D3FEND™
A knowledge graph of cybersecurity countermeasures
T1001 - Data Obfuscation
T1001.001 - Junk Data
T1001.002 - Steganography
T1001.003 - Protocol Impersonation
T1002 - Data Compressed
T1003 - OS Credential Dumping
T1003.001 - LSASS Memory
T1003.002 - Security Account Manager
T1003.003 - NTDS
T1003.004 - LSA Secrets
T1003.005 - Cached Domain Credentials
T1003.006 - DCSync
T1003.007 - Proc Filesystem
T1003.008 - /etc/passwd and /etc/shadow
T1004 - Winlogon Helper DLL
T1005 - Data from Local System
T1006 - Direct Volume Access
T1007 - System Service Discovery
T1008 - Fallback Channels
T1009 - Binary Padding
T1010 - Application Window Discovery
T1011 - Exfiltration Over Other Network Medium
T1011.001 - Exfiltration Over Bluetooth
T1012 - Query Registry
T1013 - Port Monitors
T1014 - Rootkit
T1015 - Accessibility Features
T1016 - System Network Configuration Discovery
T1016.001 - Internet Connection Discovery
T1016.002 - Wi-Fi Discovery
T1017 - Application Deployment Software
T1018 - Remote System Discovery
T1019 - System Firmware
T1020 - Automated Exfiltration
T1020.001 - Traffic Duplication
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1021.002 - SMB/Windows Admin Shares
T1021.003 - Distributed Component Object Model
T1021.004 - SSH
T1021.005 - VNC
T1021.006 - Windows Remote Management
T1021.007 - Cloud Services
T1021.008 - Direct Cloud VM Connections
T1022 - Data Encrypted
T1023 - Shortcut Modification
T1024 - Custom Cryptographic Protocol
T1025 - Data from Removable Media
T1026 - Multiband Communication
T1027 - Obfuscated Files or Information
T1027.001 - Binary Padding
T1027.002 - Software Packing
T1027.003 - Steganography
T1027.004 - Compile After Delivery
T1027.005 - Indicator Removal from Tools
T1027.006 - HTML Smuggling
T1027.007 - Dynamic API Resolution
T1027.008 - Stripped Payloads
T1027.009 - Embedded Payloads
T1027.010 - Command Obfuscation
T1027.011 - Fileless Storage
T1027.012 - LNK Icon Smuggling
T1027.013 - Encrypted/Encoded File
T1028 - Windows Remote Management
T1029 - Scheduled Transfer
T1030 - Data Transfer Size Limits
T1031 - Modify Existing Service
T1032 - Standard Cryptographic Protocol
T1033 - System Owner/User Discovery
T1034 - Path Interception
T1035 - Service Execution
T1036 - Masquerading
T1036.001 - Invalid Code Signature
T1036.002 - Right-to-Left Override
T1036.003 - Rename System Utilities
T1036.004 - Masquerade Task or Service
T1036.005 - Match Legitimate Name or Location
T1036.006 - Space after Filename
T1036.007 - Double File Extension
T1036.008 - Masquerade File Type
T1036.009 - Break Process Trees
T1037 - Boot or Logon Initialization Scripts
T1037.001 - Logon Script (Windows)
T1037.002 - Login Hook
T1037.003 - Network Logon Script
T1037.004 - RC Scripts
T1037.005 - Startup Items
T1038 - DLL Search Order Hijacking
T1039 - Data from Network Shared Drive
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1042 - Change Default File Association
T1043 - Commonly Used Port
T1044 - File System Permissions Weakness
T1045 - Software Packing
T1046 - Network Service Discovery
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol
T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
T1049 - System Network Connections Discovery
T1050 - New Service
T1051 - Shared Webroot
T1052 - Exfiltration Over Physical Medium
T1052.001 - Exfiltration over USB
T1053 - Scheduled Task/Job
T1053.001 - At (Linux) Execution
T1053.002 - At
T1053.003 - Cron
T1053.004 - Launchd
T1053.005 - Scheduled Task
T1053.006 - Systemd Timers
T1053.007 - Container Orchestration Job
T1054 - Indicator Blocking
T1055 - Process Injection
T1055.001 - Dynamic-link Library Injection
T1055.002 - Portable Executable Injection
T1055.003 - Thread Execution Hijacking
T1055.004 - Asynchronous Procedure Call
T1055.005 - Thread Local Storage
T1055.008 - Ptrace System Calls
T1055.009 - Proc Memory
T1055.011 - Extra Window Memory Injection
T1055.012 - Process Hollowing
T1055.013 - Process Doppelgänging
T1055.014 - VDSO Hijacking
T1055.015 - ListPlanting
T1056 - Input Capture
T1056.001 - Keylogging
T1056.002 - GUI Input Capture
T1056.003 - Web Portal Capture
T1056.004 - Credential API Hooking
T1057 - Process Discovery
T1058 - Service Registry Permissions Weakness
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.002 - AppleScript
T1059.003 - Windows Command Shell
T1059.004 - Unix Shell
T1059.005 - Visual Basic
T1059.006 - Python
T1059.007 - JavaScript
T1059.008 - Network Device CLI
T1059.009 - Cloud API
T1059.010 - AutoHotKey & AutoIT
T1060 - Registry Run Keys / Startup Folder
T1061 - Graphical User Interface
T1062 - Hypervisor
T1063 - Security Software Discovery
T1064 - Scripting
T1065 - Uncommonly Used Port
T1066 - Indicator Removal from Tools
T1067 - Bootkit
T1068 - Exploitation for Privilege Escalation
T1069 - Permission Groups Discovery
T1069.001 - Local Groups
T1069.002 - Domain Groups
T1069.003 - Cloud Groups
T1070 - Indicator Removal
T1070.001 - Clear Windows Event Logs
T1070.002 - Clear Linux or Mac System Logs
T1070.003 - Clear Command History
T1070.004 - File Deletion
T1070.005 - Network Share Connection Removal
T1070.006 - Timestomp
T1070.007 - Clear Network Connection History and Configurations
T1070.008 - Clear Mailbox Data
T1070.009 - Clear Persistence
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1071.002 - File Transfer Protocols
T1071.003 - Mail Protocols
T1071.004 - DNS
T1072 - Software Deployment Tools
T1073 - DLL Side-Loading
T1074 - Data Staged
T1074.001 - Local Data Staging
T1074.002 - Remote Data Staging
T1075 - Pass the Hash
T1076 - Remote Desktop Protocol
T1077 - Windows Admin Shares
T1078 - Valid Accounts
T1078.001 - Default Accounts
T1078.002 - Domain Accounts
T1078.003 - Local Accounts
T1078.004 - Cloud Accounts
T1079 - Multilayer Encryption
T1080 - Taint Shared Content
T1081 - Credentials in Files
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1084 - Windows Management Instrumentation Event Subscription
T1085 - Rundll32
T1086 - PowerShell
T1087 - Account Discovery
T1087.001 - Local Account
T1087.002 - Domain Account
T1087.003 - Email Account
T1087.004 - Cloud Account
T1088 - Bypass User Account Control
T1089 - Disabling Security Tools
T1090 - Proxy
T1090.001 - Internal Proxy
T1090.002 - External Proxy
T1090.003 - Multi-hop Proxy
T1090.004 - Domain Fronting
T1091 - Replication Through Removable Media
T1092 - Communication Through Removable Media
T1093 - Process Hollowing
T1094 - Custom Command and Control Protocol
T1095 - Non-Application Layer Protocol
T1096 - NTFS File Attributes
T1097 - Pass the Ticket
T1098 - Account Manipulation
T1098.001 - Additional Cloud Credentials
T1098.002 - Additional Email Delegate Permissions
T1098.003 - Additional Cloud Roles
T1098.004 - SSH Authorized Keys
T1098.005 - Device Registration
T1098.006 - Additional Container Cluster Roles
T1099 - Timestomp
T1100 - Web Shell
T1101 - Security Support Provider
T1102 - Web Service
T1102.001 - Dead Drop Resolver
T1102.002 - Bidirectional Communication
T1102.003 - One-Way Communication
T1103 - AppInit DLLs
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106 - Native API
T1107 - File Deletion
T1108 - Redundant Access
T1109 - Component Firmware
T1110 - Brute Force
T1110.001 - Password Guessing
T1110.002 - Password Cracking
T1110.003 - Password Spraying
T1110.004 - Credential Stuffing
T1111 - Multi-Factor Authentication Interception
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1114.001 - Local Email Collection
T1114.002 - Remote Email Collection
T1114.003 - Email Forwarding Rule
T1115 - Clipboard Data
T1116 - Code Signing
T1117 - Regsvr32
T1118 - InstallUtil
T1119 - Automated Collection
T1120 - Peripheral Device Discovery
T1121 - Regsvcs/Regasm
T1122 - Component Object Model Hijacking
T1123 - Audio Capture
T1124 - System Time Discovery
T1125 - Video Capture
T1126 - Network Share Connection Removal
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - MSBuild
T1128 - Netsh Helper DLL
T1129 - Shared Modules
T1130 - Install Root Certificate
T1131 - Authentication Package
T1132 - Data Encoding
T1132.001 - Standard Encoding
T1132.002 - Non-Standard Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1134.001 - Token Impersonation/Theft
T1134.002 - Create Process with Token
T1134.003 - Make and Impersonate Token
T1134.004 - Parent PID Spoofing
T1134.005 - SID-History Injection
T1135 - Network Share Discovery
T1136 - Create Account
T1136.001 - Local Account
T1136.002 - Domain Account
T1136.003 - Cloud Account
T1137 - Office Application Startup
T1137.001 - Office Template Macros
T1137.002 - Office Test
T1137.003 - Outlook Forms
T1137.004 - Outlook Home Page
T1137.005 - Outlook Rules
T1137.006 - Add-ins
T1138 - Application Shimming
T1139 - Bash History
T1140 - Deobfuscate/Decode Files or Information
T1141 - Input Prompt
T1142 - Keychain
T1143 - Hidden Window
T1144 - Gatekeeper Bypass
T1145 - Private Keys
T1146 - Clear Command History
T1147 - Hidden Users
T1148 - HISTCONTROL
T1149 - LC_MAIN Hijacking
T1150 - Plist Modification
T1151 - Space after Filename
T1152 - Launchctl
T1153 - Source
T1154 - Trap
T1155 - AppleScript
T1156 - Malicious Shell Modification
T1157 - Dylib Hijacking
T1158 - Hidden Files and Directories
T1159 - Launch Agent
T1160 - Launch Daemon
T1161 - LC_LOAD_DYLIB Addition
T1162 - Login Item
T1163 - Rc.common
T1164 - Re-opened Applications
T1165 - Startup Items
T1166 - Setuid and Setgid
T1167 - Securityd Memory
T1168 - Local Job Scheduling
T1169 - Sudo
T1170 - Mshta
T1171 - LLMNR/NBT-NS Poisoning and Relay
T1172 - Domain Fronting
T1173 - Dynamic Data Exchange
T1174 - Password Filter DLL
T1175 - Component Object Model and Distributed COM
T1176 - Browser Extensions
T1177 - LSASS Driver
T1178 - SID-History Injection
T1179 - Hooking
T1180 - Screensaver
T1181 - Extra Window Memory Injection
T1182 - AppCert DLLs
T1183 - Image File Execution Options Injection
T1184 - SSH Hijacking
T1185 - Browser Session Hijacking
T1186 - Process Doppelgänging
T1187 - Forced Authentication
T1188 - Multi-hop Proxy
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1191 - CMSTP
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1194 - Spearphishing via Service
T1195 - Supply Chain Compromise
T1195.001 - Compromise Software Dependencies and Development Tools
T1195.002 - Compromise Software Supply Chain
T1195.003 - Compromise Hardware Supply Chain
T1196 - Control Panel Items
T1197 - BITS Jobs
T1198 - SIP and Trust Provider Hijacking
T1199 - Trusted Relationship
T1200 - Hardware Additions
T1201 - Password Policy Discovery
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1204.003 - Malicious Image
T1205 - Traffic Signaling
T1205.001 - Port Knocking
T1205.002 - Socket Filters
T1206 - Sudo Caching
T1207 - Rogue Domain Controller
T1208 - Kerberoasting
T1209 - Time Providers
T1210 - Exploitation of Remote Services
T1211 - Exploitation for Defense Evasion
T1212 - Exploitation for Credential Access
T1213 - Data from Information Repositories
T1213.001 - Confluence
T1213.002 - Sharepoint
T1213.003 - Code Repositories
T1214 - Credentials in Registry
T1215 - Kernel Modules and Extensions
T1216 - System Script Proxy Execution
T1216.001 - PubPrn
T1216.002 - SyncAppvPublishingServer
T1217 - Browser Information Discovery
T1218 - System Binary Proxy Execution
T1218.001 - Compiled HTML File
T1218.002 - Control Panel
T1218.003 - CMSTP
T1218.004 - InstallUtil
T1218.005 - Mshta
T1218.007 - Msiexec
T1218.008 - Odbcconf
T1218.009 - Regsvcs/Regasm
T1218.010 - Regsvr32
T1218.011 - Rundll32
T1218.012 - Verclsid
T1218.013 - Mavinject
T1218.014 - MMC
T1218.015 - Electron Applications
T1219 - Remote Access Software
T1220 - XSL Script Processing
T1221 - Template Injection
T1222 - File and Directory Permissions Modification
T1222.001 - Windows File and Directory Permissions Modification
T1222.002 - Linux and Mac File and Directory Permissions Modification
T1223 - Compiled HTML File
T1480 - Execution Guardrails
T1480.001 - Environmental Keying
T1482 - Domain Trust Discovery
T1483 - Domain Generation Algorithms
T1484 - Domain or Tenant Policy Modification
T1484.001 - Group Policy Modification
T1484.002 - Trust Modification
T1485 - Data Destruction
T1486 - Data Encrypted for Impact
T1487 - Disk Structure Wipe
T1488 - Disk Content Wipe
T1489 - Service Stop
T1490 - Inhibit System Recovery
T1491 - Defacement
T1491.001 - Internal Defacement
T1491.002 - External Defacement
T1492 - Stored Data Manipulation
T1493 - Transmitted Data Manipulation
T1494 - Runtime Data Manipulation
T1495 - Firmware Corruption
T1496 - Resource Hijacking
T1497 - Virtualization/Sandbox Evasion
T1497.001 - System Checks
T1497.002 - User Activity Based Checks
T1497.003 - Time Based Evasion
T1498 - Network Denial of Service
T1498.001 - Direct Network Flood
T1498.002 - Reflection Amplification
T1499 - Endpoint Denial of Service
T1499.001 - OS Exhaustion Flood
T1499.002 - Service Exhaustion Flood
T1499.003 - Application Exhaustion Flood
T1499.004 - Application or System Exploitation
T1500 - Compile After Delivery
T1501 - Systemd Service
T1502 - Parent PID Spoofing
T1503 - Credentials from Web Browsers
T1504 - PowerShell Profile
T1505 - Server Software Component
T1505.001 - SQL Stored Procedures
T1505.002 - Transport Agent
T1505.003 - Web Shell
T1505.004 - IIS Components
T1505.005 - Terminal Services DLL
T1506 - Web Session Cookie
T1514 - Elevated Execution with Prompt
T1518 - Software Discovery
T1518.001 - Security Software Discovery
T1519 - Emond
T1522 - Cloud Instance Metadata API
T1525 - Implant Internal Image
T1526 - Cloud Service Discovery
T1527 - Application Access Token
T1528 - Steal Application Access Token
T1529 - System Shutdown/Reboot
T1530 - Data from Cloud Storage
T1531 - Account Access Removal
T1534 - Internal Spearphishing
T1535 - Unused/Unsupported Cloud Regions
T1536 - Revert Cloud Instance
T1537 - Transfer Data to Cloud Account
T1538 - Cloud Service Dashboard
T1539 - Steal Web Session Cookie
T1542 - Pre-OS Boot
T1542.001 - System Firmware
T1542.002 - Component Firmware
T1542.003 - Bootkit
T1542.004 - ROMMONkit
T1542.005 - TFTP Boot
T1543 - Create or Modify System Process
T1543.001 - Launch Agent
T1543.002 - Systemd Service
T1543.003 - Windows Service
T1543.004 - Launch Daemon
T1543.005 - Container Service
T1546 - Event Triggered Execution
T1546.001 - Change Default File Association
T1546.002 - Screensaver
T1546.003 - Windows Management Instrumentation Event Subscription
T1546.004 - Unix Shell Configuration Modification
T1546.005 - Trap
T1546.006 - LC_LOAD_DYLIB Addition
T1546.007 - Netsh Helper DLL
T1546.008 - Accessibility Features
T1546.009 - AppCert DLLs
T1546.010 - AppInit DLLs
T1546.011 - Application Shimming
T1546.012 - Image File Execution Options Injection
T1546.013 - PowerShell Profile
T1546.014 - Emond
T1546.015 - Component Object Model Hijacking
T1546.016 - Installer Packages
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1547.002 - Authentication Package
T1547.003 - Time Providers
T1547.004 - Winlogon Helper DLL
T1547.005 - Security Support Provider
T1547.006 - Kernel Modules and Extensions
T1547.007 - Re-opened Applications
T1547.008 - LSASS Driver
T1547.009 - Shortcut Modification
T1547.010 - Port Monitors
T1547.011 - Plist Modification
T1547.012 - Print Processors
T1547.013 - XDG Autostart Entries
T1547.014 - Active Setup
T1547.015 - Login Items
T1548 - Abuse Elevation Control Mechanism
T1548.001 - Setuid and Setgid
T1548.002 - Bypass User Account Control
T1548.003 - Sudo and Sudo Caching
T1548.004 - Elevated Execution with Prompt
T1548.005 - Temporary Elevated Cloud Access
T1548.006 - TCC Manipulation
T1550 - Use Alternate Authentication Material
T1550.001 - Application Access Token
T1550.002 - Pass the Hash
T1550.003 - Pass the Ticket
T1550.004 - Web Session Cookie
T1552 - Unsecured Credentials
T1552.001 - Credentials In Files
T1552.002 - Credentials in Registry
T1552.003 - Bash History
T1552.004 - Private Keys
T1552.005 - Cloud Instance Metadata API
T1552.006 - Group Policy Preferences
T1552.007 - Container API
T1552.008 - Chat Messages
T1553 - Subvert Trust Controls
T1553.001 - Gatekeeper Bypass
T1553.002 - Code Signing
T1553.003 - SIP and Trust Provider Hijacking
T1553.004 - Install Root Certificate
T1553.005 - Mark-of-the-Web Bypass
T1553.006 - Code Signing Policy Modification
T1554 - Compromise Host Software Binary
T1555 - Credentials from Password Stores
T1555.001 - Keychain
T1555.002 - Securityd Memory
T1555.003 - Credentials from Web Browsers
T1555.004 - Windows Credential Manager
T1555.005 - Password Managers
T1555.006 - Cloud Secrets Management Stores
T1556 - Modify Authentication Process
T1556.001 - Domain Controller Authentication
T1556.002 - Password Filter DLL
T1556.003 - Pluggable Authentication Modules
T1556.004 - Network Device Authentication
T1556.005 - Reversible Encryption
T1556.006 - Multi-Factor Authentication
T1556.007 - Hybrid Identity
T1556.008 - Network Provider DLL
T1556.009 - Conditional Access Policies
T1557 - Adversary-in-the-Middle
T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay
T1557.002 - ARP Cache Poisoning
T1557.003 - DHCP Spoofing
T1558 - Steal or Forge Kerberos Tickets
T1558.001 - Golden Ticket
T1558.002 - Silver Ticket
T1558.003 - Kerberoasting
T1558.004 - AS-REP Roasting
T1559 - Inter-Process Communication
T1559.001 - Component Object Model
T1559.002 - Dynamic Data Exchange
T1559.003 - XPC Services
T1560 - Archive Collected Data
T1560.001 - Archive via Utility
T1560.002 - Archive via Library
T1560.003 - Archive via Custom Method
T1561 - Disk Wipe
T1561.001 - Disk Content Wipe
T1561.002 - Disk Structure Wipe
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1562.002 - Disable Windows Event Logging
T1562.003 - Impair Command History Logging
T1562.004 - Disable or Modify System Firewall
T1562.006 - Indicator Blocking
T1562.007 - Disable or Modify Cloud Firewall
T1562.008 - Disable or Modify Cloud Logs
T1562.009 - Safe Mode Boot
T1562.010 - Downgrade Attack
T1562.011 - Spoof Security Alerting
T1562.012 - Disable or Modify Linux Audit System
T1563 - Remote Service Session Hijacking
T1563.001 - SSH Hijacking
T1563.002 - RDP Hijacking
T1564 - Hide Artifacts
T1564.001 - Hidden Files and Directories
T1564.002 - Hidden Users
T1564.003 - Hidden Window
T1564.004 - NTFS File Attributes
T1564.005 - Hidden File System
T1564.006 - Run Virtual Instance
T1564.007 - VBA Stomping
T1564.008 - Email Hiding Rules
T1564.009 - Resource Forking
T1564.010 - Process Argument Spoofing
T1564.011 - Ignore Process Interrupts
T1564.012 - File/Path Exclusions
T1565 - Data Manipulation
T1565.001 - Stored Data Manipulation
T1565.002 - Transmitted Data Manipulation
T1565.003 - Runtime Data Manipulation
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1566.003 - Spearphishing via Service
T1566.004 - Spearphishing Voice
T1567 - Exfiltration Over Web Service
T1567.001 - Exfiltration to Code Repository
T1567.002 - Exfiltration to Cloud Storage
T1567.003 - Exfiltration to Text Storage Sites
T1567.004 - Exfiltration Over Webhook
T1568 - Dynamic Resolution
T1568.001 - Fast Flux DNS
T1568.002 - Domain Generation Algorithms
T1568.003 - DNS Calculation
T1569 - System Services
T1569.001 - Launchctl
T1569.002 - Service Execution
T1570 - Lateral Tool Transfer
T1571 - Non-Standard Port
T1572 - Protocol Tunneling
T1573 - Encrypted Channel
T1573.001 - Symmetric Cryptography
T1573.002 - Asymmetric Cryptography
T1574 - Hijack Execution Flow
T1574.001 - DLL Search Order Hijacking
T1574.002 - DLL Side-Loading
T1574.004 - Dylib Hijacking
T1574.005 - Executable Installer File Permissions Weakness
T1574.006 - Dynamic Linker Hijacking
T1574.007 - Path Interception by PATH Environment Variable
T1574.008 - Path Interception by Search Order Hijacking
T1574.009 - Path Interception by Unquoted Path
T1574.010 - Services File Permissions Weakness
T1574.011 - Services Registry Permissions Weakness
T1574.012 - COR_PROFILER
T1574.013 - KernelCallbackTable
T1574.014 - AppDomainManager
T1578 - Modify Cloud Compute Infrastructure
T1578.001 - Create Snapshot
T1578.002 - Create Cloud Instance
T1578.003 - Delete Cloud Instance
T1578.004 - Revert Cloud Instance
T1578.005 - Modify Cloud Compute Configurations
T1580 - Cloud Infrastructure Discovery
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1583.002 - DNS Server
T1583.003 - Virtual Private Server
T1583.004 - Server
T1583.005 - Botnet
T1583.006 - Web Services
T1583.007 - Serverless
T1583.008 - Malvertising
T1584 - Compromise Infrastructure
T1584.001 - Domains
T1584.002 - DNS Server
T1584.003 - Virtual Private Server
T1584.004 - Server
T1584.005 - Botnet
T1584.006 - Web Services
T1584.007 - Serverless
T1584.008 - Network Devices
T1585 - Establish Accounts
T1585.001 - Social Media Accounts
T1585.002 - Email Accounts
T1585.003 - Cloud Accounts
T1586 - Compromise Accounts
T1586.001 - Social Media Accounts
T1586.002 - Email Accounts
T1586.003 - Cloud Accounts
T1587 - Develop Capabilities
T1587.001 - Malware
T1587.002 - Code Signing Certificates
T1587.003 - Digital Certificates
T1587.004 - Exploits
T1588 - Obtain Capabilities
T1588.001 - Malware
T1588.002 - Tool
T1588.003 - Code Signing Certificates
T1588.004 - Digital Certificates
T1588.005 - Exploits
T1588.006 - Vulnerabilities
T1588.007 - Artificial Intelligence
T1589 - Gather Victim Identity Information
T1589.001 - Credentials
T1589.002 - Email Addresses
T1589.003 - Employee Names
T1590 - Gather Victim Network Information
T1590.001 - Domain Properties
T1590.002 - DNS
T1590.003 - Network Trust Dependencies
T1590.004 - Network Topology
T1590.005 - IP Addresses
T1590.006 - Network Security Appliances
T1591 - Gather Victim Org Information
T1591.001 - Determine Physical Locations
T1591.002 - Business Relationships
T1591.003 - Identify Business Tempo
T1591.004 - Identify Roles
T1592 - Gather Victim Host Information
T1592.001 - Hardware
T1592.002 - Software
T1592.003 - Firmware
T1592.004 - Client Configurations
T1593 - Search Open Websites/Domains
T1593.001 - Social Media
T1593.002 - Search Engines
T1593.003 - Code Repositories
T1594 - Search Victim-Owned Websites
T1595 - Active Scanning
T1595.001 - Scanning IP Blocks
T1595.002 - Vulnerability Scanning
T1595.003 - Wordlist Scanning
T1596 - Search Open Technical Databases
T1596.001 - DNS/Passive DNS
T1596.002 - WHOIS
T1596.003 - Digital Certificates
T1596.004 - CDNs
T1596.005 - Scan Databases
T1597 - Search Closed Sources
T1597.001 - Threat Intel Vendors
T1597.002 - Purchase Technical Data
T1598 - Phishing for Information
T1598.001 - Spearphishing Service
T1598.002 - Spearphishing Attachment
T1598.003 - Spearphishing Link
T1598.004 - Spearphishing Voice
T1599 - Network Boundary Bridging
T1599.001 - Network Address Translation Traversal
T1600 - Weaken Encryption
T1600.001 - Reduce Key Space
T1600.002 - Disable Crypto Hardware
T1601 - Modify System Image
T1601.001 - Patch System Image
T1601.002 - Downgrade System Image
T1602 - Data from Configuration Repository
T1602.001 - SNMP (MIB Dump)
T1602.002 - Network Device Configuration Dump
T1606 - Forge Web Credentials
T1606.001 - Web Cookies
T1606.002 - SAML Tokens
T1608 - Stage Capabilities
T1608.001 - Upload Malware
T1608.002 - Upload Tool
T1608.003 - Install Digital Certificate
T1608.004 - Drive-by Target
T1608.005 - Link Target
T1608.006 - SEO Poisoning
T1609 - Container Administration Command
T1610 - Deploy Container
T1611 - Escape to Host
T1612 - Build Image on Host
T1613 - Container and Resource Discovery
T1614 - System Location Discovery
T1614.001 - System Language Discovery
T1615 - Group Policy Discovery
T1619 - Cloud Storage Object Discovery
T1620 - Reflective Code Loading
T1621 - Multi-Factor Authentication Request Generation
T1622 - Debugger Evasion
T1647 - Plist File Modification
T1648 - Serverless Execution
T1649 - Steal or Forge Authentication Certificates
T1650 - Acquire Access
T1651 - Cloud Administration Command
T1652 - Device Driver Discovery
T1653 - Power Settings
T1654 - Log Enumeration
T1656 - Impersonation
T1657 - Financial Theft
T1659 - Content Injection
T1665 - Hide Infrastructure
Access Control Configuration
Access Control Group
Access Control List
Access Mediator
Access Process
Access Token
Activity Dependency
Address Space
Administrative Network Traffic
Alias
Allocate Memory
Application
Application Configuration
Application Configuration Database
Application Configuration Database Record
Application Configuration File
Application Installer
Application Inventory Sensor
Application Layer Firewall
Application Layer Link
Application Process
Application Process Configuration
Application Rule
Application Shim
Archive File
Artifact Server
Asymmetric Key
Audio Input Device
Authenticate User
Authentication
Authentication Function
Authentication Log
Authentication Server
Authentication Service
Authorization
Authorization Log
Authorization Service
Barcode Scanner Input Device
Binary Large Object
Binary Segment
Block Device
Boot Loader
Boot Record
Boot Sector
Browser
Browser Extension
Build Tool
Business Communication Platform Client
CA Certificate File
Processor Cache Memory
Call Stack
Central Processing Unit
Certificate
Certificate File
Certificate Trust Store
Chatroom Client
Child Process
Client Application
Client Computer
Clipboard
Cloud Configuration
Cloud Instance Metadata
Cloud Service Authentication
Cloud Service Authorization
Cloud Service Sensor
Cloud Storage
Cloud User Account
Code Analyzer
Code Repository
Collaborative Software
Network Agent
Command
Command History Log
Command History Log File
Command Line Interface
Compiler
Compiler Configuration File
Computer Network Node
Computer Platform
Computing Server
Configuration Database
Configuration Database Record
Configuration File
Configuration Management Database
Configuration Resource
Connect Socket
Console Output Function
Container Build Tool
Container Image
Container Orchestration Software
Container Process
Container Runtime
Copy Memory Function
Copy Token
Create File
Create Process
Create Socket
Create Thread
Credential
Credential Management System
Cryptographic Key
Custom Archive File
Cyber Sensor
DHCP Network Traffic
DHCP Server
DNS Lookup
DNS Network Traffic
DNS Record
DNS Server
Data Artifact Server
Data Dependency
Data Link Link
Database
Database File
Database Query
Database Server
Decoy Artifact
Default User Account
Delete File
Dependency
Deserialization Function
Desktop Computer
Developer Application
Dial Up Modem
Digital Artifact
Digital Fingerprint
Digital Information
Digital Information Bearer
Digital System
Directory
Directory Service
Display Adapter
Display Device Driver
Display Server
Document File
Domain Name
Domain Registration
Domain User Account
Dynamic Analysis Tool
Email
Email Attachment
Email Rule
Embedded Computer
Enclave
Encrypted Credential
Encrypted Password
Endpoint Sensor
Eval Function
Event Log
Exception Handler
Exec
Executable Binary
Executable File
Executable Script
External Content Inclusion Function
Fast Symbolic Link
File
File Hash
File Path Open Function
File Section
File Server
File Share Service
File System
File System Link
File System Metadata
File System Sensor
File Transfer Network Traffic
Finger Print Scanner Input Device
Firewall
Firmware
Firmware Sensor
First-stage Boot Loader
Flash Memory
Forward Proxy Server
Free Memory
Get Open Sockets
Get Open Windows
Get Running Processes
Get Screen Capture
Get System Config Value
Get System Network Config Value
Get System Time
Get Thread Context
Global User Account
Graphical User Interface
Graphics Card Firmware
Graphics Processing Unit
Group Policy
HTML File
Hard Disk Firmware
Hard Link
Hardware Device
Hardware Driver
Heap Segment
Host
Host-based Firewall
Host Configuration Sensor
Host Group
Hostname
Human Input Device Firmware
IP Address
IPC Network Traffic
IP Phone
Identifier
Image Code Segment
Image Data Segment
Image Scanner Input Device
Image Segment
Impersonate User
Import Library Function
In-memory Password Store
Inbound Internet DNS Response Traffic
Inbound Internet Mail Traffic
Inbound Internet Network Traffic
Inbound Network Traffic
Init Script
Input Device
Input Function
Instant Messaging Client
Integration Test Execution Tool
Internet DNS Lookup
Internet File Transfer Traffic
Internet Network
Internet Network Traffic
Interprocess Communication
Intranet Administrative Network Traffic
Intranet DNS Lookup
Intranet File Transfer Traffic
Intranet IPC Network Traffic
Intranet Multicast Network Traffic
Intranet Network
Intranet Network Traffic
Intranet RPC Network Traffic
Intranet Web Network Traffic
Intrusion Detection System
Intrusion Prevention System
Java Archive
JavaScript Blob
Job Schedule
Job Scheduler Software
Kerberos Ticket
Kerberos Ticket Granting Service Ticket
Kerberos Ticket Granting Ticket
Kerberos Ticket Granting Ticket Account
Kernel
Kernel API Sensor
Kernel Module
Kernel Process Table
Keyboard Input Device
Kiosk Computer
Laptop Computer
Legacy System
Link
Linux Clone
Linux Clone3
Linux Clone3 Argument CLONE_THREAD
Linux Clone Argument CLONE_THREAD
Linux Connect
Linux Creat
Linux Delete Module
Linux Execve
Linux Execveat
Linux Fork
Linux Init Module
Linux Kill Argument SIGKILL
Linux Mmap
Linux Mmap2
Linux Munmap
Linux Open Argument O_CREAT
Linux Open Argument O_RDONLY, O_WRONLY, O_RDWR
Linux OpenAt2 Argument O_CREAT
Linux OpenAt2 Argument O_RDONLY, O_WRONLY, O_RDWR
Linux OpenAt Argument O_CREAT
Linux OpenAt Argument O_RDONLY, O_WRONLY, O_RDWR
Linux Pause Process
Linux Pause Thread
Linux Ptrace Argument PTRACE_ATTACH
Linux Ptrace Argument PTRACE_CONT
Linux Ptrace Argument PTRACE_GETREGS
Linux Ptrace Argument PTRACE_INTERRUPT
Linux Ptrace Argument PTRACE_PEEKTEXT
Linux Ptrace Argument PTRACE_POKETEXT
Linux Ptrace Argument PTRACE_SETREGS
Linux Ptrace Argument PTRACE_DETACH
Linux Ptrace Argument PTRACE_TRACEME
Linux Read
Linux Readv
Linux Rename
Linux Renameat
Linux Renameat2
Linux Socket
Linux Socketcall Argument SYS_CONNECT
Linux Socketcall Argument SYS_SOCKET
Linux Time
Linux Unlink
Linux Unlinkat
Linux Vfork
Linux Write
Linux Writev
Linux _Exit
Load Module
Local Area Network
Local Area Network Traffic
Local Authentication Service
Local Authorization Service
Local Resource
Local Resource Access
Local User Account
Log
Log File
Log Message Function
Logical Link
Login Session
Logon User
MacOS Keychain
Mail Network Traffic
Mail Server
Mail Service
Mathematical Function
Media Server
Memory Address
Memory Address Space
Memory Allocation Function
Memory Block
Memory Extent
Memory Free Function
Memory Management Unit
Memory Management Unit Component
Memory Pool
Memory Protection Unit
Memory Word
Message Transfer Agent
Metadata
Microcode
Microsoft HTML Application
Mobile Phone
Modem
Mouse Input Device
Move File
Multimedia Document File
NTFS Hard Link
NTFS Junction Point
NTFS Link
NTFS Symbolic Link
Network
Network Card Firmware
Network Directory Resource
Network File Resource
Network File Share Resource
Network Flow
Network Flow Sensor
Network Init Script File Resource
Network Link
Network Node
Network Packet
Network Printer
Network Protocol Analyzer
Network Resource
Network Resource Access
Network Sensor
Network Service
Network Session
Network Time Server
Network Traffic
Network Traffic Analysis Software
OS API Access Process
OS API Allocate Memory
OS API Connect Socket
OS API Copy Token
OS API Create File
OS API Create Process
OS API Create Socket
OS API Create Thread
OS API Delete File
OS API Exec
OS API Free Memory
OS API Function
OS API Get System Time
OS API Get Thread Context
OS API Load Module
OS API Move File
OS API Open File
OS API Read File
OS API Read Memory
OS API Resume Process
OS API Resume Thread
OS API Save Registers
OS API Set Registers
OS API Set Thread Context
OS API Suspend Process
OS API Suspend Thread
OS API System Function
OS API Terminate Process
OS API Trace Process
OS API Trace Thread
OS API Unload Module
OS API Write File
OS API Write Memory
Object File
Office Application
Office Application File
Open File
Operating System
Operating System Configuration
Operating System Configuration Component
Operating System Configuration File
Operating System Executable File
Operating System File
Operating System Log File
Operating System Packaging Tool
Operating System Process
Operating System Shared Library File
Operations Center Computer
Optical Modem
Orchestration Controller
Orchestration Server
Orchestration Worker
Outbound Internet DNS Lookup Traffic
Outbound Internet Encrypted Remote Terminal Traffic
Outbound Internet Encrypted Traffic
Outbound Internet Encrypted Web Traffic
Outbound Internet File Transfer Traffic
Outbound Internet Mail Traffic
Outbound Internet Network Traffic
Outbound Internet RPC Traffic
Outbound Internet Web Traffic
Outbound Network Traffic
Output Device
POSIX Symbolic Link
Packet Log
Page
Page Frame
Page Table
Parent Process
Partition
Partition Table
Password
Password Database
Password File
Password Manager
Password Store
Peripheral Firmware
Peripheral Hub Firmware
Personal Computer
Physical Address
Physical Link
Pipe
Pointer
Pointer Dereferencing Function
PowerShell Profile Script
Primary Storage
Print Server
Private Key
Privileged User Account
Process
Process Code Segment
Process Data Segment
Process Environment Variable
Process Image
Process Segment
Process Start Function
Process Tree
Processor
Processor Component
Processor Register
Property List File
Proxy Server
Public Key
Python Package
Python Script File
RAM
RDP Session
RF Node
RF Receiver
RF Transceiver
RF Transmitter
ROM
RPC Network Traffic
Radio Modem
Raw Memory Access Function
Read File
Read Memory
Record
Remote Authentication Service
Remote Authorization Service
Remote Command
Remote Database Query
Remote Procedure Call
Remote Resource
Remote Session
Remote Terminal Session
Removable Media Device
Resource
Resource Access
Resource Fork
Resume Process
Resume Thread
Reverse Proxy Server
Router
SSH Session
Save Registers
Saved Instruction Pointer
Scheduled Job
Script Application Process
Second-stage Boot Loader
Secondary Storage
Security Token
Sensor
Serialization Function
Server
Service Account
Service Application
Service Application Process
Service Dependency
Session
Session Cookie
Set Registers
Set System Config Value
Set Thread Context
Shadow Stack
Shared Computer
Shared Library File
Shared Resource Access Function
Shim
Shim Database
Shortcut File
Slow Symbolic Link
Software
Software Artifact Server
Software Deployment Tool
Software Library
Software Library File
Software Package
Software Packaging Tool
Software Patch
Source Code Analyzer Tool
Stack Component
Stack Frame
Stack Frame Canary
Stack Segment
Startup Directory
Static Analysis Tool
Storage
Stored Procedure
String Format Function
Subroutine
Suspend Process
Suspend Thread
Switch
Symbolic Link
Symmetric Key
System Call
System Config System Call
System Configuration Database
System Configuration Database Record
System Configuration Init Database Record
System Configuration Init Resource
System Dependency
System Firewall Configuration
System Firmware
System Init Configuration
System Init Process
System Init Script
System Password Database
System Service Software
System Software
System Startup Directory
System Time Application
System Utilization Record
TFTP Network Traffic
TFTP Server
Tablet Computer
Terminate Process
Tertiary Storage
Test Execution Tool
Thin Client Computer
Thread
Thread Start Function
Ticket Granting Ticket
Trace Process
Trace Thread
Transducer Sensor
Translation Lookaside Buffer
Transport Link
Trust Store
URL
Unit Test Execution Tool
Unix Hard Link
Unix Link
User
User Account
User Action
User Application
User Behavior
User Group
User Init Configuration File
User Init Script
User Input Function
User Interface
User Logon Init Resource
User Process
User Startup Directory
User Startup Script File
User to User Message
Utility Software
VPN Server
Version Control Tool
Video Input Device
Virtual Address
Virtual Memory Space
Virtualization Software
Volume
Volume Boot Record
Web API Resource
Web Application Firewall
Web Application Server
Web Authentication
Web File Resource
Web Network Traffic
Web Resource
Web Resource Access
Web Script File
Web Server
Web Server Application
Wide Area Network
Windows OpenFile
Windows CreateFileA
Windows CreateProcessA
Windows CreateRemoteThread
Windows CreateThread
Windows DeleteFile
Windows DuplicateToken
Windows GetThreadContext
Windows NtGetThreadContext
Windows NtAllocateVirtualMemory
Windows NtAllocateVirtualMemoryEx
Windows NtCreateFile
Windows NtCreateMailslotFile
Windows NtCreateNamedPipeFile
Windows NtCreatePagingFile
Windows NtCreateProcess
Windows NtCreateProcessEx
Windows NtCreateThread
Windows NtCreateThreadEx
Windows NtDeleteFile
Windows NtDuplicateToken
Windows NtFlushInstructionCache
Windows NtFreeVirtualMemory
Windows NtOpenFile
Windows NtOpenProcess
Windows NtOpenThread
Windows NtProtectVirtualMemory
Windows NtQuerySystemTime
Windows NtReadFile
Windows NtReadFileScatter
Windows NtResumeThread
Windows NtSetInformationFile Argument FileDispositionInformation
Windows NtSetThreadContext
Windows NtSuspendProcess
Windows NtSuspendThread
Windows NtTerminateProcess
Windows NtWriteFile
Windows NtWriteFileGather
Windows NtWriteVirtualMemory
Windows OpenProcess
Windows OpenThread
Windows QueryPerformanceCounter
Windows ReadFile
Windows Registry
Windows Registry Key
Windows Registry Value
Windows ResumeThread
Windows SetThreadContext
Windows Shortcut File
Windows SuspendThread
Windows TerminateProcess
Windows VirtualAllocEx
Windows VirtualFree
Windows VirtualProtectEx
Windows WriteFile
Windows WriteProcessMemory
Wireless Access Point
Wireless Router
Write File
Write Memory
Zero Client Computer
D3-AM - Access Modeling
D3-AL - Account Locking
D3-ACA - Active Certificate Analysis
D3-ALLM - Active Logical Link Mapping
D3-APLM - Active Physical Link Mapping
D3-ANAA - Administrative Network Activity Analysis
D3-ACH - Application Configuration Hardening
D3-AH - Application Hardening
D3-AI - Asset Inventory
D3-AVE - Asset Vulnerability Enumeration
D3-ANCI - Authentication Cache Invalidation
D3-ANET - Authentication Event Thresholding
D3-AZET - Authorization Event Thresholding
D3-BAN - Biometric Authentication
D3-BA - Bootloader Authentication
D3-BDI - Broadcast Domain Isolation
D3-BSE - Byte Sequence Emulation
D3-CBAN - Certificate-based Authentication
D3-CA - Certificate Analysis
D3-CP - Certificate Pinning
D3-CSPP - Client-server Payload Profiling
D3-CI - Configuration Inventory
D3-CHN - Connected Honeynet
D3-CAA - Connection Attempt Analysis
D3-CIA - Container Image Analysis
D3-CCSA - Credential Compromise Scope Analysis
D3-CE - Credential Eviction
D3-CH - Credential Hardening
D3-CR - Credential Revocation
D3-CRO - Credential Rotation
D3-CTS - Credential Transmission Scoping
D3-DNSAL - DNS Allowlisting
D3-DNSCE - DNS Cache Eviction
D3-DNSDL - DNS Denylisting
D3-DNSTA - DNS Traffic Analysis
D3-DEM - Data Exchange Mapping
D3-DI - Data Inventory
D3-DQSA - Database Query String Analysis
D3-DCE - Dead Code Elimination
D3-DE - Decoy Environment
D3-DF - Decoy File
D3-DNR - Decoy Network Resource
D3-DO - Decoy Object
D3-DP - Decoy Persona
D3-DPR - Decoy Public Release
D3-DST - Decoy Session Token
D3-DUC - Decoy User Credential
D3-DPLM - Direct Physical Link Mapping
D3-DENCR - Disk Encryption
D3-DKE - Disk Erasure
D3-DKF - Disk Formatting
D3-DKP - Disk Partitioning
D3-DAM - Domain Account Monitoring
D3-DNRA - Domain Name Reputation Analysis
D3-DRT - Domain Registration Takedown
D3-DTP - Domain Trust Policy
D3-DLIC - Driver Load Integrity Checking
D3-DA - Dynamic Analysis
D3-EF - Email Filtering
D3-ER - Email Removal
D3-EFA - Emulated File Analysis
D3-ET - Encrypted Tunnels
D3-EHB - Endpoint Health Beacon
D3-EHPV - Exception Handler Pointer Validation
D3-EAL - Executable Allowlisting
D3-EDL - Executable Denylisting
D3-EI - Execution Isolation
D3-FAPA - File Access Pattern Analysis
D3-FA - File Analysis
D3-FC - File Carving
D3-FCOA - File Content Analysis
D3-FCR - File Content Rules
D3-FCA - File Creation Analysis
D3-FE - File Encryption
D3-FEV - File Eviction
D3-FHRA - File Hash Reputation Analysis
D3-FH - File Hashing
D3-FIM - File Integrity Monitoring
D3-FBA - Firmware Behavior Analysis
D3-FEMC - Firmware Embedded Monitoring Code
D3-FV - Firmware Verification
D3-FRDDL - Forward Resolution Domain Denylisting
D3-FRIDL - Forward Resolution IP Denylisting
D3-HBPI - Hardware-based Process Isolation
D3-HCI - Hardware Component Inventory
D3-HDDL - Hierarchical Domain Denylisting
D3-HDL - Homoglyph Denylisting
D3-HD - Homoglyph Detection
D3-HR - Host Reboot
D3-HS - Host Shutdown
D3-IOPR - IO Port Restriction
D3-IPCTA - IPC Traffic Analysis
D3-IPRA - IP Reputation Analysis
D3-IAA - Identifier Activity Analysis
D3-ID - Identifier Analysis
D3-IRA - Identifier Reputation Analysis
D3-ISVA - Inbound Session Volume Analysis
D3-ITF - Inbound Traffic Filtering
D3-IBCA - Indirect Branch Call Analysis
D3-IDA - Input Device Analysis
D3-IHN - Integrated Honeynet
D3-JFAPA - Job Function Access Pattern Analysis
D3-KBPI - Kernel-based Process Isolation
D3-LAM - Local Account Monitoring
D3-LFP - Local File Permissions
D3-LLM - Logical Link Mapping
D3-MAC - Mandatory Access Control
D3-MBT - Memory Boundary Tracking
D3-MA - Message Analysis
D3-MAN - Message Authentication
D3-MENCR - Message Encryption
D3-MH - Message Hardening
D3-MFA - Multi-factor Authentication
D3-NI - Network Isolation
D3-NM - Network Mapping
D3-NNI - Network Node Inventory
D3-NTA - Network Traffic Analysis
D3-NTCD - Network Traffic Community Deviation
D3-NTF - Network Traffic Filtering
D3-NTPM - Network Traffic Policy Mapping
D3-NTSA - Network Traffic Signature Analysis
D3-NVA - Network Vulnerability Assessment
D3-OE - Object Eviction
D3-OTP - One-time Password
D3-OSM - Operating System Monitoring
D3-OAM - Operational Activity Mapping
D3-ODM - Operational Dependency Mapping
D3-ORA - Operational Risk Assessment
D3-OM - Organization Mapping
D3-OTF - Outbound Traffic Filtering
D3-PCA - Passive Certificate Analysis
D3-PLLM - Passive Logical Link Mapping
D3-PHDURA - Per Host Download-Upload Ratio Analysis
D3-PFV - Peripheral Firmware Verification
D3-PLM - Physical Link Mapping
D3-PH - Platform Hardening
D3-PM - Platform Monitoring
D3-PAN - Pointer Authentication
D3-PA - Process Analysis
D3-PCSV - Process Code Segment Verification
D3-PE - Process Eviction
D3-PLA - Process Lineage Analysis
D3-PSEP - Process Segment Execution Prevention
D3-PSMD - Process Self-Modification Detection
D3-PSA - Process Spawn Analysis
D3-PS - Process Suspension
D3-PT - Process Termination
D3-PMAD - Protocol Metadata Anomaly Detection
D3-RFS - RF Shielding
D3-RTA - RPC Traffic Analysis
D3-RKD - Registry Key Deletion
D3-RIC - Reissue Credential
D3-RPA - Relay Pattern Analysis
D3-RTSD - Remote Terminal Session Detection
D3-RAPA - Resource Access Pattern Analysis
D3-RA - Restore Access
D3-RC - Restore Configuration
D3-RD - Restore Database
D3-RDI - Restore Disk Image
D3-RE - Restore Email
D3-RF - Restore File
D3-RNA - Restore Network Access
D3-RO - Restore Object
D3-RS - Restore Software
D3-RUAA - Restore User Account Access
D3-RRID - Reverse Resolution IP Denylisting
D3-SJA - Scheduled Job Analysis
D3-SEA - Script Execution Analysis
D3-SAOR - Segment Address Offset Randomization
D3-SMRA - Sender MTA Reputation Analysis
D3-SRA - Sender Reputation Analysis
D3-SBV - Service Binary Verification
D3-SVCDM - Service Dependency Mapping
D3-SDA - Session Duration Analysis
D3-ST - Session Termination
D3-SSC - Shadow Stack Comparisons
D3-SWI - Software Inventory
D3-SU - Software Update
D3-SFCV - Stack Frame Canary Validation
D3-SHN - Standalone Honeynet
D3-SPP - Strong Password Policy
D3-SCA - System Call Analysis
D3-SCF - System Call Filtering
D3-SCP - System Configuration Permissions
D3-SDM - System Daemon Monitoring
D3-SYSDM - System Dependency Mapping
D3-SFA - System File Analysis
D3-SFV - System Firmware Verification
D3-SICA - System Init Config Analysis
D3-SYSM - System Mapping
D3-SYSVA - System Vulnerability Assessment
D3-TBI - TPM Boot Integrity
D3-TAAN - Transfer Agent Authentication
D3-UA - URL Analysis
D3-URA - URL Reputation Analysis
D3-ULA - Unlock Account
D3-UAP - User Account Permissions
D3-UBA - User Behavior Analysis
D3-UDTA - User Data Transfer Analysis
D3-UGLPA - User Geolocation Logon Pattern Analysis
D3-USICA - User Session Init Config Analysis
D3-WSAA - Web Session Activity Analysis