ATT&CK Matrix For Enterprise
T1489 - Service Stop T1485 - Data Destruction T1593 - Search Open Websites/Domains Scanning IP Blocks
T1496 - Resource Hijacking T1486 - Data Encrypted for Impact Social Media Vulnerability Scanning
T1498 - Network Denial of Service T1565 - Data Manipulation Search Engines Wordlist Scanning
Direct Network Flood Stored Data Manipulation Code Repositories T1592 - Gather Victim Host Information
Reflection Amplification Transmitted Data Manipulation T1596 - Search Open Technical Databases Hardware
13 Techniques
T1490 - Inhibit System Recovery Runtime Data Manipulation DNS/Passive DNS Software
IP Addresses
ID: TA0010 Exfiltration Network Security Appliances
T1537 - Transfer Data to Cloud Account T1020 - Automated Exfiltration T1591 - Gather Victim Org Information
9 Techniques T1567 - Exfiltration Over Web Service T1030 - Data Transfer Size Limits Business Relationships
Exfiltration to Code Repository T1048 - Exfiltration Over Alternative Protocol Identify Business Tempo
The adversary is trying to steal data. Identify Roles
Exfiltration to Cloud Storage Exfiltration Over Symmetric Encrypted Non-C2 Protocol
T1052 - Exfiltration Over Physical Medium Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Dead Drop Resolver T1071 - Application Layer Protocol Link Target Botnet
Bidirectional Communication T1102 - Web Service Web Protocols SEO Poisoning Web Services
T1219 - Remote Access Software Digital Certificates Cloud Accounts
The adversary is trying to establish resources they can use to support operations.
T1132 - Data Encoding
T1090 - Proxy Standard Encoding Exploits T1584 - Compromise Infrastructure
16 Techniques Internal Proxy Vulnerabilities Domains
Non-Standard Encoding
External Proxy T1001 - Data Obfuscation T1585 - Establish Accounts DNS Server
The adversary is trying to communicate with compromised systems to control them.
Multi-hop Proxy Junk Data Social Media Accounts Virtual Private Server
T1125 - Video Capture T1557 - Adversary-in-the-Middle Domain Accounts T1133 - External Remote Services
9 Techniques
T1113 - Screen Capture LLMNR/NBT-NS Poisoning and SMB Relay Local Accounts T1200 - Hardware Additions
T1056 - Input Capture ARP Cache Poisoning Cloud Accounts T1566 - Phishing The adversary is trying to get into your network.
Keylogging DHCP Spoofing T1199 - Trusted Relationship Spearphishing Attachment
GUI Input Capture T1560 - Archive Collected Data T1195 - Supply Chain Compromise Spearphishing Link
Web Portal Capture Archive via Utility Compromise Software Dependencies and Development Tools Spearphishing via Service
Credential API Hooking Archive via Library Compromise Software Supply Chain
17 Techniques Compromise Hardware Supply Chain
T1114 - Email Collection Archive via Custom Method
Local Email Collection T1123 - Audio Capture T1091 - Replication Through Removable Media
The adversary is trying to gather data of interest to their goal.
Remote Email Collection T1119 - Automated Collection
Local Data Staging T1530 - Data from Cloud Storage T1204 - User Execution PowerShell
Remote Data Staging T1602 - Data from Configuration Repository Malicious Link AppleScript
T1025 - Data from Removable Media SNMP (MIB Dump) Malicious File Windows Command Shell
T1039 - Data from Network Shared Drive Network Device Configuration Dump Malicious Image Unix Shell
T1005 - Data from Local System T1213 - Data from Information Repositories T1569 - System Services Visual Basic
Pass the Hash T1570 - Lateral Tool Transfer Component Object Model
Pass the Ticket T1563 - Remote Service Session Hijacking Dynamic Data Exchange
9 Techniques
Web Session Cookie SSH Hijacking XPC Services
The adversary is trying to move through your environment.
T1080 - Taint Shared Content RDP Hijacking T1106 - Native API
T1072 - Software Deployment Tools T1021 - Remote Services T1053 - Scheduled Task/Job
T1497 - Virtualization/Sandbox Evasion T1087 - Account Discovery Default Accounts Additional Cloud Credentials
System Checks Local Account Domain Accounts Additional Email Delegate Permissions
User Activity Based Checks Domain Account Local Accounts Additional Cloud Roles
Time Based Evasion Email Account Cloud Accounts SSH Authorized Keys
T1124 - System Time Discovery Cloud Account T1205 - Traffic Signaling Device Registration
T1007 - System Service Discovery T1010 - Application Window Discovery Port Knocking T1197 - BITS Jobs
T1033 - System Owner/User Discovery T1217 - Browser Bookmark Discovery Socket Filters T1547 - Boot or Logon Autostart Execution
T1049 - System Network Connections Discovery T1580 - Cloud Infrastructure Discovery T1505 - Server Software Component Registry Run Keys / Startup Folder
T1016 - System Network Configuration Discovery T1538 - Cloud Service Dashboard SQL Stored Procedures Authentication Package
30 Techniques Transport Agent Time Providers
Internet Connection Discovery T1526 - Cloud Service Discovery
T1614 - System Location Discovery T1619 - Cloud Storage Object Discovery Web Shell Winlogon Helper DLL
The adversary is trying to figure out your environment.
System Language Discovery T1613 - Container and Resource Discovery IIS Components Security Support Provider
T1082 - System Information Discovery T1622 - Debugger Evasion Terminal Services DLL Kernel Modules and Extensions
T1518 - Software Discovery T1482 - Domain Trust Discovery T1053 - Scheduled Task/Job Re-opened Applications
Security Software Discovery T1083 - File and Directory Discovery At LSASS Driver
T1018 - Remote System Discovery T1615 - Group Policy Discovery Cron Shortcut Modification
T1012 - Query Registry T1046 - Network Service Discovery Scheduled Task Port Monitors
T1057 - Process Discovery T1135 - Network Share Discovery Systemd Timers Print Processors
T1069 - Permission Groups Discovery T1040 - Network Sniffing Container Orchestration Job XDG Autostart Entries
Services File Permissions Weakness T1543 - Create or Modify System Process T1220 - XSL Script Processing T1548 - Abuse Elevation Control Mechanism
Services Registry Permissions Weakness Launch Agent T1600 - Weaken Encryption Setuid and Setgid
COR_PROFILER Systemd Service Reduce Key Space Bypass User Account Control
KernelCallbackTable Windows Service Disable Crypto Hardware Sudo and Sudo Caching
T1068 - Exploitation for Privilege Escalation Launch Daemon T1497 - Virtualization/Sandbox Evasion Elevated Execution with Prompt
T1546 - Event Triggered Execution T1484 - Domain Policy Modification System Checks T1202 - Indirect Command Execution
Change Default File Association Group Policy Modification User Activity Based Checks T1564 - Hide Artifacts
Screensaver Domain Trust Modification Time Based Evasion Hidden Files and Directories
Windows Management Instrumentation Event Subscription T1611 - Escape to Host T1078 - Valid Accounts Hidden Users
Image File Execution Options Injection Web Session Cookie T1134 - Access Token Manipulation
Emond T1127 - Trusted Developer Utilities Proxy Execution Create Process with Token
Install Root Certificate Linux and Mac File and Directory Permissions Modification The adversary is trying to avoid being detected.
Mark-of-the-Web Bypass T1574 - Hijack Execution Flow
Indicator Removal from Tools Clear Network Connection History and Configurations
Hybrid Identity
Create Snapshot
Reversible Encryption
Multi-Factor Authentication
Hybrid Identity