ATT&CK Changes Between v18.1 and v19.0

[T1683.002] Generate Content: Audio-Visual Content

Current version: 1.0

Description:

Adversaries may create or manipulate audio, image, and video content to support targeting and malicious operations. Adversaries may also use synthetic voice recordings, real-time altered audio or video during live interactions, fabricated profile photos and identity documents, or video content depicting fabricated or impersonated individuals.(Citation: Nov AI Threat Tracker)

Content may be produced manually through editing tools, generated using AI-assisted tools, or produced using third-party synthetic services.(Citation: FBI 2025 AI Generate Content)(Citation: Europol Deepfakes) AI-assisted tools have enabled adversaries to produce synthetic media at scale and generate content that is more difficult to identify as inauthentic.

Audio-visual content produced through these methods may be used in support of other techniques, such as Phishing, Spearphishing via Service, Phishing for Information, Internal Spearphishing, Social Engineering, Financial Theft, or Establish Accounts.

[T1685.006] Disable or Modify Tools: Clear Linux or Mac System Logs

Current version: 1.0

Description:

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)

• /var/log/messages:: General and system-related messages
• /var/log/secure or /var/log/auth.log: Authentication logs
• /var/log/utmp or /var/log/wtmp: Login records
• /var/log/kern.log: Kernel logs
• /var/log/cron.log: Crond logs
• /var/log/maillog: Mail server logs
• /var/log/httpd/: Web server access and error logs

[T1685.005] Disable or Modify Tools: Clear Windows Event Logs

Current version: 1.0

Description:

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

With administrator privileges, the event logs can be cleared with the following utility commands:

• wevtutil cl system
• wevtutil cl application
• wevtutil cl security

These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell. For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.

[T1686.001] Disable or Modify System Firewall: Cloud Firewall

Current version: 1.0

Description:

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane.

For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Expel AWS)

[T1685.002] Disable or Modify Tools: Disable or Modify Cloud Log

Current version: 1.0

Description:

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality, for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Cloud Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading)

[T1685.004] Disable or Modify Tools: Disable or Modify Linux Audit System Log

Current version: 1.0

Description:

Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.

Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules, containing a sequence of auditctl commands loaded at boot time.(Citation: IzyKnows auditd threat detection 2022)(Citation: Red Hat Linux Disable or Mod)

With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with auditd daemon or use systemctl to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the /etc/audit/audit.rules or audit.conf files to ignore malicious activity.(Citation: ESET Ebury Feb 2014)

[T1686] Disable or Modify System Firewall

Current version: 1.0

Description:

Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port.(Citation: change_rdp_port_conti)

Adversaries may disable or modify firewalls using different behaviors, depending on the platform. For example, in ESXi, firewall rules may be modified directly via the esxcli (e.g., via esxcli network firewall set) or via the vCenter user interface.(Citation: Broadcom ESXi Firewall)(Citation: Trellix Rnasomhouse 2024)

[T1685] Disable or Modify Tools

Current version: 1.0

Description:

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.(Citation: SCADAfence_ransomware)

In addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).(Citation: Microsoft Lamin Sept 2017)(Citation: ETW Palantir)

More advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization’s ability to detect and respond to malicious activity.(Citation: Cocomazzi FIN7 Reboot)

[T1685.001] Disable or Modify Tools: Disable or Modify Windows Event Log

Current version: 1.0

Description:

Adversaries may disable or modify the Windows Event Log to limit data that can be leveraged for detections and audits. Windows Event Log records user and system activity such as login attempts and process creation.(Citation: EventLog_Core_Technologies) This data is used by security tools and analysts to generate detections.

The EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Microsoft Audit Policy)(Citation: Microsoft Adv Security Settings) auditpol.exe may also be used to set audit policies.(Citation: Microsoft auditpol)

Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog). Additionally, the service may be disabled by modifying the "Start" value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging)

There are several ways to disable the EventLog service via registry key modification. Without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) With Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.

Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:"Account Logon" /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)

[T1689] Downgrade Attack

Current version: 1.0

Description:

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.

Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreter or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing.(Citation: Praetorian TLS Downgrade Attack 2014) For example, PowerShell versions 5+ includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to impair defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike downgrade attack)(Citation: Google Cloud downgrade attack)(Citation: att_def_ps_logging)

Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: CrowdStrike Downgrade attack 2) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)

[T1684.002] Social Engineering: Email Spoofing

Current version: 1.0

Description:

Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.

Enterprise environments can use Domain-based Message Authentication, Reporting, and Conformance (DMARC) as an email authentication protocol that references results of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) configurations. SPF and DKIM are configured separately in DNS: SPF verifies that the sending server is authorized for the domain, while DKIM uses a digital signature to verify email integrity and domain authentication. Together, they validate email authenticity and specify how receiving servers should handle authentication failures. Without enforced identity authentication, adversaries may compromise the integrity of an authentication check with altered headers that would not have otherwise passed.(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC)

An example of a weak or absent DMARC policy is v=DMARC1; p=none; fo=1;. The p=none. The p=none indicates no action should be taken, and therefore no filtering action will take place, even if an email fails authentication checks (i.e., SPF and/or DKIM fail). When a DMARC policy indicates no action, the email will still be delivered to the victim’s inbox.(Citation: ic3-dprk)

Adversaries have abused weak or absent DMARC policies to circumvent authentication checks and conceal social engineering attempts. Adversaries can alter email headers to include legitimate domain names with fake usernames or impersonate legitimate users via Impersonation for Phishing. Additionally, adversaries may abuse Microsoft 365’s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend)

[T1687] Exploitation for Defense Impairment

Current version: 1.0

Description:

Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disable, or otherwise continue to impair their ability to prevent, detect, or respond to malicious activity.

Adversaries may exploit a system or application vulnerability to directly interfere with defensive mechanisms. Exploitation occurs when an adversary takes advantage of a programming error in software, services, or the operating system to execute adversary-controlled code, often with the goal of weakening or disabling protections.

Vulnerabilities may exist in security tools such as antivirus, endpoint detection and response (EDR), firewalls, or other monitoring solutions. Adversaries may use prior reconnaissance or perform discovery activities (e.g., Software Discovery) to identify defensive tools present in an environment and target them for exploitation.

Successful exploitation may allow adversaries to terminate security processes, disable protections, bypass enforcement mechanisms, or reduce the effectiveness of defensive controls. In some cases, vulnerabilities in cloud-based or SaaS infrastructure may also be leveraged to bypass built-in security boundaries or disrupt visibility and enforcement across environments.(Citation: Salesforce zero-day in facebook phishing attack)

[T1683] Generate Content

Current version: 1.0

Description:

Adversaries may create or generate content to support targeting and operations. This content may be used to establish personas, impersonate known individuals or organizations, and support Social Engineering, fraud, or influence activities. Written materials, audio, images, video, or other media may be developed and tailored to the target and objective.(Citation: IBM AI-Generated Content)

Content development may occur prior to or during an operation. Adversaries may develop or generate content in-house, source it through third parties, or produce it using AI-assisted tools. Adversaries may use AI to research targets, develop pretexts, and better understand the organizations and individuals they intend to target or deceive prior to generating content (i.e., Query Public AI Services); for obtaining access to AI tools used in content generation, see Artificial Intelligence.

Content may be leveraged in support of techniques such as Phishing, Phishing for Information, Social Engineering, Financial Theft, or Establish Accounts. Generated or developed content does not include malicious code or scripts (i.e., Develop Capabilities and Artificial Intelligence).

[T1684.001] Social Engineering: Impersonation

Current version: 1.0

Description:

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.

In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables Financial Theft.

Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as payment, request, or urgent to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.  

Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains) to substantiate their false identity.(Citation: Crowdstrike BEC)

There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)

[T1027.018] Obfuscated Files or Information: Invisible Unicode

Current version: 1.0

Description:

Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, or text. By inserting characters that do not visibly render, adversaries may hide data, alter how content is interpreted, or make malicious code appear as benign text or whitespace. Adversaries may encode these malicious payloads, using binary, Base64, or custom schemes, to be reconstructed at runtime through scripting features such as JavaScript Proxy traps, eval(), or other dynamic execution methods. This technique enables adversaries to evade visual inspection and basic static analysis by hiding malicious encoded content in innocuous text.(Citation: PUAs Unicode - Eriksen)(Citation: Tycoon2FA - Unicode)(Citation: Unicode - Veracode)

Unicode is a standardized character encoding model that assigns a unique numerical value, known as a code point, to every character across writing systems, enabling consistent text representation across platforms, applications, and languages. Code points are represented as U+ followed by a hexadecimal value and may be encoded using formats such as UTF-8 or UTF-16. Adversaries may abuse the valid code points in Unicode that are not visibly rendered but still take up bytes, such as zero-width spaces, variation selectors, or bidirectional formatting controls, to conceal malicious payloads.(Citation: Tycoon2FA - Unicode)(Citation: GlassWorm - Unicode)(Citation: Unicode and Hidden Prompts - Perets)

Adversaries may additionally exploit Private Use Area (PUA) characters, a range of code points reserved for custom assignment. PUA characters that are not defined by a font or application are typically rendered blank.(Citation: PUAs Unicode - Eriksen)

Unicode characters may also be leveraged in support of other techniques such as Phishing, Right-to-Left Override, or User Execution. For example, some adversaries may embed artificial intelligence (AI) prompt injections using invisible Unicode characters in emails or documents that appear benign when processed by AI systems.(Citation: LLMs and Unicode - Medium)(Citation: Invisible Prompt Injection - Trend Micro)

[T1685.003] Disable or Modify Tools: Modify or Spoof Tool UI

Current version: 1.0

Description:

Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response.

Adversaries may present misleading or falsified security tool interfaces (UIs) that display normal or healthy status indicators, even when underlying security tools have been disabled, degraded, or otherwise tampered with. Security tools typically provide visibility into system health, alerting, and operational status; by misrepresenting this information, adversaries can undermine defender trust in these signals and obscure the true security posture of the system.

This behavior is often used in conjunction with efforts to disable or modify tools, where adversaries first impair the functionality of defenses (e.g., EDR, logging agents) and then replace or mimic their interfaces to conceal the loss of visibility. By maintaining the appearance of normal operations, such as showing active protection, successful updates, or absence of threats, adversaries can delay investigation and response, enabling continued malicious activity.

For example, adversaries may display a fake Windows Security interface or system tray icon indicating a “protected” or “healthy” state after disabling Windows Defender or related services.(Citation: BlackBasta)

[T1686.002] Disable or Modify System Firewall: Network Device Firewall

Current version: 1.0

Description:

Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.

Adversaries may obtain access to devices such as routers, switches, or other perimeter/network devices and change access control lists (ACLs), security zones, or policy rules to permit otherwise blocked traffic. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Allowing access to internal network subsets may enable unrestricted inbound/outbound connectivity or open paths for command and control and lateral movement.

Adversaries may obtain access to network device management interfaces via Valid Accounts or by exploiting vulnerabilities. In some cases, threat actors may target firewalls and other network infrastructure that are exposed to the internet by leveraging weaknesses in public-facing applications (Exploit Public-Facing Application).(Citation: CVE-2024-55591 Detail)

Adversaries may also modify host networking configurations that indirectly manipulate system firewalls, such as adjusting interface bandwidth or network connection request thresholds.

[T1690] Prevent Command History Logging

Current version: 1.0

Description:

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they have done.

On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. The HISTFILE environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that " ls" will not be saved, but "ls" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.

On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft about_History prevent command history)(Citation: Sophos PowerShell Command History Forensics)

Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).

[T1682] Query Public AI Services

Current version: 1.0

Description:

Adversaries may query publicly accessible artificial intelligence (AI) services, such as large language models (LLMs), to support targeting and operations. In addition to searching websites or databases directly (i.e., Search Open Websites/Domains), adversaries may use AI services to synthesize, aggregate, and analyze publicly available information at scale. This may include identifying individuals or organizations to target, researching organizational structures and personnel, identifying technologies used by target organizations, researching business relationships to develop plausible pretexts for Social Engineering approaches, identifying contact information for use in Phishing or Phishing for Information, or gathering derogatory or sensitive information about individuals that may be used for extortion or coercion.(Citation: MSFT-AI)(Citation: GTIG AI Threat Tracker)

Information gathered through AI services may be leveraged for other behaviors, such as establishing operational resources (i.e., Generate Content or Establish Accounts. For obtaining access to AI tools and services, see Artificial Intelligence.

[T1688] Safe Mode Boot

Current version: 1.0

Description:

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Windows Startup Settings)(Citation: Sophos Safe Mode Boot)

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit)

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason safe mode boot)(Citation: BleepingComputer REvil 2021)

[T1684] Social Engineering

Current version: 1.0

Description:

Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of adversary-supplied instructions (i.e., introduction of malicious payloads or software), while minimizing technical indicators.

Adversaries may leverage trust-building methods across multiple channels (e.g., executive, vendor, or help desk scenarios, including AI-enabled voice interactions) to prompt user-authorized actions such as password resets, MFA changes, financial approvals, or the disclosure of sensitive information. Adversaries may also leverage common business communications and workflows such as email, collaboration platforms, voice communications, recruiting processes, help desk interactions, and SaaS consent mechanisms to make malicious requests appear routine and legitimate.(Citation: Proofpoint TA427 April 2024)(Citation: SE SentinelOne 2)(Citation: SE - Hackers Target Workday)

Additionally, adversaries have persuaded victims to take actions through references of current events, harnessing relevant themes to the work role or the organizations mission. For example, adversaries may use scare tactics (i.e., threaten repercussions for non-compliance) or otherwise incite victims’ emotions in order to generate a sense of urgency to take action.(Citation: SE Proofpoint)(Citation: SE SentinelOne)

This technique may include common social engineering patterns such as Phishing and Spearphishing Voice, often supported by convincing and targeted narratives.(Citation: SE SentinelOne 2)(Citation: Fortinet Trends 25-26)

[T1686.003] Disable or Modify System Firewall: Windows Host Firewall

Current version: 1.0

Description:

Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (domain, private, public), or adding, deleting, and modifying firewall rules to allow or restrict traffic.(Citation: Nearest Neighbor Volexity)

Adversaries may perform these modifications through multiple mechanisms depending on the Windows operating system and access level. For example, adversaries may use command-line utilities (e.g., netsh advfirewall or PowerShell cmdlets like Set-NetFirewallProfile, New-NetFirewallRule), Windows Registry modifications (e.g., altering firewall states and rule configurations via registry keys), or the Windows Control Panel to modify firewall settings through the Windows Security interface.

By disabling or modifying Windows firewall services, adversaries may enable access to remote services, open ports for command and control traffic, or configure rules for further actions.

[T1683.001] Generate Content: Written Content

Current version: 1.0

Description:

Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time.(Citation: GenAI Phishing)(Citation: GTIG AI Threat Tracker) Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools.

Written materials may impersonate legitimate government correspondence, diplomatic communications, or internal organizational documents to support targeting efforts. AI-assisted tools may also be used to tailor content to specific targets, industries, or regions. For example, adversaries may leverage AI to translate content into a target's native language or mimic the communication style of trusted senders.

Written content produced through these methods may be used in support of other techniques, such as Phishing, Spearphishing via Service, Phishing for Information, Internal Spearphishing, Social Engineering, Financial Theft, or Establish Accounts.

Written content does not include malicious code or scripts; for development of malicious code and scripts, see Develop Capabilities.

[T1548] Abuse Elevation Control Mechanism

Current version: 2.0

Version changed from: 1.5 → 2.0

[T1134] Access Token Manipulation

Current version: 3.0

Version changed from: 2.1 → 3.0

[T1574.014] Hijack Execution Flow: AppDomainManager

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1550.001] Use Alternate Authentication Material: Application Access Token

Current version: 2.0

Version changed from: 1.8 → 2.0

[T1055.004] Process Injection: Asynchronous Procedure Call

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1197] BITS Jobs

Current version: 2.0

Version changed from: 1.5 → 2.0

[T1027.001] Obfuscated Files or Information: Binary Padding

Current version: 2.0

Version changed from: 1.3 → 2.0

[T1564.013] Hide Artifacts: Bind Mounts

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1542.003] Pre-OS Boot: Bootkit

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1036.009] Masquerading: Break Process Trees

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1036.012] Masquerading: Browser Fingerprint

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1612] Build Image on Host

Current version: 2.0

Version changed from: 1.3 → 2.0

[T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control

Current version: 3.0

Version changed from: 2.2 → 3.0

[T1218.003] System Binary Proxy Execution: CMSTP

Current version: 3.0

Version changed from: 2.2 → 3.0

[T1574.012] Hijack Execution Flow: COR_PROFILER

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1070.003] Indicator Removal: Clear Command History

Current version: 2.0

Version changed from: 1.6 → 2.0

[T1070.008] Indicator Removal: Clear Mailbox Data

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1070.007] Indicator Removal: Clear Network Connection History and Configurations

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1070.009] Indicator Removal: Clear Persistence

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1127.002] Trusted Developer Utilities Proxy Execution: ClickOnce

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1078.004] Valid Accounts: Cloud Accounts

Current version: 2.0

Version changed from: 1.9 → 2.0

[T1553.002] Subvert Trust Controls: Code Signing

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1553.006] Subvert Trust Controls: Code Signing Policy Modification

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1027.010] Obfuscated Files or Information: Command Obfuscation

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1027.004] Obfuscated Files or Information: Compile After Delivery

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1218.001] System Binary Proxy Execution: Compiled HTML File

Current version: 3.0

Version changed from: 2.2 → 3.0

[T1542.002] Pre-OS Boot: Component Firmware

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1027.015] Obfuscated Files or Information: Compression

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1556.009] Modify Authentication Process: Conditional Access Policies

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1218.002] System Binary Proxy Execution: Control Panel

Current version: 3.0

Version changed from: 2.1 → 3.0

[T1578.002] Modify Cloud Compute Infrastructure: Create Cloud Instance

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1134.002] Access Token Manipulation: Create Process with Token

Current version: 2.0

Version changed from: 1.3 → 2.0

[T1578.001] Modify Cloud Compute Infrastructure: Create Snapshot

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1574.001] Hijack Execution Flow: DLL

Current version: 3.0

Version changed from: 2.1 → 3.0

[T1622] Debugger Evasion

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1078.001] Valid Accounts: Default Accounts

Current version: 2.0

Version changed from: 1.5 → 2.0

[T1678] Delay Execution

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1578.003] Modify Cloud Compute Infrastructure: Delete Cloud Instance

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1140] Deobfuscate/Decode Files or Information

Current version: 2.0

Version changed from: 1.4 → 2.0

[T1610] Deploy Container

Current version: 2.0

Version changed from: 1.4 → 2.0

[T1006] Direct Volume Access

Current version: 3.0

Version changed from: 2.3 → 3.0

[T1600.002] Weaken Encryption: Disable Crypto Hardware

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1078.002] Valid Accounts: Domain Accounts

Current version: 2.0

Version changed from: 1.5 → 2.0

[T1556.001] Modify Authentication Process: Domain Controller Authentication

Current version: 3.0

Version changed from: 2.1 → 3.0

[T1484] Domain or Tenant Policy Modification

Current version: 4.0

Version changed from: 3.2 → 4.0

[T1036.007] Masquerading: Double File Extension

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1601.002] Modify System Image: Downgrade System Image

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1574.004] Hijack Execution Flow: Dylib Hijacking

Current version: 3.0

Version changed from: 2.1 → 3.0

[T1027.007] Obfuscated Files or Information: Dynamic API Resolution

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking

Current version: 3.0

Version changed from: 2.1 → 3.0

[T1055.001] Process Injection: Dynamic-link Library Injection

Current version: 2.0

Version changed from: 1.4 → 2.0

[T1218.015] System Binary Proxy Execution: Electron Applications

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1548.004] Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1564.008] Hide Artifacts: Email Hiding Rules

Current version: 2.0

Version changed from: 1.4 → 2.0

[T1027.009] Obfuscated Files or Information: Embedded Payloads

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1027.013] Obfuscated Files or Information: Encrypted/Encoded File

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1480.001] Execution Guardrails: Environmental Keying

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1574.005] Hijack Execution Flow: Executable Installer File Permissions Weakness

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1480] Execution Guardrails

Current version: 2.0

Version changed from: 1.3 → 2.0

[T1211] Exploitation for Stealth

Current version: 2.0

Version changed from: 1.5 → 2.0

[T1564.014] Hide Artifacts: Extended Attributes

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1055.011] Process Injection: Extra Window Memory Injection

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1070.004] Indicator Removal: File Deletion

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1222] File and Directory Permissions Modification

Current version: 3.0

Version changed from: 2.3 → 3.0

[T1564.012] Hide Artifacts: File/Path Exclusions

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1027.011] Obfuscated Files or Information: Fileless Storage

Current version: 3.0

Version changed from: 2.1 → 3.0

[T1553.001] Subvert Trust Controls: Gatekeeper Bypass

Current version: 2.0

Version changed from: 1.3 → 2.0

[T1484.001] Domain or Tenant Policy Modification: Group Policy Modification

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1027.006] Obfuscated Files or Information: HTML Smuggling

Current version: 2.0

Version changed from: 1.3 → 2.0

[T1564.005] Hide Artifacts: Hidden File System

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1564.001] Hide Artifacts: Hidden Files and Directories

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1564.002] Hide Artifacts: Hidden Users

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1564.003] Hide Artifacts: Hidden Window

Current version: 2.0

Version changed from: 1.4 → 2.0

[T1564] Hide Artifacts

Current version: 2.0

Version changed from: 1.4 → 2.0

[T1574] Hijack Execution Flow

Current version: 2.0

Version changed from: 1.3 → 2.0

[T1556.007] Modify Authentication Process: Hybrid Identity

Current version: 2.0

Version changed from: 1.1 → 2.0

[T1564.011] Hide Artifacts: Ignore Process Interrupts

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1070] Indicator Removal

Current version: 3.0

Version changed from: 2.4 → 3.0

[T1027.005] Obfuscated Files or Information: Indicator Removal from Tools

Current version: 2.0

Version changed from: 1.2 → 2.0

[T1202] Indirect Command Execution

Current version: 2.0

Version changed from: 1.3 → 2.0

[T1553.004] Subvert Trust Controls: Install Root Certificate

Current version: 2.0

Version changed from: 1.3 → 2.0

[T1218.004] System Binary Proxy Execution: InstallUtil

Current version: 3.0

Version changed from: 2.1 → 3.0

[T1036.001] Masquerading: Invalid Code Signature

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1127.003] Trusted Developer Utilities Proxy Execution: JamPlus

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1027.016] Obfuscated Files or Information: Junk Code Insertion

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1574.013] Hijack Execution Flow: KernelCallbackTable

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1027.012] Obfuscated Files or Information: LNK Icon Smuggling

Current version: 2.0