

T1049 - System Network Connections Discovery

T1050 - New Service

T1051 - Shared Webroot

T1052 - Exfiltration Over Physical Medium

T1052.001 - Exfiltration over USB

T1053 - Scheduled Task/Job

T1053.001 - At (Linux) Execution

T1053.002 - At

T1053.003 - Cron

T1053.004 - Launchd

T1053.005 - Scheduled Task

T1053.006 - Systemd Timers

T1053.007 - Container Orchestration Job

T1054 - Indicator Blocking

T1055 - Process Injection

T1055.001 - Dynamic-link Library Injection

T1055.002 - Portable Executable Injection

T1055.003 - Thread Execution Hijacking

T1055.004 - Asynchronous Procedure Call

T1055.005 - Thread Local Storage

T1055.008 - Ptrace System Calls

T1055.009 - Proc Memory

T1055.011 - Extra Window Memory Injection

T1055.012 - Process Hollowing

T1055.013 - Process Doppelgänging

T1055.014 - VDSO Hijacking

T1055.015 - ListPlanting

T1056 - Input Capture

T1056.001 - Keylogging

T1056.002 - GUI Input Capture

T1056.003 - Web Portal Capture

T1056.004 - Credential API Hooking

T1057 - Process Discovery

T1058 - Service Registry Permissions Weakness

T1059 - Command and Scripting Interpreter

T1059.001 - PowerShell

T1059.002 - AppleScript

T1059.003 - Windows Command Shell

T1059.004 - Unix Shell

T1059.005 - Visual Basic

T1059.006 - Python

T1059.007 - JavaScript

T1059.008 - Network Device CLI

T1059.009 - Cloud API

T1059.010 - AutoHotKey & AutoIT

T1059.011 - Lua

T1059.012 - Hypervisor CLI

T1060 - Registry Run Keys / Startup Folder

T1061 - Graphical User Interface

T1062 - Hypervisor

T1063 - Security Software Discovery

T1064 - Scripting

T1065 - Uncommonly Used Port

T1066 - Indicator Removal from Tools

T1067 - Bootkit

T1068 - Exploitation for Privilege Escalation

T1069 - Permission Groups Discovery

T1069.001 - Local Groups

T1069.002 - Domain Groups

T1069.003 - Cloud Groups

T1070 - Indicator Removal

T1070.001 - Clear Windows Event Logs

T1070.002 - Clear Linux or Mac System Logs

T1070.003 - Clear Command History

T1070.004 - File Deletion

T1070.005 - Network Share Connection Removal

T1070.006 - Timestomp

T1070.007 - Clear Network Connection History and Configurations

T1070.008 - Clear Mailbox Data

T1070.009 - Clear Persistence

T1070.010 - Relocate Malware

T1071 - Application Layer Protocol

T1071.001 - Web Protocols

T1071.002 - File Transfer Protocols

T1071.003 - Mail Protocols

T1071.004 - DNS

T1071.005 - Publish/Subscribe Protocols

T1072 - Software Deployment Tools

T1073 - DLL Side-Loading

T1074 - Data Staged

T1074.001 - Local Data Staging

T1074.002 - Remote Data Staging

T1075 - Pass the Hash

T1076 - Remote Desktop Protocol

T1077 - Windows Admin Shares

T1078 - Valid Accounts

T1078.001 - Default Accounts

T1078.002 - Domain Accounts

T1078.003 - Local Accounts

T1078.004 - Cloud Accounts

T1079 - Multilayer Encryption

T1080 - Taint Shared Content

T1081 - Credentials in Files

T1082 - System Information Discovery

T1083 - File and Directory Discovery

T1084 - Windows Management Instrumentation Event Subscription

T1085 - Rundll32

T1086 - PowerShell

T1087 - Account Discovery

T1087.001 - Local Account

T1087.002 - Domain Account

T1087.003 - Email Account

T1087.004 - Cloud Account

T1088 - Bypass User Account Control

T1089 - Disabling Security Tools

T1090 - Proxy

T1090.001 - Internal Proxy

T1090.002 - External Proxy

T1090.003 - Multi-hop Proxy

T1090.004 - Domain Fronting

T1091 - Replication Through Removable Media

T1092 - Communication Through Removable Media

T1093 - Process Hollowing

T1094 - Custom Command and Control Protocol

T1095 - Non-Application Layer Protocol

T1096 - NTFS File Attributes

T1097 - Pass the Ticket

T1098 - Account Manipulation

T1098.001 - Additional Cloud Credentials

T1098.002 - Additional Email Delegate Permissions

T1098.003 - Additional Cloud Roles

T1098.004 - SSH Authorized Keys

T1098.005 - Device Registration

T1098.006 - Additional Container Cluster Roles

T1098.007 - Additional Local or Domain Groups

T1099 - Timestomp

T1100 - Web Shell

T1101 - Security Support Provider

T1102 - Web Service

T1102.001 - Dead Drop Resolver

T1102.002 - Bidirectional Communication

T1102.003 - One-Way Communication

T1103 - AppInit DLLs

T1104 - Multi-Stage Channels

T1105 - Ingress Tool Transfer

T1106 - Native API

T1107 - File Deletion

T1108 - Redundant Access

T1109 - Component Firmware

T1110 - Brute Force

T1110.001 - Password Guessing

T1110.002 - Password Cracking

T1110.003 - Password Spraying

T1110.004 - Credential Stuffing

T1111 - Multi-Factor Authentication Interception

T1112 - Modify Registry

T1113 - Screen Capture

T1114 - Email Collection

T1114.001 - Local Email Collection

T1114.002 - Remote Email Collection

T1114.003 - Email Forwarding Rule

T1115 - Clipboard Data

T1116 - Code Signing

T1117 - Regsvr32

T1118 - InstallUtil

T1119 - Automated Collection

T1120 - Peripheral Device Discovery

T1121 - Regsvcs/Regasm

T1122 - Component Object Model Hijacking

T1123 - Audio Capture

T1124 - System Time Discovery

T1125 - Video Capture

T1126 - Network Share Connection Removal

T1127 - Trusted Developer Utilities Proxy Execution

T1127.001 - MSBuild

T1127.002 - ClickOnce

T1127.003 - JamPlus

T1128 - Netsh Helper DLL

T1129 - Shared Modules

T1130 - Install Root Certificate

T1131 - Authentication Package

T1132 - Data Encoding

T1132.001 - Standard Encoding

T1132.002 - Non-Standard Encoding

T1133 - External Remote Services

T1134 - Access Token Manipulation

T1134.001 - Token Impersonation/Theft

T1134.002 - Create Process with Token

T1134.003 - Make and Impersonate Token

T1134.004 - Parent PID Spoofing

T1134.005 - SID-History Injection

T1135 - Network Share Discovery

T1136 - Create Account

T1136.001 - Local Account

T1136.002 - Domain Account

T1136.003 - Cloud Account

T1137 - Office Application Startup

T1137.001 - Office Template Macros

T1137.002 - Office Test

T1137.003 - Outlook Forms

T1137.004 - Outlook Home Page

T1137.005 - Outlook Rules

T1137.006 - Add-ins

T1138 - Application Shimming

T1139 - Bash History

T1140 - Deobfuscate/Decode Files or Information

T1141 - Input Prompt

T1142 - Keychain

T1143 - Hidden Window

T1144 - Gatekeeper Bypass

T1145 - Private Keys

T1146 - Clear Command History

T1147 - Hidden Users

T1148 - HISTCONTROL

T1149 - LC_MAIN Hijacking

T1150 - Plist Modification

T1151 - Space after Filename

T1152 - Launchctl

T1153 - Source

T1154 - Trap

T1155 - AppleScript

T1156 - Malicious Shell Modification

T1157 - Dylib Hijacking

T1158 - Hidden Files and Directories

T1159 - Launch Agent

T1160 - Launch Daemon

T1161 - LC_LOAD_DYLIB Addition

T1162 - Login Item

T1163 - Rc.common

T1164 - Re-opened Applications

T1165 - Startup Items

T1166 - Setuid and Setgid

T1167 - Securityd Memory

T1168 - Local Job Scheduling

T1169 - Sudo

T1170 - Mshta

T1171 - LLMNR/NBT-NS Poisoning and Relay

T1172 - Domain Fronting

T1173 - Dynamic Data Exchange

T1174 - Password Filter DLL

T1175 - Component Object Model and Distributed COM

T1176 - Software Extensions

T1176.001 - Browser Extensions

T1176.002 - IDE Extensions

T1177 - LSASS Driver

T1178 - SID-History Injection

T1179 - Hooking

T1180 - Screensaver

T1181 - Extra Window Memory Injection

T1182 - AppCert DLLs

T1183 - Image File Execution Options Injection

T1184 - SSH Hijacking

T1185 - Browser Session Hijacking

T1186 - Process Doppelgänging

T1187 - Forced Authentication

T1188 - Multi-hop Proxy

T1189 - Drive-by Compromise

T1190 - Exploit Public-Facing Application

T1191 - CMSTP

T1192 - Spearphishing Link

T1193 - Spearphishing Attachment

T1194 - Spearphishing via Service

T1195 - Supply Chain Compromise

T1195.001 - Compromise Software Dependencies and Development Tools

T1195.002 - Compromise Software Supply Chain

T1195.003 - Compromise Hardware Supply Chain

T1196 - Control Panel Items

T1197 - BITS Jobs

T1198 - SIP and Trust Provider Hijacking

T1199 - Trusted Relationship

T1200 - Hardware Additions

T1201 - Password Policy Discovery

T1202 - Indirect Command Execution

T1203 - Exploitation for Client Execution

T1204 - User Execution

T1204.001 - Malicious Link

T1204.002 - Malicious File

T1204.003 - Malicious Image

T1204.004 - Malicious Copy and Paste

T1205 - Traffic Signaling

T1205.001 - Port Knocking

T1205.002 - Socket Filters

T1206 - Sudo Caching

T1207 - Rogue Domain Controller

T1208 - Kerberoasting

T1209 - Time Providers

T1210 - Exploitation of Remote Services

T1211 - Exploitation for Defense Evasion

T1212 - Exploitation for Credential Access

T1213 - Data from Information Repositories

T1213.001 - Confluence

T1213.002 - Sharepoint

T1213.003 - Code Repositories

T1213.004 - Customer Relationship Management Software

T1213.005 - Messaging Applications

T1214 - Credentials in Registry

T1215 - Kernel Modules and Extensions

T1216 - System Script Proxy Execution

T1216.001 - PubPrn

T1216.002 - SyncAppvPublishingServer

T1217 - Browser Information Discovery

T1218 - System Binary Proxy Execution

T1218.001 - Compiled HTML File

T1218.002 - Control Panel

T1218.003 - CMSTP

T1218.004 - InstallUtil

T1218.005 - Mshta

T1218.007 - Msiexec

T1218.008 - Odbcconf

T1218.009 - Regsvcs/Regasm

T1218.010 - Regsvr32

T1218.011 - Rundll32

T1218.012 - Verclsid

T1218.013 - Mavinject

T1218.014 - MMC

T1218.015 - Electron Applications

T1219 - Remote Access Tools

T1219.001 - IDE Tunneling

T1219.002 - Remote Desktop Software

T1219.003 - Remote Access Hardware

T1220 - XSL Script Processing

T1221 - Template Injection

T1222 - File and Directory Permissions Modification

T1222.001 - Windows File and Directory Permissions Modification

T1222.002 - Linux and Mac File and Directory Permissions Modification

T1223 - Compiled HTML File

T1480 - Execution Guardrails

T1480.001 - Environmental Keying

T1480.002 - Mutual Exclusion

T1482 - Domain Trust Discovery

T1483 - Domain Generation Algorithms

T1484 - Domain or Tenant Policy Modification

T1484.001 - Group Policy Modification

T1484.002 - Trust Modification

T1485 - Data Destruction

T1485.001 - Lifecycle-Triggered Deletion

T1486 - Data Encrypted for Impact

T1487 - Disk Structure Wipe

T1488 - Disk Content Wipe

T1489 - Service Stop

T1490 - Inhibit System Recovery

T1491 - Defacement

T1491.001 - Internal Defacement

T1491.002 - External Defacement

T1492 - Stored Data Manipulation

T1493 - Transmitted Data Manipulation

T1494 - Runtime Data Manipulation

T1495 - Firmware Corruption

T1496 - Resource Hijacking

T1496.001 - Compute Hijacking

T1496.002 - Bandwidth Hijacking

T1496.003 - SMS Pumping

T1496.004 - Cloud Service Hijacking

T1497 - Virtualization/Sandbox Evasion

T1497.001 - System Checks

T1497.002 - User Activity Based Checks

T1497.003 - Time Based Evasion

T1498 - Network Denial of Service

T1498.001 - Direct Network Flood

T1498.002 - Reflection Amplification

T1499 - Endpoint Denial of Service

T1499.001 - OS Exhaustion Flood

T1499.002 - Service Exhaustion Flood

T1499.003 - Application Exhaustion Flood

T1499.004 - Application or System Exploitation

T1500 - Compile After Delivery

T1501 - Systemd Service

T1502 - Parent PID Spoofing

T1503 - Credentials from Web Browsers

T1504 - PowerShell Profile

T1505 - Server Software Component

T1505.001 - SQL Stored Procedures

T1505.002 - Transport Agent

T1505.003 - Web Shell

T1505.004 - IIS Components

T1505.005 - Terminal Services DLL

T1505.006 - vSphere Installation Bundles

T1506 - Web Session Cookie

T1514 - Elevated Execution with Prompt

T1518 - Software Discovery

T1518.001 - Security Software Discovery

T1519 - Emond

T1522 - Cloud Instance Metadata API

T1525 - Implant Internal Image

T1526 - Cloud Service Discovery

T1527 - Application Access Token

T1528 - Steal Application Access Token

T1529 - System Shutdown/Reboot

T1530 - Data from Cloud Storage

T1531 - Account Access Removal

T1534 - Internal Spearphishing

T1535 - Unused/Unsupported Cloud Regions

T1536 - Revert Cloud Instance

T1537 - Transfer Data to Cloud Account

T1538 - Cloud Service Dashboard

T1539 - Steal Web Session Cookie

T1542 - Pre-OS Boot

T1542.001 - System Firmware

T1542.002 - Component Firmware

T1542.003 - Bootkit

T1542.004 - ROMMONkit

T1542.005 - TFTP Boot

T1543 - Create or Modify System Process

T1543.001 - Launch Agent

T1543.002 - Systemd Service

T1543.003 - Windows Service

T1543.004 - Launch Daemon

T1543.005 - Container Service

T1546 - Event Triggered Execution

T1546.001 - Change Default File Association

T1546.002 - Screensaver

T1546.003 - Windows Management Instrumentation Event Subscription

T1546.004 - Unix Shell Configuration Modification

T1546.005 - Trap

T1546.006 - LC_LOAD_DYLIB Addition

T1546.007 - Netsh Helper DLL

T1546.008 - Accessibility Features

T1546.009 - AppCert DLLs

T1546.010 - AppInit DLLs

T1546.011 - Application Shimming

T1546.012 - Image File Execution Options Injection

T1546.013 - PowerShell Profile

T1546.014 - Emond

T1546.015 - Component Object Model Hijacking

T1546.016 - Installer Packages

T1546.017 - Udev Rules

T1547 - Boot or Logon Autostart Execution

T1547.001 - Registry Run Keys / Startup Folder

T1547.002 - Authentication Package

T1547.003 - Time Providers

T1547.004 - Winlogon Helper DLL

T1547.005 - Security Support Provider

T1547.006 - Kernel Modules and Extensions

T1547.007 - Re-opened Applications

T1547.008 - LSASS Driver

T1547.009 - Shortcut Modification

T1547.010 - Port Monitors

T1547.011 - Plist Modification

T1547.012 - Print Processors

T1547.013 - XDG Autostart Entries

T1547.014 - Active Setup

T1547.015 - Login Items

T1548 - Abuse Elevation Control Mechanism

T1548.001 - Setuid and Setgid

T1548.002 - Bypass User Account Control

T1548.003 - Sudo and Sudo Caching

T1548.004 - Elevated Execution with Prompt

T1548.005 - Temporary Elevated Cloud Access

T1548.006 - TCC Manipulation

T1550 - Use Alternate Authentication Material

T1550.001 - Application Access Token

T1550.002 - Pass the Hash

T1550.003 - Pass the Ticket

T1550.004 - Web Session Cookie

T1552 - Unsecured Credentials

T1552.001 - Credentials In Files

T1552.002 - Credentials in Registry

T1552.003 - Bash History

T1552.004 - Private Keys

T1552.005 - Cloud Instance Metadata API

T1552.006 - Group Policy Preferences

T1552.007 - Container API

T1552.008 - Chat Messages

T1553 - Subvert Trust Controls

T1553.001 - Gatekeeper Bypass

T1553.002 - Code Signing

T1553.003 - SIP and Trust Provider Hijacking

T1553.004 - Install Root Certificate

T1553.005 - Mark-of-the-Web Bypass

T1553.006 - Code Signing Policy Modification

T1554 - Compromise Host Software Binary

T1555 - Credentials from Password Stores

T1555.001 - Keychain

T1555.002 - Securityd Memory

T1555.003 - Credentials from Web Browsers

T1555.004 - Windows Credential Manager

T1555.005 - Password Managers

T1555.006 - Cloud Secrets Management Stores

T1556 - Modify Authentication Process

T1556.001 - Domain Controller Authentication

T1556.002 - Password Filter DLL

T1556.003 - Pluggable Authentication Modules

T1556.004 - Network Device Authentication

T1556.005 - Reversible Encryption

T1556.006 - Multi-Factor Authentication

T1556.007 - Hybrid Identity

T1556.008 - Network Provider DLL

T1556.009 - Conditional Access Policies

T1557 - Adversary-in-the-Middle

T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay

T1557.002 - ARP Cache Poisoning

T1557.003 - DHCP Spoofing

T1557.004 - Evil Twin

T1558 - Steal or Forge Kerberos Tickets

T1558.001 - Golden Ticket

T1558.002 - Silver Ticket

T1558.003 - Kerberoasting

T1558.004 - AS-REP Roasting

T1558.005 - Ccache Files

T1559 - Inter-Process Communication

T1559.001 - Component Object Model

T1559.002 - Dynamic Data Exchange

T1559.003 - XPC Services

T1560 - Archive Collected Data

T1560.001 - Archive via Utility

T1560.002 - Archive via Library

T1560.003 - Archive via Custom Method

T1561 - Disk Wipe

T1561.001 - Disk Content Wipe

T1561.002 - Disk Structure Wipe

T1562 - Impair Defenses

T1562.001 - Disable or Modify Tools

T1562.002 - Disable Windows Event Logging

T1562.003 - Impair Command History Logging

T1562.004 - Disable or Modify System Firewall

T1562.006 - Indicator Blocking

T1562.007 - Disable or Modify Cloud Firewall

T1562.008 - Disable or Modify Cloud Logs

T1562.009 - Safe Mode Boot

T1562.010 - Downgrade Attack

T1562.011 - Spoof Security Alerting

T1562.012 - Disable or Modify Linux Audit System

T1563 - Remote Service Session Hijacking

T1563.001 - SSH Hijacking

T1563.002 - RDP Hijacking

T1564 - Hide Artifacts

T1564.001 - Hidden Files and Directories

T1564.002 - Hidden Users

T1564.003 - Hidden Window

T1564.004 - NTFS File Attributes

T1564.005 - Hidden File System

T1564.006 - Run Virtual Instance

T1564.007 - VBA Stomping

T1564.008 - Email Hiding Rules

T1564.009 - Resource Forking

T1564.010 - Process Argument Spoofing

T1564.011 - Ignore Process Interrupts

T1564.012 - File/Path Exclusions

T1564.013 - Bind Mounts

T1564.014 - Extended Attributes

T1565 - Data Manipulation

T1565.001 - Stored Data Manipulation

T1565.002 - Transmitted Data Manipulation

T1565.003 - Runtime Data Manipulation

T1566 - Phishing

T1566.001 - Spearphishing Attachment

T1566.002 - Spearphishing Link

T1566.003 - Spearphishing via Service

T1566.004 - Spearphishing Voice

T1567 - Exfiltration Over Web Service

T1567.001 - Exfiltration to Code Repository

T1567.002 - Exfiltration to Cloud Storage

T1567.003 - Exfiltration to Text Storage Sites

T1567.004 - Exfiltration Over Webhook

T1568 - Dynamic Resolution

T1568.001 - Fast Flux DNS

T1568.002 - Domain Generation Algorithms

T1568.003 - DNS Calculation

T1569 - System Services

T1569.001 - Launchctl

T1569.002 - Service Execution

T1569.003 - Systemctl

T1570 - Lateral Tool Transfer

T1571 - Non-Standard Port

T1572 - Protocol Tunneling

T1573 - Encrypted Channel

T1573.001 - Symmetric Cryptography

T1573.002 - Asymmetric Cryptography

T1574 - Hijack Execution Flow

T1574.001 - DLL

T1574.002 - DLL Side-Loading

T1574.004 - Dylib Hijacking

T1574.005 - Executable Installer File Permissions Weakness

T1574.006 - Dynamic Linker Hijacking

T1574.007 - Path Interception by PATH Environment Variable

T1574.008 - Path Interception by Search Order Hijacking

T1574.009 - Path Interception by Unquoted Path

T1574.010 - Services File Permissions Weakness

T1574.011 - Services Registry Permissions Weakness

T1574.012 - COR_PROFILER

T1574.013 - KernelCallbackTable

T1574.014 - AppDomainManager

T1578 - Modify Cloud Compute Infrastructure

T1578.001 - Create Snapshot

T1578.002 - Create Cloud Instance

T1578.003 - Delete Cloud Instance

T1578.004 - Revert Cloud Instance

T1578.005 - Modify Cloud Compute Configurations

T1580 - Cloud Infrastructure Discovery

T1583 - Acquire Infrastructure

T1583.001 - Domains

T1583.002 - DNS Server

T1583.003 - Virtual Private Server

T1583.004 - Server

T1583.005 - Botnet

T1583.006 - Web Services

T1583.007 - Serverless

T1583.008 - Malvertising

T1584 - Compromise Infrastructure

T1584.001 - Domains

T1584.002 - DNS Server

T1584.003 - Virtual Private Server

T1584.004 - Server

T1584.005 - Botnet

T1584.006 - Web Services

T1584.007 - Serverless

T1584.008 - Network Devices

T1585 - Establish Accounts

T1585.001 - Social Media Accounts

T1585.002 - Email Accounts

T1585.003 - Cloud Accounts

T1586 - Compromise Accounts

T1586.001 - Social Media Accounts

T1586.002 - Email Accounts

T1586.003 - Cloud Accounts

T1587 - Develop Capabilities

T1587.001 - Malware

T1587.002 - Code Signing Certificates

T1587.003 - Digital Certificates

T1587.004 - Exploits

T1588 - Obtain Capabilities

T1588.001 - Malware

T1588.002 - Tool

T1588.003 - Code Signing Certificates

T1588.004 - Digital Certificates

T1588.005 - Exploits

T1588.006 - Vulnerabilities

T1588.007 - Artificial Intelligence

T1589 - Gather Victim Identity Information

T1589.001 - Credentials

T1589.002 - Email Addresses

T1589.003 - Employee Names

T1590 - Gather Victim Network Information

T1590.001 - Domain Properties

T1590.002 - DNS

T1590.003 - Network Trust Dependencies

T1590.004 - Network Topology

T1590.005 - IP Addresses

T1590.006 - Network Security Appliances

T1591 - Gather Victim Org Information

T1591.001 - Determine Physical Locations

T1591.002 - Business Relationships

T1591.003 - Identify Business Tempo

T1591.004 - Identify Roles

T1592 - Gather Victim Host Information

T1592.001 - Hardware

T1592.002 - Software

T1592.003 - Firmware

T1592.004 - Client Configurations

T1593 - Search Open Websites/Domains

T1593.001 - Social Media

T1593.002 - Search Engines

T1593.003 - Code Repositories

T1594 - Search Victim-Owned Websites

T1595 - Active Scanning

T1595.001 - Scanning IP Blocks

T1595.002 - Vulnerability Scanning

T1595.003 - Wordlist Scanning

T1596 - Search Open Technical Databases

T1596.001 - DNS/Passive DNS

T1596.002 - WHOIS

T1596.003 - Digital Certificates

T1596.004 - CDNs

T1596.005 - Scan Databases

T1597 - Search Closed Sources

T1597.001 - Threat Intel Vendors

T1597.002 - Purchase Technical Data

T1598 - Phishing for Information

T1598.001 - Spearphishing Service

T1598.002 - Spearphishing Attachment

T1598.003 - Spearphishing Link

T1598.004 - Spearphishing Voice

T1599 - Network Boundary Bridging

T1599.001 - Network Address Translation Traversal

T1600 - Weaken Encryption

T1600.001 - Reduce Key Space

T1600.002 - Disable Crypto Hardware

T1601 - Modify System Image

T1601.001 - Patch System Image

T1601.002 - Downgrade System Image

T1602 - Data from Configuration Repository

T1602.001 - SNMP (MIB Dump)

T1602.002 - Network Device Configuration Dump

T1606 - Forge Web Credentials

T1606.001 - Web Cookies

T1606.002 - SAML Tokens

T1608 - Stage Capabilities

T1608.001 - Upload Malware

T1608.002 - Upload Tool

T1608.003 - Install Digital Certificate

T1608.004 - Drive-by Target

T1608.005 - Link Target

T1608.006 - SEO Poisoning

T1609 - Container Administration Command

T1610 - Deploy Container

T1611 - Escape to Host

T1612 - Build Image on Host

T1613 - Container and Resource Discovery

T1614 - System Location Discovery

T1614.001 - System Language Discovery

T1615 - Group Policy Discovery

T1619 - Cloud Storage Object Discovery

T1620 - Reflective Code Loading

T1621 - Multi-Factor Authentication Request Generation

T1622 - Debugger Evasion

T1647 - Plist File Modification

T1648 - Serverless Execution

T1649 - Steal or Forge Authentication Certificates

T1650 - Acquire Access

T1651 - Cloud Administration Command

T1652 - Device Driver Discovery

T1653 - Power Settings

T1654 - Log Enumeration

T1656 - Impersonation

T1657 - Financial Theft

T1659 - Content Injection

T1665 - Hide Infrastructure

T1666 - Modify Cloud Resource Hierarchy

T1667 - Email Bombing

T1668 - Exclusive Control

T1669 - Wi-Fi Networks

T1671 - Cloud Application Integration

T1672 - Email Spoofing

T1673 - Virtual Machine Discovery

T1674 - Input Injection

T1675 - ESXi Administration Command

Access Control Configuration

Access Control Group

Access Control List

Access Mediator

Access Process

Access Token

Activity Dependency

Actuator

Address Space

Administrative Network Traffic

Alias

Allocate Memory

Anonymous Pipe

Application

Application Configuration

Application Configuration Database

Application Configuration Database Record

Application Configuration File

Application Installer

Application Inventory Sensor

Application Layer Firewall

Application Layer Link

Application Process

Application Process Configuration

Application Rule

Application Shim

Archive File

Artifact Server

Asset Inventory Agent

Asymmetric Key

Audio Input Device

Authenticate User

Authentication Function

Authentication Log

Authentication Server

Authentication Service

Authentication Service Application

Authorization Log

Authorization Service

Barcode Scanner Input Device

Binary Large Object

Binary Segment

Bitmap Image

Bitmap Image File

Block Device

Boot Loader

Boot Record

Boot Sector

Browser

Browser Extension

Build Tool

Bus Message

Bus Network

Bus Network Frame

Bus Network Node

Bus Network Traffic

Business Communication Platform Client

CA Certificate File

Processor Cache Memory

Call Stack

Central Processing Unit

Certificate

Certificate File

Certificate Trust Store

Chatroom Client

Child Process

Client Application

Client Computer

Clipboard

Cloud-based Database Application

Cloud Configuration

Cloud Instance Metadata

Cloud Service Sensor

Cloud Storage

Cloud User Account

Code Analyzer

Code Repository

Codec Application

Codec Library

Collaborative Software

Command

Command History Log

Command History Log File

Command Line Interface

Compiler

Compiler Configuration File

Computer Network Node

Computer Platform

Computing Image

Computing Server

Computing Snapshot

Configuration Database

Configuration Database Record

Configuration File

Configuration Management Database

Configuration Resource

Connect Socket

Console Output Function

Container Build Tool

Container Image

Container Orchestration Software

Container Process

Container Runtime

Content Policy

Copy Memory Function

Copy Token

Create File

Create Process

Create Socket

Create Thread

Credential

Credential Management System

Cryptographic Key

Custom Archive File

Cyber Sensor

DHCP Network Traffic

DHCP Server

DHCP Service

DHCP Service Application

DNS Lookup

DNS Network Traffic

DNS Record

DNS Server

Data Artifact Server

Data Dependency

Data Link Link

Database

Database Application

Database File

Database Query

Database Record

Database Server

Database Service

Database Service Application

Decoder Application

Decoy Artifact

Default User Account

Delete File

Dependency

Deserialization Function

Desktop Computer

Developer Application

Dial Up Modem

Differential Volume Snapshot

Digital Artifact

Digital Audio

Digital Audio Visual Media

Digital Document

Digital Event Record

Digital Fingerprint

Digital Identity

Digital Image

Digital Information

Digital Information Bearer

Digital Media

Digital Message

Digital Multimedia

Digital System

Digital Text

Digital Video