| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may circumvent mechanisms designed to control el | t | 1 | Adversaries may circumvent mechanisms designed to control pr |
| > | evate privileges to gain higher-level permissions. Most mode | > | ivilege elevation to gain higher-level permissions. Most mod | ||
| > | rn systems contain native elevation control mechanisms that | > | ern systems contain native elevation control mechanisms that | ||
| > | are intended to limit privileges that a user can perform on | > | are intended to limit privileges that a user can perform on | ||
| > | a machine. Authorization has to be granted to specific users | > | a machine. Authorization has to be granted to specific user | ||
| > | in order to perform tasks that can be considered of higher | > | s in order to perform tasks that can be considered of higher | ||
| > | risk.(Citation: TechNet How UAC Works)(Citation: sudo man pa | > | risk.(Citation: TechNet How UAC Works)(Citation: sudo man p | ||
| > | ge 2018) An adversary can perform several methods to take ad | > | age 2018) An adversary can perform several methods to take a | ||
| > | vantage of built-in control mechanisms in order to escalate | > | dvantage of built-in control mechanisms in order to escalate | ||
| > | privileges on a system.(Citation: OSX Keydnap malware)(Citat | > | privileges on a system.(Citation: OSX Keydnap malware)(Cita | ||
| > | ion: Fortinet Fareit) | > | tion: Fortinet Fareit) |
eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/002",
"external_id": "T1548.002"
},
{
"source_name": "Davidson Windows",
"description": "Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.",
"url": "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html"
},
{
"source_name": "TechNet How UAC Works",
"description": "Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.",
"url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works"
},
{
"source_name": "SANS UAC Bypass",
"description": "Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.",
"url": "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass"
},
{
"source_name": "MSDN COM Elevation",
"description": "Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.",
"url": "https://msdn.microsoft.com/en-us/library/ms679687.aspx"
},
{
"source_name": "enigma0x3 Fileless UAC Bypass",
"description": "Nelson, M. (2016, August 15). \"Fileless\" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.",
"url": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
},
{
"source_name": "TechNet Inside UAC",
"description": "Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.",
"url": "https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx"
},
{
"source_name": "Fortinet Fareit",
"description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.",
"url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware"
},
{
"source_name": "Github UACMe",
"description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.",
"url": "https://github.com/hfiref0x/UACME"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak",
"Casey Smith"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:51:31.419000+00:00\", \"old_value\": \"2025-10-24 17:48:25.823000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.2\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}, \"root['external_references'][6]\": {\"source_name\": \"enigma0x3 sdclt app paths\", \"description\": \"Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.\", \"url\": \"https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/\"}, \"root['external_references'][7]\": {\"source_name\": \"enigma0x3 sdclt bypass\", \"description\": \"Nelson, M. (2017, March 17). \\\"Fileless\\\" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.\", \"url\": \"https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\"}}}",
"previous_version": "2.2",
"version_change": "2.2 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1047: Audit",
"M1051: Update Software",
"M1052: User Account Control"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0388: Detection Strategy for T1548.002 \u2013 Bypass User Account Control (UAC)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-30 14:40:20.187000+00:00",
"modified": "2026-04-15 19:51:53.527000+00:00",
"name": "Elevated Execution with Prompt",
"description": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. \n\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/004",
"external_id": "T1548.004"
},
{
"source_name": "AppleDocs AuthorizationExecuteWithPrivileges",
"description": "Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. Retrieved August 8, 2019.",
"url": "https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg"
},
{
"source_name": "Carbon Black Shlayer Feb 2019",
"description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.",
"url": "https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html"
},
{
"source_name": "Death by 1000 installers; it's all broken!",
"description": "Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. Retrieved August 8, 2019.",
"url": "https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8"
},
{
"source_name": "OSX Coldroot RAT",
"description": "Patrick Wardle. (2018, February 17). Tearing Apart the Undetected (OSX)Coldroot RAT. Retrieved August 8, 2019.",
"url": "https://objective-see.com/blog/blog_0x2A.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jimmy Astle, @AstleJimmy, Carbon Black",
"Erika Noerenberg, @gutterchurl, Carbon Black"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:51:53.527000+00:00\", \"old_value\": \"2025-10-24 17:49:16.860000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0395: macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-30 14:11:41.212000+00:00",
"modified": "2026-04-15 19:52:13.675000+00:00",
"name": "Setuid and Setgid",
"description": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac Permissions](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \"shell escape\" or other actions to bypass an execution environment with restricted permissions.\n\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/001",
"external_id": "T1548.001"
},
{
"source_name": "GTFOBins Suid",
"description": "Emilio Pinna, Andrea Cardaci. (n.d.). GTFOBins. Retrieved January 28, 2022.",
"url": "https://gtfobins.github.io/#+suid"
},
{
"source_name": "OSX Keydnap malware",
"description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
"url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
},
{
"source_name": "setuid man page",
"description": "Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.",
"url": "http://man7.org/linux/man-pages/man2/setuid.2.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:52:13.675000+00:00\", \"old_value\": \"2025-10-24 17:48:53.456000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\\n\\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac Permissions](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\\n\\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \\\"shell escape\\\" or other actions to bypass an execution environment with restricted permissions.\\n\\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \\\"s\\\" instead of an \\\"x\\\" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)\", \"old_value\": \"An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\\n\\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\\n\\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \\\"shell escape\\\" or other actions to bypass an execution environment with restricted permissions.\\n\\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \\\"s\\\" instead of an \\\"x\\\" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\\n \\n-Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\\n+Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac Permissions](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\\n \\n Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \\\"shell escape\\\" or other actions to bypass an execution environment with restricted permissions.\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary may abuse configurations where an application h | t | 1 | An adversary may abuse configurations where an application h |
| > | as the setuid or setgid bits set in order to get code runnin | > | as the setuid or setgid bits set in order to get code runnin | ||
| > | g in a different (and possibly more privileged) user\u2019s conte | > | g in a different (and possibly more privileged) user\u2019s conte | ||
| > | xt. On Linux or macOS, when the setuid or setgid bits are se | > | xt. On Linux or macOS, when the setuid or setgid bits are se | ||
| > | t for an application binary, the application will run with t | > | t for an application binary, the application will run with t | ||
| > | he privileges of the owning user or group respectively.(Cita | > | he privileges of the owning user or group respectively.(Cita | ||
| > | tion: setuid man page) Normally an application is run in the | > | tion: setuid man page) Normally an application is run in the | ||
| > | current user\u2019s context, regardless of which user or group o | > | current user\u2019s context, regardless of which user or group o | ||
| > | wns the application. However, there are instances where prog | > | wns the application. However, there are instances where prog | ||
| > | rams need to be executed in an elevated context to function | > | rams need to be executed in an elevated context to function | ||
| > | properly, but the user running them may not have the specifi | > | properly, but the user running them may not have the specifi | ||
| > | c required privileges. Instead of creating an entry in the | > | c required privileges. Instead of creating an entry in the | ||
| > | sudoers file, which must be done by root, any user can speci | > | sudoers file, which must be done by root, any user can speci | ||
| > | fy the setuid or setgid flag to be set for their own applica | > | fy the setuid or setgid flag to be set for their own applica | ||
| > | tions (i.e. [Linux and Mac File and Directory Permissions Mo | > | tions (i.e. [Linux and Mac Permissions](https://attack.mitre | ||
| > | dification](https://attack.mitre.org/techniques/T1222/002)). | > | .org/techniques/T1222/002)). The <code>chmod</code> command | ||
| > | The <code>chmod</code> command can set these bits with bitm | > | can set these bits with bitmasking, <code>chmod 4777 [file]< | ||
| > | asking, <code>chmod 4777 [file]</code> or via shorthand nami | > | /code> or via shorthand naming, <code>chmod u+s [file]</code | ||
| > | ng, <code>chmod u+s [file]</code>. This will enable the setu | > | >. This will enable the setuid bit. To enable the setgid bit | ||
| > | id bit. To enable the setgid bit, <code>chmod 2775</code> an | > | , <code>chmod 2775</code> and <code>chmod g+s</code> can be | ||
| > | d <code>chmod g+s</code> can be used. Adversaries can use t | > | used. Adversaries can use this mechanism on their own malwa | ||
| > | his mechanism on their own malware to make sure they're able | > | re to make sure they're able to execute in elevated contexts | ||
| > | to execute in elevated contexts in the future.(Citation: OS | > | in the future.(Citation: OSX Keydnap malware) This abuse is | ||
| > | X Keydnap malware) This abuse is often part of a \"shell esca | > | often part of a \"shell escape\" or other actions to bypass a | ||
| > | pe\" or other actions to bypass an execution environment with | > | n execution environment with restricted permissions. Altern | ||
| > | restricted permissions. Alternatively, adversaries may cho | > | atively, adversaries may choose to find and target vulnerabl | ||
| > | ose to find and target vulnerable binaries with the setuid o | > | e binaries with the setuid or setgid bits already enabled (i | ||
| > | r setgid bits already enabled (i.e. [File and Directory Disc | > | .e. [File and Directory Discovery](https://attack.mitre.org/ | ||
| > | overy](https://attack.mitre.org/techniques/T1083)). The setu | > | techniques/T1083)). The setuid and setguid bits are indicate | ||
| > | id and setguid bits are indicated with an \"s\" instead of an | > | d with an \"s\" instead of an \"x\" when viewing a file's attrib | ||
| > | \"x\" when viewing a file's attributes via <code>ls -l</code>. | > | utes via <code>ls -l</code>. The <code>find</code> command c | ||
| > | The <code>find</code> command can also be used to search fo | > | an also be used to search for such files. For example, <code | ||
| > | r such files. For example, <code>find / -perm +4000 2>/dev/n | > | >find / -perm +4000 2>/dev/null</code> can be used to find f | ||
| > | ull</code> can be used to find files with setuid set and <co | > | iles with setuid set and <code>find / -perm +2000 2>/dev/nul | ||
| > | de>find / -perm +2000 2>/dev/null</code> may be used for set | > | l</code> may be used for setgid. Binaries that have these bi | ||
| > | gid. Binaries that have these bits set may then be abused by | > | ts set may then be abused by adversaries.(Citation: GTFOBins | ||
| > | adversaries.(Citation: GTFOBins Suid) | > | Suid) |
sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/003",
"external_id": "T1548.003"
},
{
"source_name": "cybereason osx proton",
"description": "Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018.",
"url": "https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does"
},
{
"source_name": "OSX.Dok Malware",
"description": "Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/"
},
{
"source_name": "sudo man page 2018",
"description": "Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.",
"url": "https://www.sudo.ws/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:52:35.310000+00:00\", \"old_value\": \"2025-10-24 17:48:26.105000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management",
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0052: Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e8a0a025-3601-4755-abfb-8d08283329fb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-03-21 21:10:57.322000+00:00",
"modified": "2026-04-15 19:52:55.058000+00:00",
"name": "TCC Manipulation",
"description": "Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).\n\nWhen an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)\n\nAdversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)\n\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/006",
"external_id": "T1548.006"
},
{
"source_name": "welivesecurity TCC",
"description": "Marc-Etienne M.L\u00e9veill\u00e9. (2022, July 19). I see what you did there: A look at the CloudMensis macOS spyware. Retrieved March 21, 2024.",
"url": "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/"
},
{
"source_name": "TCC Database",
"description": "Marina Liang. (2024, April 23). Return of the mac(OS): Transparency, Consent, and Control (TCC) Database Manipulation. Retrieved March 28, 2024.",
"url": "https://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/"
},
{
"source_name": "TCC macOS bypass",
"description": "Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy Protections By Accident and Design. Retrieved March 21, 2024.",
"url": "https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Marina Liang",
"Wojciech Regu\u0142a @_r3ggi",
"Csaba Fitzl @theevilbit of Kandji"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:52:55.058000+00:00\", \"old_value\": \"2025-04-15 23:14:58.393000+00:00\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\", \"old_value\": \"https://interpressecurity.com/resources/return-of-the-macos-tcc/\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][0]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0534: TCC Database Manipulation via Launchctl and Unprotected SIP"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--6fa224c7-5091-4595-bf15-3fc9fe2f2c7c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-07-10 16:37:15.672000+00:00",
"modified": "2026-04-15 19:53:18.398000+00:00",
"name": "Temporary Elevated Cloud Access",
"description": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. \n\nJust-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Azure Just in Time Access 2023)\n\nAccount impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account, while service accounts with domain-wide delegation permission are permitted to impersonate Google Workspace accounts.(Citation: Google Cloud Service Account Authentication Roles)(Citation: Hunters Domain Wide Delegation Google Workspace 2023)(Citation: Google Cloud Just in Time Access 2023)(Citation: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) \n\nMany cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)\n\nWhile users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/005",
"external_id": "T1548.005"
},
{
"source_name": "AWS PassRole",
"description": "AWS. (n.d.). Granting a user permissions to pass a role to an AWS service. Retrieved July 10, 2023.",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html"
},
{
"source_name": "CrowdStrike StellarParticle January 2022",
"description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.",
"url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
},
{
"source_name": "Google Cloud Just in Time Access 2023",
"description": "Google Cloud. (n.d.). Manage just-in-time privileged access to projects. Retrieved September 21, 2023.",
"url": "https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project"
},
{
"source_name": "Google Cloud Service Account Authentication Roles",
"description": "Google Cloud. (n.d.). Roles for service account authentication. Retrieved July 10, 2023.",
"url": "https://cloud.google.com/iam/docs/service-account-permissions"
},
{
"source_name": "Microsoft Impersonation and EWS in Exchange",
"description": "Microsoft. (2022, September 13). Impersonation and EWS in Exchange. Retrieved July 10, 2023.",
"url": "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange"
},
{
"source_name": "Azure Just in Time Access 2023",
"description": "Microsoft. (2023, August 29). Configure and approve just-in-time access for Azure Managed Applications. Retrieved September 21, 2023.",
"url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access"
},
{
"source_name": "Rhino Security Labs AWS Privilege Escalation",
"description": "Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation \u2013 Methods and Mitigation. Retrieved May 27, 2022.",
"url": "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/"
},
{
"source_name": "Rhino Google Cloud Privilege Escalation",
"description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform \u2013 Part 1 (IAM). Retrieved September 21, 2023.",
"url": "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/"
},
{
"source_name": "Hunters Domain Wide Delegation Google Workspace 2023",
"description": "Yonatan Khanashvilli. (2023, November 28). DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover. Retrieved January 16, 2024.",
"url": "https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover"
},
{
"source_name": "Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023",
"description": "Zohar Zigdon. (2023, November 30). Exploring a Critical Risk in Google Workspace's Domain-Wide Delegation Feature. Retrieved January 16, 2024.",
"url": "https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arad Inbar, Fidelis Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Office Suite",
"Identity Provider"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:53:18.398000+00:00\", \"old_value\": \"2025-04-15 23:15:17.608000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0393: Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14 16:46:06.044000+00:00",
"modified": "2026-04-15 19:53:44.334000+00:00",
"name": "Access Token Manipulation",
"description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134",
"external_id": "T1134"
},
{
"source_name": "Pentestlab Token Manipulation",
"description": "netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.",
"url": "https://pentestlab.blog/2017/04/03/token-manipulation/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Tom Ueltschi @c_APT_ure",
"Travis Smith, Tripwire",
"Robby Winchester, @robwinchester3",
"Jared Atkinson, @jaredcatkinson"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:53:44.334000+00:00\", \"old_value\": \"2025-10-24 17:49:29.051000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"BlackHat Atkinson Winchester Token Manipulation\", \"description\": \"Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.\", \"url\": \"https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf\"}, \"root['external_references'][2]\": {\"source_name\": \"Microsoft Command-line Logging\", \"description\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\", \"url\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}, \"root['external_references'][3]\": {\"source_name\": \"Microsoft LogonUser\", \"description\": \"Microsoft TechNet. (n.d.). Retrieved April 25, 2017.\", \"url\": \"https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx\"}, \"root['external_references'][4]\": {\"source_name\": \"Microsoft DuplicateTokenEx\", \"description\": \"Microsoft TechNet. (n.d.). Retrieved April 25, 2017.\", \"url\": \"https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx\"}, \"root['external_references'][5]\": {\"source_name\": \"Microsoft ImpersonateLoggedOnUser\", \"description\": \"Microsoft TechNet. (n.d.). Retrieved April 25, 2017.\", \"url\": \"https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx\"}}}",
"previous_version": "2.1",
"version_change": "2.1 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0283: Behavior-chain detection for T1134 Access Token Manipulation on Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 16:48:56.582000+00:00",
"modified": "2026-04-15 19:55:37.484000+00:00",
"name": "Create Process with Token",
"description": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.\n\nWhile this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/002",
"external_id": "T1134.002"
},
{
"source_name": "Microsoft RunAs",
"description": "Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.",
"url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jonny Johnson",
"Vadim Khrykov"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:55:37.484000+00:00\", \"old_value\": \"2025-10-24 17:48:53.370000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Microsoft Command-line Logging\", \"description\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\", \"url\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}}}",
"previous_version": "1.3",
"version_change": "1.3 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0456: Behavior-chain detection for T1134.002 Create Process with Token (Windows)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 18:03:37.481000+00:00",
"modified": "2026-04-15 19:56:16.233000+00:00",
"name": "Make and Impersonate Token",
"description": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.\n\nThis behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/003",
"external_id": "T1134.003"
},
{
"source_name": "LogonUserW function",
"description": "Microsoft. (2023, March 10). LogonUserW function (winbase.h). Retrieved January 8, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jonny Johnson"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:56:16.233000+00:00\", \"old_value\": \"2025-10-24 17:49:05.200000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Microsoft Command-line Logging\", \"description\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\", \"url\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0498: Behavior\u2011chain detection for T1134.003 Make and Impersonate Token (Windows)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 18:22:41.448000+00:00",
"modified": "2026-04-15 19:54:42.976000+00:00",
"name": "Parent PID Spoofing",
"description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/004",
"external_id": "T1134.004"
},
{
"source_name": "XPNSec PPID Nov 2017",
"description": "Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.",
"url": "https://blog.xpnsec.com/becoming-system/"
},
{
"source_name": "CounterCept PPID Spoofing Dec 2018",
"description": "Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.",
"url": "https://web.archive.org/web/20200726110643/https://blog.f-secure.com/detecting-parent-pid-spoofing/"
},
{
"source_name": "Microsoft UAC Nov 2018",
"description": "Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.",
"url": "https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works"
},
{
"source_name": "DidierStevens SelectMyParent Nov 2009",
"description": "Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.",
"url": "https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/"
},
{
"source_name": "CTD PPID Spoofing Macro Mar 2019",
"description": "Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.",
"url": "https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Wayne Silva, F-Secure Countercept"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:54:42.976000+00:00\", \"old_value\": \"2025-10-24 17:49:06.759000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://web.archive.org/web/20200726110643/https://blog.f-secure.com/detecting-parent-pid-spoofing/\", \"old_value\": \"https://www.countercept.com/blog/detecting-parent-pid-spoofing/\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['external_references'][4]\": {\"source_name\": \"Microsoft Process Creation Flags May 2018\", \"description\": \"Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.\", \"url\": \"https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags\"}, \"root['external_references'][5]\": {\"source_name\": \"Secuirtyinbits Ataware3 May 2019\", \"description\": \"Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.\", \"url\": \"https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0489: Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 18:34:49.414000+00:00",
"modified": "2026-04-15 19:55:14.114000+00:00",
"name": "SID-History Injection",
"description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\n\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/005",
"external_id": "T1134.005"
},
{
"source_name": "Microsoft Well Known SIDs Jun 2017",
"description": "Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.",
"url": "https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems"
},
{
"source_name": "Microsoft SID-History Attribute",
"description": "Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.",
"url": "https://msdn.microsoft.com/library/ms679833.aspx"
},
{
"source_name": "Microsoft SID",
"description": "Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.",
"url": "https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Alain Homewood, Insomnia Security",
"Vincent Le Toux"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:55:14.114000+00:00\", \"old_value\": \"2025-10-24 17:49:16.316000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['external_references'][4]\": {\"source_name\": \"Microsoft Get-ADUser\", \"description\": \"Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.\", \"url\": \"https://technet.microsoft.com/library/ee617241.aspx\"}, \"root['external_references'][5]\": {\"source_name\": \"AdSecurity SID History Sept 2015\", \"description\": \"Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.\", \"url\": \"https://adsecurity.org/?p=1772\"}, \"root['external_references'][6]\": {\"source_name\": \"Microsoft DsAddSidHistory\", \"description\": \"Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.\", \"url\": \"https://msdn.microsoft.com/library/ms677982.aspx\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1015: Active Directory Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0136: Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 16:39:06.289000+00:00",
"modified": "2026-04-15 19:54:20.663000+00:00",
"name": "Token Impersonation/Theft",
"description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/001",
"external_id": "T1134.001"
},
{
"source_name": "DuplicateToken function",
"description": "Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h). Retrieved January 8, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jonny Johnson"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:54:20.663000+00:00\", \"old_value\": \"2025-10-24 17:49:04.117000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Microsoft Command-line Logging\", \"description\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\", \"url\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}}}",
"previous_version": "1.3",
"version_change": "1.3 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0482: Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:08:51.677000+00:00",
"modified": "2026-02-03 16:53:09.295000+00:00",
"name": "Name Resolution Poisoning and SMB Relay",
"description": "By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.(Citation: BlackCat ransomware) This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\n\nMulticast Domain Name System(mDNS) is a zero-configuration service used to resolve hostnames to IP addresses with \u201c.local\u201d as a top-level domain. MDNS is based upon Domain Name System (DNS) format and allows hosts on the same network segment to perform name resolution for other hosts, using multicast.(Citation: mDNS RFC)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\n\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various other protocols, such as LDAP, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\u00a0\n\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1557/001",
"external_id": "T1557.001"
},
{
"source_name": "Rapid7 LLMNR Spoofer",
"description": "Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017.",
"url": "https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response"
},
{
"source_name": "GitHub Responder",
"description": "Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.",
"url": "https://github.com/SpiderLabs/Responder"
},
{
"source_name": "Secure Ideas SMB Relay",
"description": "Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019.",
"url": "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html"
},
{
"source_name": "BlackCat ransomware",
"description": "Lucas Silva, Leandro Froes. (2022, April 18). An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Retrieved February 2, 2026.",
"url": "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html"
},
{
"source_name": "TechNet NetBIOS",
"description": "Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017.",
"url": "https://technet.microsoft.com/library/cc958811.aspx"
},
{
"source_name": "GitHub NBNSpoof",
"description": "Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017.",
"url": "https://github.com/nomex/nbnspoof"
},
{
"source_name": "mDNS RFC",
"description": "S. Cheshire, M. Krochmal. (2013, February). Multicast DNS. Retrieved February 2, 2026.",
"url": "https://datatracker.ietf.org/doc/html/rfc6762"
},
{
"source_name": "byt3bl33d3r NTLM Relaying",
"description": "Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019.",
"url": "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html"
},
{
"source_name": "Wikipedia LLMNR",
"description": "Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. Retrieved November 17, 2017.",
"url": "https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Eric Kuehn, Secure Ideas",
"Matthew Demaske, Adaptforward",
"Andrew Allen, @whitehat_zero",
"Arad Inbar"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-02-03 16:53:09.295000+00:00\", \"old_value\": \"2025-10-24 17:48:52.462000+00:00\"}, \"root['name']\": {\"new_value\": \"Name Resolution Poisoning and SMB Relay\", \"old_value\": \"LLMNR/NBT-NS Poisoning and SMB Relay\"}, \"root['description']\": {\"new_value\": \"By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.(Citation: BlackCat ransomware) This activity may be used to collect or relay authentication materials. \\n\\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\\n\\nMulticast Domain Name System(mDNS) is a zero-configuration service used to resolve hostnames to IP addresses with \\u201c.local\\u201d as a top-level domain. MDNS is based upon Domain Name System (DNS) format and allows hosts on the same network segment to perform name resolution for other hosts, using multicast.(Citation: mDNS RFC)\\n\\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\\n\\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various other protocols, such as LDAP, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\\u00a0\\n\\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)\", \"old_value\": \"By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \\n\\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\\n\\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\\n\\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\\u00a0\\n\\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)\", \"diff\": \"--- \\n+++ \\n@@ -1,9 +1,11 @@\\n-By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \\n+By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.(Citation: BlackCat ransomware) This activity may be used to collect or relay authentication materials. \\n \\n-Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\\n+Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\\n \\n-Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\\n+Multicast Domain Name System(mDNS) is a zero-configuration service used to resolve hostnames to IP addresses with \\u201c.local\\u201d as a top-level domain. MDNS is based upon Domain Name System (DNS) format and allows hosts on the same network segment to perform name resolution for other hosts, using multicast.(Citation: mDNS RFC)\\n \\n-In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\\u00a0\\n+Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\\n+\\n+In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various other protocols, such as LDAP, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\\u00a0\\n \\n Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"mDNS RFC\", \"old_value\": \"GitHub Conveigh\", \"new_path\": \"root['external_references'][7]['source_name']\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"S. Cheshire, M. Krochmal. (2013, February). Multicast DNS. Retrieved February 2, 2026.\", \"old_value\": \"Robertson, K. (2016, August 28). Conveigh. Retrieved November 17, 2017.\", \"new_path\": \"root['external_references'][7]['description']\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://datatracker.ietf.org/doc/html/rfc6762\", \"old_value\": \"https://github.com/Kevin-Robertson/Conveigh\", \"new_path\": \"root['external_references'][7]['url']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"BlackCat ransomware\", \"description\": \"Lucas Silva, Leandro Froes. (2022, April 18). An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Retrieved February 2, 2026.\", \"url\": \"https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html\"}, \"root['x_mitre_contributors'][3]\": \"Arad Inbar\"}, \"iterable_item_removed\": {\"root['external_references'][8]\": {\"source_name\": \"Sternsecurity LLMNR-NBTNS\", \"description\": \"Sternstein, J. (2013, November). Local Network Attacks: LLMNR and NBT-NS Poisoning. Retrieved November 17, 2017.\", \"url\": \"https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning\"}}}",
"previous_version": "1.4",
"version_change": "1.4 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | By responding to LLMNR/NBT-NS network traffic, adversaries m | t | 1 | By responding to LLMNR/NBT-NS/mDNS network traffic, adversar |
| > | ay spoof an authoritative source for name resolution to forc | > | ies may spoof an authoritative source for name resolution to | ||
| > | e communication with an adversary controlled system. This ac | > | force communication with an adversary controlled system.(Ci | ||
| > | tivity may be used to collect or relay authentication materi | > | tation: BlackCat ransomware) This activity may be used to co | ||
| > | als. Link-Local Multicast Name Resolution (LLMNR) and NetB | > | llect or relay authentication materials. Link-Local Multic | ||
| > | IOS Name Service (NBT-NS) are Microsoft Windows components t | > | ast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS | ||
| > | hat serve as alternate methods of host identification. LLMNR | > | ) are Microsoft Windows components that serve as alternate m | ||
| > | is based upon the Domain Name System (DNS) format and allow | > | ethods of host identification. LLMNR is based upon the Domai | ||
| > | s hosts on the same local link to perform name resolution fo | > | n Name System (DNS) format and allows hosts on the same loca | ||
| > | r other hosts. NBT-NS identifies systems on a local network | > | l link to perform name resolution for other hosts. NBT-NS id | ||
| > | by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: | > | entifies systems on a local network by their NetBIOS name.(C | ||
| > | TechNet NetBIOS) Adversaries can spoof an authoritative so | > | itation: Wikipedia LLMNR)(Citation: TechNet NetBIOS) Multic | ||
| > | urce for name resolution on a victim network by responding t | > | ast Domain Name System(mDNS) is a zero-configuration service | ||
| > | o LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know | > | used to resolve hostnames to IP addresses with \u201c.local\u201d as | ||
| > | the identity of the requested host, effectively poisoning th | > | a top-level domain. MDNS is based upon Domain Name System (D | ||
| > | e service so that the victims will communicate with the adve | > | NS) format and allows hosts on the same network segment to p | ||
| > | rsary controlled system. If the requested host belongs to a | > | erform name resolution for other hosts, using multicast.(Cit | ||
| > | resource that requires identification/authentication, the us | > | ation: mDNS RFC) Adversaries can spoof an authoritative sou | ||
| > | ername and NTLMv2 hash will then be sent to the adversary co | > | rce for name resolution on a victim network by responding to | ||
| > | ntrolled system. The adversary can then collect the hash inf | > | LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic a | ||
| > | ormation sent over the wire through tools that monitor the p | > | s if they know the identity of the requested host, effective | ||
| > | orts for traffic or through [Network Sniffing](https://attac | > | ly poisoning the service so that the victims will communicat | ||
| > | k.mitre.org/techniques/T1040) and crack the hashes offline t | > | e with the adversary controlled system. If the requested hos | ||
| > | hrough [Brute Force](https://attack.mitre.org/techniques/T11 | > | t belongs to a resource that requires identification/authent | ||
| > | 10) to obtain the plaintext passwords. In some cases where | > | ication, the username and NTLMv2 hash will then be sent to t | ||
| > | an adversary has access to a system that is in the authentic | > | he adversary controlled system. The adversary can then colle | ||
| > | ation path between systems or when automated scans that use | > | ct the hash information sent over the wire through tools tha | ||
| > | credentials attempt to authenticate to an adversary controll | > | t monitor the ports for traffic or through [Network Sniffing | ||
| > | ed system, the NTLMv1/v2 hashes can be intercepted and relay | > | ](https://attack.mitre.org/techniques/T1040) and crack the h | ||
| > | ed to access and execute code against a target system. The r | > | ashes offline through [Brute Force](https://attack.mitre.org | ||
| > | elay step can happen in conjunction with poisoning but may a | > | /techniques/T1110) to obtain the plaintext passwords. In so | ||
| > | lso be independent of it.(Citation: byt3bl33d3r NTLM Relayin | > | me cases where an adversary has access to a system that is i | ||
| > | g)(Citation: Secure Ideas SMB Relay) Additionally, adversari | > | n the authentication path between systems or when automated | ||
| > | es may encapsulate the NTLMv1/v2 hashes into various protoco | > | scans that use credentials attempt to authenticate to an adv | ||
| > | ls, such as LDAP, SMB, MSSQL and HTTP, to expand and use mul | > | ersary controlled system, the NTLMv1/v2 hashes can be interc | ||
| > | tiple services with the valid NTLM response.\u00a0 Several tools | > | epted and relayed to access and execute code against a targe | ||
| > | may be used to poison name services within local networks s | > | t system. The relay step can happen in conjunction with pois | ||
| > | uch as NBNSpoof, Metasploit, and [Responder](https://attack. | > | oning but may also be independent of it.(Citation: byt3bl33d | ||
| > | mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citati | > | 3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Addition | ||
| > | on: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder) | > | ally, adversaries may encapsulate the NTLMv1/v2 hashes into | ||
| > | various other protocols, such as LDAP, MSSQL and HTTP, to ex | ||||
| > | pand and use multiple services with the valid NTLM response. | ||||
| > | \u00a0 Several tools may be used to poison name services within | ||||
| > | local networks such as NBNSpoof, Metasploit, and [Responder] | ||||
| > | (https://attack.mitre.org/software/S0174).(Citation: GitHub | ||||
| > | NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub R | ||||
| > | esponder) |
build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1612",
"external_id": "T1612"
},
{
"source_name": "Aqua Build Images on Hosts",
"description": "Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.",
"url": "https://blog.aquasec.com/malicious-container-image-docker-container-host"
},
{
"source_name": "Docker Build Image",
"description": "Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021.",
"url": "https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild"
},
{
"source_name": "Aqua Security Cloud Native Threat Report June 2021",
"description": "Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. Retrieved August 26, 2021.",
"url": "https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security",
"Roi Kol, @roykol1, Team Nautilus Aqua Security",
"Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security",
"Vishwas Manral, McAfee"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:56:51.027000+00:00\", \"old_value\": \"2025-10-24 17:49:01.646000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}}",
"previous_version": "1.3",
"version_change": "1.3 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1030: Network Segmentation",
"M1035: Limit Access to Resource Over Network",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0459: Detection Strategy for Build Image on Host"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-04-01 17:59:46.156000+00:00",
"modified": "2026-04-15 19:57:49.208000+00:00",
"name": "Debugger Evasion",
"description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\n\nSpecific checks will vary based on the target and/or adversary. On Windows, this may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). On Linux, this may involve querying `/proc/self/status` for the `TracerPID` field, which indicates whether or not the process is being traced by dynamic analysis tools.(Citation: Cado Security P2PInfect 2023)(Citation: Positive Technologies Hellhounds 2023) Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \u201cswallow\u201d or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nMalware may also leverage Structured Exception Handling (SEH) to detect debuggers by throwing an exception and detecting whether the process is suspended. SEH handles both hardware and software expectations, providing control over the exceptions including support for debugging. If a debugger is present, the program\u2019s control will be transferred to the debugger, and the execution of the code will be suspended. If the debugger is not present, control will be transferred to the SEH handler, which will automatically handle the exception and allow the program\u2019s execution to continue.(Citation: Apriorit)\n\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1622",
"external_id": "T1622"
},
{
"source_name": "Apriorit",
"description": "Apriorit. (2024, June 4). Anti Debugging Protection Techniques with Examples. Retrieved March 4, 2025.",
"url": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software"
},
{
"source_name": "Checkpoint Dridex Jan 2021",
"description": "Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.",
"url": "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/"
},
{
"source_name": "hasherezade debug",
"description": "hasherezade. (2021, June 30). Module 3 - Understanding and countering malware's evasion and self-defence. Retrieved April 1, 2022.",
"url": "https://github.com/hasherezade/malware_training_vol1/blob/main/slides/module3/Module3_2_fingerprinting.pdf"
},
{
"source_name": "Cado Security P2PInfect 2023",
"description": "jbowen. (2023, December 4). P2Pinfect - New Variant Targets MIPS Devices. Retrieved March 18, 2025.",
"url": "https://www.cadosecurity.com/blog/p2pinfect-new-variant-targets-mips-devices"
},
{
"source_name": "AlKhaser Debug",
"description": "Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.",
"url": "https://github.com/LordNoteworthy/al-khaser/tree/master/al-khaser/AntiDebug"
},
{
"source_name": "wardle evilquest partii",
"description": "Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.",
"url": "https://objective-see.com/blog/blog_0x60.html"
},
{
"source_name": "ProcessHacker Github",
"description": "ProcessHacker. (2009, October 27). Process Hacker. Retrieved April 11, 2022.",
"url": "https://github.com/processhacker/processhacker"
},
{
"source_name": "Positive Technologies Hellhounds 2023",
"description": "PT Expert Security Center. (2023, November 29). Hellhounds: operation Lahat. Retrieved March 18, 2025.",
"url": "https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat"
},
{
"source_name": "vxunderground debug",
"description": "vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.",
"url": "https://web.archive.org/web/20250904153443/https://github.com/vxunderground/VX-API/tree/main#anti-debug"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Joas Antonio dos Santos, @C0d3Cr4zy",
"TruKno"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:57:49.208000+00:00\", \"old_value\": \"2025-10-24 17:49:32.196000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][9]['url']\": {\"new_value\": \"https://web.archive.org/web/20250904153443/https://github.com/vxunderground/VX-API/tree/main#anti-debug\", \"old_value\": \"https://github.com/vxunderground/VX-API/tree/main/Anti%20Debug\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0371: Detection Strategy for Debugger Evasion (T1622)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a1df809c-7d0e-459f-8fe5-25474bab770b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-09-24 18:03:15.021000+00:00",
"modified": "2026-04-15 19:57:37.301000+00:00",
"name": "Delay Execution",
"description": "Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems. \n\nAdversaries may utilize programmatic `sleep` commands or native system scheduling functionality, for example [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053). Benign commands or other operations may also be used to delay malware execution or ensure prior commands have had time to execute properly. Loops or otherwise needless repetitions of commands, such as `ping`, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1678",
"external_id": "T1678"
},
{
"source_name": "Joe Sec Nymaim",
"description": "Joe Security. (2016, April 21). Nymaim - evading Sandboxes with API hammering. Retrieved September 30, 2021.",
"url": "https://www.joesecurity.org/blog/3660886847485093803"
},
{
"source_name": "Joe Sec Trickbot",
"description": "Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.",
"url": "https://www.joesecurity.org/blog/498839998833561473"
},
{
"source_name": "Revil Independence Day",
"description": "Loman, M. et al. (2021, July 4). Independence Day: REvil uses supply chain exploit to attack hundreds of businesses. Retrieved September 30, 2021.",
"url": "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
},
{
"source_name": "Netskope Nitol",
"description": "Malik, A. (2016, October 14). Nitol Botnet makes a resurgence with evasive sandbox analysis technique. Retrieved September 30, 2021.",
"url": "https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Deloitte Threat Library Team",
"Jeff Felling, Red Canary",
"Jorge Orchilles, SCYTHE",
"Ruben Dodge, @shotgunner101"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:57:37.301000+00:00\", \"old_value\": \"2025-10-21 23:58:09.956000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0372: Multi-Platform Detection Strategy for T1678 - Delay Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14 16:46:06.044000+00:00",
"modified": "2026-04-15 19:58:25.069000+00:00",
"name": "Deobfuscate/Decode Files or Information",
"description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1140",
"external_id": "T1140"
},
{
"source_name": "Volexity PowerDuke November 2016",
"description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.",
"url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
},
{
"source_name": "Sentinel One Tainted Love 2023",
"description": "Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen. (2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in New Attacks. Retrieved March 18, 2025.",
"url": "https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/"
},
{
"source_name": "Malwarebytes Targeted Attack against Saudi Arabia",
"description": "Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.",
"url": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/"
},
{
"source_name": "Carbon Black Obfuscation Sept 2016",
"description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.",
"url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Crist\u00f3bal Mart\u00ednez Mart\u00edn",
"Matthew Demaske, Adaptforward",
"Red Canary"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:58:25.069000+00:00\", \"old_value\": \"2025-10-24 17:48:40.925000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}}",
"previous_version": "1.4",
"version_change": "1.4 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0275: Detect Adversary Deobfuscation or Decoding of Files and Payloads"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-03-29 16:51:26.020000+00:00",
"modified": "2026-04-15 19:59:11.024000+00:00",
"name": "Deploy Container",
"description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\n\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Container)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1610",
"external_id": "T1610"
},
{
"source_name": "AppSecco Kubernetes Namespace Breakout 2020",
"description": "Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout using Insecure Host Path Volume \u2014 Part 1. Retrieved January 16, 2024.",
"url": "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216"
},
{
"source_name": "Aqua Build Images on Hosts",
"description": "Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.",
"url": "https://blog.aquasec.com/malicious-container-image-docker-container-host"
},
{
"source_name": "Docker Container",
"description": "DockerDocs. (n.d.). Retrieved December 8, 2025.",
"url": "https://docs.docker.com/reference/cli/docker/container/create/"
},
{
"source_name": "Kubernetes Workload Management",
"description": "Kubernetes. (n.d.). Workload Management. Retrieved March 28, 2024.",
"url": "https://kubernetes.io/docs/concepts/workloads/controllers/"
},
{
"source_name": "Kubeflow Pipelines",
"description": "The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. Retrieved March 29, 2021.",
"url": "https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/"
},
{
"source_name": "Kubernetes Dashboard",
"description": "The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021.",
"url": "https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Alfredo Oliveira, Trend Micro",
"Ariel Shuper, Cisco",
"Center for Threat-Informed Defense (CTID)",
"Idan Frimark, Cisco",
"Joas Antonio dos Santos, @C0d3Cr4zy",
"Magno Logan, @magnologan, Trend Micro",
"Pawan Kinger, @kingerpawan, Trend Micro",
"Vishwas Manral, McAfee",
"Yossi Weizman, Azure Defender Research Team"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:59:11.024000+00:00\", \"old_value\": \"2025-10-24 17:48:49.017000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\\n\\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Container)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)\", \"old_value\": \"Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\\n\\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\\n \\n-Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)\\n+Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Container)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Docker Container\", \"old_value\": \"Docker Containers API\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"DockerDocs. (n.d.). Retrieved December 8, 2025.\", \"old_value\": \"Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://docs.docker.com/reference/cli/docker/container/create/\", \"old_value\": \"https://docs.docker.com/engine/api/v1.41/#tag/Container\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][0]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.4",
"version_change": "1.4 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may deploy a container into an environment to fa | t | 1 | Adversaries may deploy a container into an environment to fa |
| > | cilitate execution or evade defenses. In some cases, adversa | > | cilitate execution or evade defenses. In some cases, adversa | ||
| > | ries may deploy a new container to execute processes associa | > | ries may deploy a new container to execute processes associa | ||
| > | ted with a particular image or deployment, such as processes | > | ted with a particular image or deployment, such as processes | ||
| > | that execute or download malware. In others, an adversary m | > | that execute or download malware. In others, an adversary m | ||
| > | ay deploy a new container configured without network rules, | > | ay deploy a new container configured without network rules, | ||
| > | user limitations, etc. to bypass existing defenses within th | > | user limitations, etc. to bypass existing defenses within th | ||
| > | e environment. In Kubernetes environments, an adversary may | > | e environment. In Kubernetes environments, an adversary may | ||
| > | attempt to deploy a privileged or vulnerable container into | > | attempt to deploy a privileged or vulnerable container into | ||
| > | a specific node in order to [Escape to Host](https://attack. | > | a specific node in order to [Escape to Host](https://attack. | ||
| > | mitre.org/techniques/T1611) and access other containers runn | > | mitre.org/techniques/T1611) and access other containers runn | ||
| > | ing on the node. (Citation: AppSecco Kubernetes Namespace Br | > | ing on the node. (Citation: AppSecco Kubernetes Namespace Br | ||
| > | eakout 2020) Containers can be deployed by various means, s | > | eakout 2020) Containers can be deployed by various means, s | ||
| > | uch as via Docker's <code>create</code> and <code>start</cod | > | uch as via Docker's <code>create</code> and <code>start</cod | ||
| > | e> APIs or via a web application such as the Kubernetes dash | > | e> APIs or via a web application such as the Kubernetes dash | ||
| > | board or Kubeflow. (Citation: Docker Containers API)(Citatio | > | board or Kubeflow. (Citation: Docker Container)(Citation: Ku | ||
| > | n: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Ku | > | bernetes Dashboard)(Citation: Kubeflow Pipelines) In Kuberne | ||
| > | bernetes environments, containers may be deployed through wo | > | tes environments, containers may be deployed through workloa | ||
| > | rkloads such as ReplicaSets or DaemonSets, which can allow c | > | ds such as ReplicaSets or DaemonSets, which can allow contai | ||
| > | ontainers to be deployed across multiple nodes.(Citation: Ku | > | ners to be deployed across multiple nodes.(Citation: Kuberne | ||
| > | bernetes Workload Management) Adversaries may deploy contain | > | tes Workload Management) Adversaries may deploy containers b | ||
| > | ers based on retrieved or built malicious images or from ben | > | ased on retrieved or built malicious images or from benign i | ||
| > | ign images that download and execute malicious payloads at r | > | mages that download and execute malicious payloads at runtim | ||
| > | untime.(Citation: Aqua Build Images on Hosts) | > | e.(Citation: Aqua Build Images on Hosts) |
New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1484/001",
"external_id": "T1484.001"
},
{
"source_name": "Mandiant M Trends 2016",
"description": "Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf"
},
{
"source_name": "ADSecurity GPO Persistence 2016",
"description": "Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.",
"url": "https://adsecurity.org/?p=2716"
},
{
"source_name": "Microsoft Hacking Team Breach",
"description": "Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019.",
"url": "https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/"
},
{
"source_name": "Wald0 Guide to GPOs",
"description": "Robbins, A. (2018, April 2). A Red Teamer\u2019s Guide to GPOs and OUs. Retrieved March 5, 2019.",
"url": "https://wald0.com/?p=179"
},
{
"source_name": "Harmj0y Abusing GPO Permissions",
"description": "Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024.",
"url": "https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/"
},
{
"source_name": "Harmj0y SeEnableDelegationPrivilege Right",
"description": "Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved September 23, 2024.",
"url": "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"
},
{
"source_name": "TechNet Group Policy Basics",
"description": "srachui. (2012, February 13). Group Policy Basics \u2013 Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.",
"url": "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Itamar Mizrahi, Cymptom",
"Tristan Bennett, Seamless Intelligence"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.883000+00:00\", \"old_value\": \"2025-10-24 17:48:50.475000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\\\MACHINE\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\", \"old_value\": \"Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\\\MACHINE\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\", \"diff\": \"--- \\n+++ \\n@@ -2,6 +2,6 @@\\n \\n Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\\n \\n-Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\\n+Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\\n \\n For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\\\MACHINE\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may modify Group Policy Objects (GPOs) to subver | t | 1 | Adversaries may modify Group Policy Objects (GPOs) to subver |
| > | t the intended discretionary access controls for a domain, u | > | t the intended discretionary access controls for a domain, u | ||
| > | sually with the intention of escalating privileges on the do | > | sually with the intention of escalating privileges on the do | ||
| > | main. Group policy allows for centralized management of user | > | main. Group policy allows for centralized management of user | ||
| > | and computer settings in Active Directory (AD). GPOs are co | > | and computer settings in Active Directory (AD). GPOs are co | ||
| > | ntainers for group policy settings made up of files stored w | > | ntainers for group policy settings made up of files stored w | ||
| > | ithin a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\ | > | ithin a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\ | ||
| > | Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: | > | Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: | ||
| > | ADSecurity GPO Persistence 2016) Like other objects in AD | > | ADSecurity GPO Persistence 2016) Like other objects in AD | ||
| > | , GPOs have access controls associated with them. By default | > | , GPOs have access controls associated with them. By default | ||
| > | all user accounts in the domain have permission to read GPO | > | all user accounts in the domain have permission to read GPO | ||
| > | s. It is possible to delegate GPO access control permissions | > | s. It is possible to delegate GPO access control permissions | ||
| > | , e.g. write access, to specific users or groups in the doma | > | , e.g. write access, to specific users or groups in the doma | ||
| > | in. Malicious GPO modifications can be used to implement ma | > | in. Malicious GPO modifications can be used to implement ma | ||
| > | ny other malicious behaviors such as [Scheduled Task/Job](ht | > | ny other malicious behaviors such as [Scheduled Task/Job](ht | ||
| > | tps://attack.mitre.org/techniques/T1053), [Disable or Modify | > | tps://attack.mitre.org/techniques/T1053), [Disable or Modify | ||
| > | Tools](https://attack.mitre.org/techniques/T1562/001), [Ing | > | Tools](https://attack.mitre.org/techniques/T1685), [Ingress | ||
| > | ress Tool Transfer](https://attack.mitre.org/techniques/T110 | > | Tool Transfer](https://attack.mitre.org/techniques/T1105), | ||
| > | 5), [Create Account](https://attack.mitre.org/techniques/T11 | > | [Create Account](https://attack.mitre.org/techniques/T1136), | ||
| > | 36), [Service Execution](https://attack.mitre.org/techniques | > | [Service Execution](https://attack.mitre.org/techniques/T15 | ||
| > | /T1569/002), and more.(Citation: ADSecurity GPO Persistence | > | 69/002), and more.(Citation: ADSecurity GPO Persistence 201 | ||
| > | 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abus | > | 6)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing | ||
| > | ing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citat | > | GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: | ||
| > | ion: Microsoft Hacking Team Breach) Since GPOs can control s | > | Microsoft Hacking Team Breach) Since GPOs can control so ma | ||
| > | o many user and machine settings in the AD environment, ther | > | ny user and machine settings in the AD environment, there ar | ||
| > | e are a great number of potential attacks that can stem from | > | e a great number of potential attacks that can stem from thi | ||
| > | this GPO abuse.(Citation: Wald0 Guide to GPOs) For example | > | s GPO abuse.(Citation: Wald0 Guide to GPOs) For example, pu | ||
| > | , publicly available scripts such as <code>New-GPOImmediateT | > | blicly available scripts such as <code>New-GPOImmediateTask< | ||
| > | ask</code> can be leveraged to automate the creation of a ma | > | /code> can be leveraged to automate the creation of a malici | ||
| > | licious [Scheduled Task/Job](https://attack.mitre.org/techni | > | ous [Scheduled Task/Job](https://attack.mitre.org/techniques | ||
| > | ques/T1053) by modifying GPO settings, in this case modifyin | > | /T1053) by modifying GPO settings, in this case modifying <c | ||
| > | g <code><GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ | > | ode><GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\Sche | ||
| > | ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Ci | > | duledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Citati | ||
| > | tation: Harmj0y Abusing GPO Permissions) In some cases an ad | > | on: Harmj0y Abusing GPO Permissions) In some cases an advers | ||
| > | versary might modify specific user rights like SeEnableDeleg | > | ary might modify specific user rights like SeEnableDelegatio | ||
| > | ationPrivilege, set in <code><GPO_PATH>\\MACHINE\\Micros | > | nPrivilege, set in <code><GPO_PATH>\\MACHINE\\Microsoft\\ | ||
| > | oft\\Windows NT\\SecEdit\\GptTmpl.inf</code>, to achieve a subt | > | Windows NT\\SecEdit\\GptTmpl.inf</code>, to achieve a subtle A | ||
| > | le AD backdoor with complete control of the domain because t | > | D backdoor with complete control of the domain because the u | ||
| > | he user account under the adversary's control would then be | > | ser account under the adversary's control would then be able | ||
| > | able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPri | > | to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivile | ||
| > | vilege Right) | > | ge Right) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may add new domain trusts, modify the properties | t | 1 | Adversaries may add new domain trusts, modify the properties |
| > | of existing domain trusts, or otherwise change the configur | > | of existing domain trusts, or otherwise change the configur | ||
| > | ation of trust relationships between domains and tenants to | > | ation of trust relationships between domains and tenants to | ||
| > | evade defenses and/or elevate privileges.Trust details, such | > | evade defenses and/or elevate privileges.Trust details, such | ||
| > | as whether or not user identities are federated, allow auth | > | as whether or not user identities are federated, allow auth | ||
| > | entication and authorization properties to apply between dom | > | entication and authorization properties to apply between dom | ||
| > | ains or tenants for the purpose of accessing shared resource | > | ains or tenants for the purpose of accessing shared resource | ||
| > | s.(Citation: Microsoft - Azure AD Federation) These trust ob | > | s.(Citation: Microsoft - Azure AD Federation) These trust ob | ||
| > | jects may include accounts, credentials, and other authentic | > | jects may include accounts, credentials, and other authentic | ||
| > | ation material applied to servers, tokens, and domains. Man | > | ation material applied to servers, tokens, and domains. Man | ||
| > | ipulating these trusts may allow an adversary to escalate pr | > | ipulating these trusts may allow an adversary to escalate pr | ||
| > | ivileges and/or evade defenses by modifying settings to add | > | ivileges and/or evade defenses by modifying settings to add | ||
| > | objects which they control. For example, in Microsoft Active | > | objects which they control. For example, in Microsoft Active | ||
| > | Directory (AD) environments, this may be used to forge [SAM | > | Directory (AD) environments, this may be used to forge [SAM | ||
| > | L Tokens](https://attack.mitre.org/techniques/T1606/002) wit | > | L Tokens](https://attack.mitre.org/techniques/T1606/002) wit | ||
| > | hout the need to compromise the signing certificate to forge | > | hout the need to compromise the signing certificate to forge | ||
| > | new credentials. Instead, an adversary can manipulate domai | > | new credentials. Instead, an adversary can manipulate domai | ||
| > | n trusts to add their own signing certificate. An adversary | > | n trusts to add their own signing certificate. An adversary | ||
| > | may also convert an AD domain to a federated domain using Ac | > | may also convert an AD domain to a federated domain using Ac | ||
| > | tive Directory Federation Services (AD FS), which may enable | > | tive Directory Federation Services (AD FS), which may enable | ||
| > | malicious trust modifications such as altering the claim is | > | malicious trust modifications such as altering the claim is | ||
| > | suance rules to log in any valid set of credentials as a spe | > | suance rules to log in any valid set of credentials as a spe | ||
| > | cified user.(Citation: AADInternals zure AD Federated Domain | > | cified user.(Citation: AADInternals zure AD Federated Domain | ||
| > | ) An adversary may also add a new federated identity provi | > | ) An adversary may also add a new federated identity provi | ||
| > | der to an identity tenant such as Okta or AWS IAM Identity C | > | der to an identity tenant such as Okta or AWS IAM Identity C | ||
| > | enter, which may enable the adversary to authenticate as any | > | enter, which may enable the adversary to authenticate as any | ||
| > | user of the tenant.(Citation: Okta Cross-Tenant Impersonati | > | user of the tenant.(Citation: Okta Cross-Tenant Impersonati | ||
| > | on 2023) This may enable the threat actor to gain broad acce | > | on 2023) This may enable the threat actor to gain broad acce | ||
| > | ss into a variety of cloud-based services that leverage the | > | ss into a variety of cloud-based services that leverage the | ||
| > | identity tenant. For example, in AWS environments, an advers | > | identity tenant. For example, in AWS environments, an advers | ||
| > | ary that creates a new identity provider for an AWS Organiza | > | ary that creates a new identity provider for an AWS Organiza | ||
| > | tion will be able to federate into all of the AWS Organizati | > | tion will be able to federate into all of the AWS Organizati | ||
| > | on member accounts without creating identities for each of t | > | on member accounts without creating identities for each of t | ||
| > | he member accounts.(Citation: AWS RE:Inforce Threat Detectio | > | he member accounts.(Citation: AWS re Inforce Trust Mod) | ||
| > | n 2024) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may environmentally key payloads or other featur | t | 1 | Adversaries may environmentally key payloads or other featur |
| > | es of malware to evade defenses and constraint execution to | > | es of malware to evade defenses and constraint execution to | ||
| > | a specific target environment. Environmental keying uses cry | > | a specific target environment. Environmental keying uses cry | ||
| > | ptography to constrain execution or actions based on adversa | > | ptography to constrain execution or actions based on adversa | ||
| > | ry supplied environment specific conditions that are expecte | > | ry supplied environment specific conditions that are expecte | ||
| > | d to be present on the target. Environmental keying is an im | > | d to be present on the target. Environmental keying is an im | ||
| > | plementation of [Execution Guardrails](https://attack.mitre. | > | plementation of [Execution Guardrails](https://attack.mitre. | ||
| > | org/techniques/T1480) that utilizes cryptographic techniques | > | org/techniques/T1480) that utilizes cryptographic techniques | ||
| > | for deriving encryption/decryption keys from specific types | > | for deriving encryption/decryption keys from specific types | ||
| > | of values in a given computing environment.(Citation: EK Cl | > | of values in a given computing environment.(Citation: EK Cl | ||
| > | ueless Agents) Values can be derived from target-specific e | > | ueless Agents) Values can be derived from target-specific e | ||
| > | lements and used to generate a decryption key for an encrypt | > | lements and used to generate a decryption key for an encrypt | ||
| > | ed payload. Target-specific values can be derived from speci | > | ed payload. Target-specific values can be derived from speci | ||
| > | fic network shares, physical devices, software/software vers | > | fic network shares, physical devices, software/software vers | ||
| > | ions, files, joined AD domains, system time, and local/exter | > | ions, files, joined AD domains, system time, and local/exter | ||
| > | nal IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Cita | > | nal IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Cita | ||
| > | tion: Proofpoint Router Malvertising)(Citation: EK Impeding | > | tion: Proofpoint Router Malvertising)(Citation: EK Impeding | ||
| > | Malware Analysis)(Citation: Environmental Keyed HTA)(Citatio | > | Malware Analysis)(Citation: Environmental Keyed HTA) By gene | ||
| > | n: Ebowla: Genetic Malware) By generating the decryption key | > | rating the decryption keys from target-specific environmenta | ||
| > | s from target-specific environmental values, environmental k | > | l values, environmental keying can make sandbox detection, a | ||
| > | eying can make sandbox detection, anti-virus detection, crow | > | nti-virus detection, crowdsourcing of information, and rever | ||
| > | dsourcing of information, and reverse engineering difficult. | > | se engineering difficult.(Citation: Kaspersky Gauss Whitepap | ||
| > | (Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Gen | > | er) These difficulties can slow down the incident response p | ||
| > | etic Malware) These difficulties can slow down the incident | > | rocess and help adversaries hide their tactics, techniques, | ||
| > | response process and help adversaries hide their tactics, te | > | and procedures (TTPs). Similar to [Obfuscated Files or Info | ||
| > | chniques, and procedures (TTPs). Similar to [Obfuscated Fil | > | rmation](https://attack.mitre.org/techniques/T1027), adversa | ||
| > | es or Information](https://attack.mitre.org/techniques/T1027 | > | ries may use environmental keying to help protect their TTPs | ||
| > | ), adversaries may use environmental keying to help protect | > | and evade detection. Environmental keying may be used to de | ||
| > | their TTPs and evade detection. Environmental keying may be | > | liver an encrypted payload to the target that will use targe | ||
| > | used to deliver an encrypted payload to the target that will | > | t-specific values to decrypt the payload before execution.(C | ||
| > | use target-specific values to decrypt the payload before ex | > | itation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding M | ||
| > | ecution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK | > | alware Analysis)(Citation: Environmental Keyed HTA)(Citation | ||
| > | Impeding Malware Analysis)(Citation: Environmental Keyed HTA | > | : Demiguise Guardrail Router Logo) By utilizing target-speci | ||
| > | )(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Gua | > | fic values to decrypt the payload the adversary can avoid pa | ||
| > | rdrail Router Logo) By utilizing target-specific values to d | > | ckaging the decryption key with the payload or sending it ov | ||
| > | ecrypt the payload the adversary can avoid packaging the dec | > | er a potentially monitored network connection. Depending on | ||
| > | ryption key with the payload or sending it over a potentiall | > | the technique for gathering target-specific values, reverse | ||
| > | y monitored network connection. Depending on the technique f | > | engineering of the encrypted payload can be exceptionally di | ||
| > | or gathering target-specific values, reverse engineering of | > | fficult.(Citation: Kaspersky Gauss Whitepaper) This can be u | ||
| > | the encrypted payload can be exceptionally difficult.(Citati | > | sed to prevent exposure of capabilities in environments that | ||
| > | on: Kaspersky Gauss Whitepaper) This can be used to prevent | > | are not intended to be compromised or operated within. Lik | ||
| > | exposure of capabilities in environments that are not intend | > | e other [Execution Guardrails](https://attack.mitre.org/tech | ||
| > | ed to be compromised or operated within. Like other [Execut | > | niques/T1480), environmental keying can be used to prevent e | ||
| > | ion Guardrails](https://attack.mitre.org/techniques/T1480), | > | xposure of capabilities in environments that are not intende | ||
| > | environmental keying can be used to prevent exposure of capa | > | d to be compromised or operated within. This activity is dis | ||
| > | bilities in environments that are not intended to be comprom | > | tinct from typical [Virtualization/Sandbox Evasion](https:// | ||
| > | ised or operated within. This activity is distinct from typi | > | attack.mitre.org/techniques/T1497). While use of [Virtualiza | ||
| > | cal [Virtualization/Sandbox Evasion](https://attack.mitre.or | > | tion/Sandbox Evasion](https://attack.mitre.org/techniques/T1 | ||
| > | g/techniques/T1497). While use of [Virtualization/Sandbox Ev | > | 497) may involve checking for known sandbox values and conti | ||
| > | asion](https://attack.mitre.org/techniques/T1497) may involv | > | nuing with execution only if there is no match, the use of e | ||
| > | e checking for known sandbox values and continuing with exec | > | nvironmental keying will involve checking for an expected ta | ||
| > | ution only if there is no match, the use of environmental ke | > | rget-specific value that must match for decryption and subse | ||
| > | ying will involve checking for an expected target-specific v | > | quent execution to be successful. | ||
| > | alue that must match for decryption and subsequent execution | ||||
| > | to be successful. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may exploit a system or application vulnerabilit | t | 1 | Adversaries may exploit vulnerabilities to evade detection b |
| > | y to bypass security features. Exploitation of a vulnerabili | > | y hiding activity, suppressing logging, or operating within | ||
| > | ty occurs when an adversary takes advantage of a programming | > | trusted or unmonitored components. Adversaries may exploit | ||
| > | error in a program, service, or within the operating system | > | a system or application vulnerability to avoid detection wh | ||
| > | software or kernel itself to execute adversary-controlled c | > | ile maintaining access within an environment. Exploitation o | ||
| > | ode.\u00a0Vulnerabilities may exist in defensive security softwar | > | ccurs when an adversary leverages a programming flaw to exec | ||
| > | e that can be used to disable or circumvent them. Adversari | > | ute code in a manner that minimizes visibility or blends in | ||
| > | es may have prior knowledge through reconnaissance that secu | > | with legitimate activity. Rather than directly disabling d | ||
| > | rity software exists within an environment or they may perfo | > | efenses, adversaries may use exploitation to circumvent moni | ||
| > | rm checks during or shortly after the system is compromised | > | toring and logging mechanisms. This can include abusing vuln | ||
| > | for [Security Software Discovery](https://attack.mitre.org/t | > | erabilities in logging pipelines, security tools, or cloud i | ||
| > | echniques/T1518/001). The security software will likely be t | > | nfrastructure to evade audit trails, suppress alerts, or ope | ||
| > | argeted directly for exploitation. There are examples of ant | > | rate without generating telemetry. Adversaries may identif | ||
| > | ivirus software being targeted by persistent threat groups t | > | y these opportunities through prior reconnaissance or by per | ||
| > | o avoid detection. There have also been examples of vulnera | > | forming discovery of security controls after initial access. | ||
| > | bilities in public cloud infrastructure of SaaS applications | > | In some cases, vulnerabilities in SaaS or public cloud envi | ||
| > | that may bypass defense boundaries (Citation: Salesforce ze | > | ronments may be exploited to evade logging, obscure activity | ||
| > | ro-day in facebook phishing attack), evade security logs (Ci | > | , or deploy infrastructure that remains hidden from standard | ||
| > | tation: Bypassing CloudTrail in AWS Service Catalog), or dep | > | monitoring tools.(Citation: Bypassing CloudTrail in AWS Ser | ||
| > | loy hidden infrastructure.(Citation: GhostToken GCP flaw) | > | vice Catalog)(Citation: GhostToken GCP flaw) |
chown (short for change owner), and chmod (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1222/002",
"external_id": "T1222.002"
},
{
"source_name": "Hybrid Analysis Icacls1 June 2018",
"description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
},
{
"source_name": "Hybrid Analysis Icacls2 May 2018",
"description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
},
{
"source_name": "20 macOS Common Tools and Techniques",
"description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
"url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-22 15:51:53.173000+00:00\", \"old_value\": \"2025-10-24 17:48:21.839000+00:00\"}, \"root['name']\": {\"new_value\": \"Linux and Mac Permissions\", \"old_value\": \"Linux and Mac File and Directory Permissions Modification\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0351: Unix-like File Permission Manipulation Behavioral Chain Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-04 19:17:41.767000+00:00",
"modified": "2026-04-22 15:51:17.272000+00:00",
"name": "Windows Permissions",
"description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1222/001",
"external_id": "T1222.001"
},
{
"source_name": "Hybrid Analysis Icacls1 June 2018",
"description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
},
{
"source_name": "Hybrid Analysis Icacls2 May 2018",
"description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
},
{
"source_name": "Microsoft Access Control Lists May 2018",
"description": "M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020.",
"url": "https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists"
},
{
"source_name": "Microsoft DACL May 2018",
"description": "Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.",
"url": "https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-22 15:51:17.272000+00:00\", \"old_value\": \"2025-10-24 17:48:37.826000+00:00\"}, \"root['name']\": {\"new_value\": \"Windows Permissions\", \"old_value\": \"Windows File and Directory Permissions Modification\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][5]\": {\"source_name\": \"EventTracker File Permissions Feb 2014\", \"description\": \"Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.\", \"url\": \"https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0418: Windows DACL Manipulation Behavioral Chain Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-26 17:41:25.933000+00:00",
"modified": "2026-04-15 20:17:25.231000+00:00",
"name": "Hide Artifacts",
"description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564",
"external_id": "T1564"
},
{
"source_name": "Cybereason OSX Pirrit",
"description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.",
"url": "https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
},
{
"source_name": "MalwareBytes ADS July 2015",
"description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
"url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
},
{
"source_name": "Sofacy Komplex Trojan",
"description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
},
{
"source_name": "Sophos Ragnar May 2020",
"description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.",
"url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Office Suite",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:17:25.231000+00:00\", \"old_value\": \"2025-10-24 17:48:31.407000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}}",
"previous_version": "1.4",
"version_change": "1.4 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1013: Application Developer Guidance",
"M1033: Limit Software Installation",
"M1047: Audit",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0502: Detection Strategy for Hidden Artifacts Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--5bd41255-a224-4425-a2e2-e9d293eafe1c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-01-30 21:01:16.340000+00:00",
"modified": "2026-04-15 20:17:48.263000+00:00",
"name": "Bind Mounts",
"description": "Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It\u2019s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access. \n\nAdversaries may use bind mounts to map either an empty directory or a benign `/proc` directory to a malicious process\u2019s `/proc` directory. Using the commands `mount \u2013o bind /proc/benign-process /proc/malicious-process` (or `mount \u2013B`), the malicious process's `/proc` directory is overlayed with the contents of a benign process's `/proc` directory. When system utilities query process activity, such as `ps` and `top`, the kernel follows the bind mount and presents the benign directory\u2019s contents instead of the malicious process's actual `/proc` directory. As a result, these utilities display information that appears to come from the benign process, effectively hiding the malicious process's metadata, executable, or other artifacts from detection.(Citation: Cado Security Commando Cat 2024)(Citation: Ahn Lab CoinMiner 2023)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/013",
"external_id": "T1564.013"
},
{
"source_name": "Ahn Lab CoinMiner 2023",
"description": "Ahn Lab. (2023, April 24). CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers. Retrieved April 4, 2025.",
"url": "https://asec.ahnlab.com/en/51908/"
},
{
"source_name": "Cado Security Commando Cat 2024",
"description": "Nate Bill & Matt Muir. (2024, February 1). The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker. Retrieved April 4, 2025.",
"url": "https://www.cadosecurity.com/blog/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"L\u00ea Ph\u01b0\u01a1ng Nam, Group-IB"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:17:48.263000+00:00\", \"old_value\": \"2025-04-15 19:58:34.469000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0428: Detection Strategy for Bind Mounts on Linux"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-07 13:20:23.767000+00:00",
"modified": "2026-04-15 20:18:10.251000+00:00",
"name": "Email Hiding Rules",
"description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)\n\nIn some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/008",
"external_id": "T1564.008"
},
{
"source_name": "MacOS Email Rules",
"description": "Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.",
"url": "https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac"
},
{
"source_name": "Microsoft Mail Flow Rules 2023",
"description": "Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.",
"url": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
},
{
"source_name": "Microsoft Inbox Rules",
"description": "Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.",
"url": "https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59"
},
{
"source_name": "Microsoft New-InboxRule",
"description": "Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps"
},
{
"source_name": "Microsoft Set-InboxRule",
"description": "Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps"
},
{
"source_name": "Microsoft Cloud App Security",
"description": "Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.",
"url": "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Dor Edry, Microsoft",
"Liran Ravich, CardinalOps"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS",
"Office Suite"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:18:10.251000+00:00\", \"old_value\": \"2025-10-24 17:48:23.364000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}, \"iterable_item_removed\": {\"root['external_references'][2]\": {\"source_name\": \"Microsoft BEC Campaign\", \"description\": \"Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.\", \"url\": \"https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/\"}}}",
"previous_version": "1.4",
"version_change": "1.4 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0192: Detection Strategy for Email Hiding Rules"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--762e6f29-a62f-4d96-91ed-d0073181431f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-27 19:40:00.716000+00:00",
"modified": "2026-04-15 20:19:25.896000+00:00",
"name": "Extended Attributes",
"description": "Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like `Finder`, `ls`, or `cat` and require utilities such as `xattr` (macOS) or `getfattr` (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as `user.` (user permissions), `trusted.` (root permissions), `security.`, and `system.`, each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with `com.apple.*` (e.g., `com.apple.quarantine`, `com.apple.metadata:_kMDItemUserTags`) and used by system features like Gatekeeper and Spotlight.(Citation: Establishing persistence using extended attributes on Linux)\n\nAn adversary may leverage xattrs by embedding a second-stage payload into the extended attribute of a legitimate file. On macOS, a payload can be embedded into a custom attribute using the `xattr` command. A separate loader can retrieve the attribute with `xattr -p`, decode the content, and execute it using a scripting interpreter. On Linux, an adversary may use `setfattr` to write a payload into the `user.` namespace of a legitimate file. A loader script can later extract the payload with `getfattr --only-values`, decode it, and execute it using bash or another interpreter. In both cases, because the primary file content remains unchanged, security tools and integrity checks that do not inspect extended attributes will observe the original file hash, allowing the malicious payload to evade detection.(Citation: Low GroupIB xattrs nov 2024)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/014",
"external_id": "T1564.014"
},
{
"source_name": "Establishing persistence using extended attributes on Linux",
"description": "Irem Kuyucu. (2024, August 6). Establishing persistence using extended attributes on Linux. Retrieved March 27, 2025.",
"url": "https://kernal.eu/posts/linux-xattr-persistence/"
},
{
"source_name": "Low GroupIB xattrs nov 2024",
"description": "Sharmine Low. (2024, November 13). Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes. Retrieved March 27, 2025.",
"url": "https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Sharmine Low, Group-IB",
"Rouven Bissinger (SySS GmbH)",
"RoseSecurity"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:19:25.896000+00:00\", \"old_value\": \"2025-09-17 17:58:26.729000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0406: Detection Strategy for Extended Attributes Abuse"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--09b008a9-b4eb-462a-a751-a0eb58050cd9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-03-29 16:59:10.374000+00:00",
"modified": "2026-04-16 19:21:42.768000+00:00",
"name": "File/Path Exclusions",
"description": "Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\n\nAdversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/012",
"external_id": "T1564.012"
},
{
"source_name": "Microsoft File Folder Exclusions",
"description": "Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024.",
"url": "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 19:21:42.768000+00:00\", \"old_value\": \"2025-04-15 22:35:31.731000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\\n\\nAdversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.\", \"old_value\": \"Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\\n\\nAdversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\\n \\n-Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.\\n+Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to hide their file-based artifacts b | t | 1 | Adversaries may attempt to hide their file-based artifacts b |
| > | y writing them to specific folders or file names excluded fr | > | y writing them to specific folders or file names excluded fr | ||
| > | om antivirus (AV) scanning and other defensive capabilities. | > | om antivirus (AV) scanning and other defensive capabilities. | ||
| > | AV and other file-based scanners often include exclusions t | > | AV and other file-based scanners often include exclusions t | ||
| > | o optimize performance as well as ease installation and legi | > | o optimize performance as well as ease installation and legi | ||
| > | timate use of applications. These exclusions may be contextu | > | timate use of applications. These exclusions may be contextu | ||
| > | al (e.g., scans are only initiated in response to specific t | > | al (e.g., scans are only initiated in response to specific t | ||
| > | riggering events/alerts), but are also often hardcoded strin | > | riggering events/alerts), but are also often hardcoded strin | ||
| > | gs referencing specific folders and/or files assumed to be t | > | gs referencing specific folders and/or files assumed to be t | ||
| > | rusted and legitimate.(Citation: Microsoft File Folder Exclu | > | rusted and legitimate.(Citation: Microsoft File Folder Exclu | ||
| > | sions) Adversaries may abuse these exclusions to hide their | > | sions) Adversaries may abuse these exclusions to hide their | ||
| > | file-based artifacts. For example, rather than tampering w | > | file-based artifacts. For example, rather than tampering w | ||
| > | ith tool settings to add a new exclusion (i.e., [Disable or | > | ith tool settings to add a new exclusion (i.e., [Disable or | ||
| > | Modify Tools](https://attack.mitre.org/techniques/T1562/001) | > | Modify Tools](https://attack.mitre.org/techniques/T1685)), a | ||
| > | ), adversaries may drop their file-based payloads in default | > | dversaries may drop their file-based payloads in default or | ||
| > | or otherwise well-known exclusions. Adversaries may also us | > | otherwise well-known exclusions. Adversaries may also use [S | ||
| > | e [Security Software Discovery](https://attack.mitre.org/tec | > | ecurity Software Discovery](https://attack.mitre.org/techniq | ||
| > | hniques/T1518/001) and other [Discovery](https://attack.mitr | > | ues/T1518/001) and other [Discovery](https://attack.mitre.or | ||
| > | e.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre. | > | g/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/ | ||
| > | org/tactics/TA0043) activities to both discover and verify e | > | tactics/TA0043) activities to both discover and verify exist | ||
| > | xisting exclusions in a victim environment. | > | ing exclusions in a victim environment. |
dir /a for Windows and ls \u2013a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.\n\nAdditionally, adversaries may name files in a manner that would allow the file to be hidden such as naming a file only a \u201cspace\u201d character.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/001",
"external_id": "T1564.001"
},
{
"source_name": "WireLurker",
"description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.",
"url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
},
{
"source_name": "Sofacy Komplex Trojan",
"description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
},
{
"source_name": "Antiquated Mac Malware",
"description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gr@ve_Rose (tcpdump101.com on bsky)"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:23:13.914000+00:00\", \"old_value\": \"2025-10-24 17:49:34.244000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0032: Detection Strategy for Hidden Files and Directories"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 20:12:40.876000+00:00",
"modified": "2026-04-15 20:23:44.205000+00:00",
"name": "Hidden Users",
"description": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users. \n\nIn macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value Hide500Users to TRUE in the /Library/Preferences/com.apple.loginwindow plist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated with it. When the Hide500Users key value is set to TRUE, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the dscl utility to create hidden user accounts by setting the IsHidden attribute to 1. Adversaries can also hide a user\u2019s home folder by changing the chflags to hidden.(Citation: Apple Support Hide a User Account) \n\nAdversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)\n\nOn Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manger (GDM), accounts may be hidden from the greeter using the gsettings command (ex: sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true).(Citation: Hide GDM User Accounts) Display Managers are not anchored to specific distributions and may be changed by a user or adversary.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/002",
"external_id": "T1564.002"
},
{
"source_name": "Cybereason OSX Pirrit",
"description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.",
"url": "https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
},
{
"source_name": "Apple Support Hide a User Account",
"description": "Apple. (2020, November 30). Hide a user account in macOS. Retrieved December 10, 2021.",
"url": "https://support.apple.com/en-us/HT203998"
},
{
"source_name": "FireEye SMOKEDHAM June 2021",
"description": "FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
},
{
"source_name": "Hide GDM User Accounts",
"description": "Ji Mingkui. (2021, June 17). How to Hide All The User Accounts in Ubuntu 20.04, 21.04 Login Screen. Retrieved March 15, 2022.",
"url": "https://ubuntuhandbook.org/index.php/2021/06/hide-user-accounts-ubuntu-20-04-login-screen/"
},
{
"source_name": "US-CERT TA18-074A",
"description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Omkar Gudhate"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:23:44.205000+00:00\", \"old_value\": \"2025-10-24 17:49:05.113000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0353: Detection Strategy for Hidden User Accounts"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 20:26:49.433000+00:00",
"modified": "2026-04-15 20:23:51.965000+00:00",
"name": "Hidden Window",
"description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)\n\nOn macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nSimilarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.(Citation: PowerShell About 2019)\n\nThe Windows Registry can also be edited to hide application windows from the current user. For example, by setting the `WindowPosition` subkey in the `HKEY_CURRENT_USER\\Console\\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe` Registry key to a maximum value, PowerShell windows will open off screen and be hidden.(Citation: Cantoris Computing)\n\nIn addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.\n\nAdversaries may also leverage cmd.exe(Citation: Cybereason - Hidden Malicious Remote Access) as a parent process, and then utilize a LOLBin, such as DeviceCredentialDeployment.exe,(Citation: LOLBAS Project GitHub Device Cred Dep)(Citation: SecureList BlueNoroff Device Cred Dev) to hide windows.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/003",
"external_id": "T1564.003"
},
{
"source_name": "Cantoris Computing",
"description": "Cantoris. (2016, July 22). PowerShell Malware. Retrieved December 12, 2024.",
"url": "https://cantoriscomputing.wordpress.com/2016/07/22/powershell-malware/"
},
{
"source_name": "Cybereason - Hidden Malicious Remote Access",
"description": "Cybereason Security Services Team. (n.d.). Behind Closed Doors: The Rise of Hidden Malicious Remote Access. Retrieved July 22, 2025.",
"url": "https://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access"
},
{
"source_name": "LOLBAS Project GitHub Device Cred Dep",
"description": "Elliot Killick. (n.d.). /DeviceCredentialDeployment.exe. Retrieved July 22, 2025.",
"url": "https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/"
},
{
"source_name": "Hidden VNC",
"description": "Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners. Retrieved November 28, 2023.",
"url": "https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html"
},
{
"source_name": "Anatomy of an hVNC Attack",
"description": "Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an hVNC Attack. Retrieved November 28, 2023.",
"url": "https://securityintelligence.com/anatomy-of-an-hvnc-attack/"
},
{
"source_name": "SecureList BlueNoroff Device Cred Dev",
"description": "Seongsu Park. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved July 22, 2025.",
"url": "https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
},
{
"source_name": "Antiquated Mac Malware",
"description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
},
{
"source_name": "PowerShell About 2019",
"description": "Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019.",
"url": "https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Liran Ravich, CardinalOps",
"Mark Tsipershtein",
"Travis Smith, Tripwire",
"Vijay Lalwani"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:23:51.965000+00:00\", \"old_value\": \"2025-10-24 17:49:23.485000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}}",
"previous_version": "1.4",
"version_change": "1.4 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1033: Limit Software Installation",
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0128: Detection Strategy for Hidden Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-08-24 17:23:34.470000+00:00",
"modified": "2026-04-15 20:24:37.027000+00:00",
"name": "Ignore Process Interrupts",
"description": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. \n\nAdversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.\n\nHiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/011",
"external_id": "T1564.011"
},
{
"source_name": "Linux Signal Man",
"description": "Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.",
"url": "https://man7.org/linux/man-pages/man7/signal.7.html"
},
{
"source_name": "nohup Linux Man",
"description": "Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.",
"url": "https://linux.die.net/man/1/nohup"
},
{
"source_name": "Microsoft PowerShell SilentlyContinue",
"description": "Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.",
"url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Viren Chaudhari, Qualys"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:24:37.027000+00:00\", \"old_value\": \"2025-04-15 22:41:11.807000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0067: Detection Strategy for Ignore Process Interrupts"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 20:33:00.009000+00:00",
"modified": "2026-04-15 20:24:50.745000+00:00",
"name": "NTFS File Attributes",
"description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/004",
"external_id": "T1564.004"
},
{
"source_name": "MalwareBytes ADS July 2015",
"description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
"url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
},
{
"source_name": "SpectorOps Host-Based Jul 2017",
"description": "Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018.",
"url": "https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea"
},
{
"source_name": "Journey into IR ZeroAccess NTFS EA",
"description": "Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.",
"url": "http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html"
},
{
"source_name": "Microsoft NTFS File Attributes Aug 2010",
"description": "Hughes, J. (2010, August 25). NTFS File Attributes. Retrieved March 21, 2018.",
"url": "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/"
},
{
"source_name": "Microsoft ADS Mar 2014",
"description": "Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.",
"url": "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/"
},
{
"source_name": "Microsoft File Streams",
"description": "Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Oddvar Moe, @oddvarmoe",
"Red Canary"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:24:50.745000+00:00\", \"old_value\": \"2025-10-24 17:49:35.944000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][7]\": {\"source_name\": \"Oddvar Moe ADS2 Apr 2018\", \"description\": \"Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018.\", \"url\": \"https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/\"}, \"root['external_references'][8]\": {\"source_name\": \"Oddvar Moe ADS1 Jan 2018\", \"description\": \"Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018.\", \"url\": \"https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/\"}, \"root['external_references'][9]\": {\"source_name\": \"Symantec ADS May 2009\", \"description\": \"Pravs. (2009, May 25). What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?. Retrieved March 21, 2018.\", \"url\": \"https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0432: Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-11-19 14:13:11.335000+00:00",
"modified": "2026-04-15 20:25:25.946000+00:00",
"name": "Process Argument Spoofing",
"description": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)\n\nAdversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://attack.mitre.org/techniques/T1106) WriteProcessMemory() function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)\n\nAdversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)\n\nThis behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004)) to manipulate or further evade process-based detections.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/010",
"external_id": "T1564.010"
},
{
"source_name": "Xpn Argue Like Cobalt 2019",
"description": "Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021.",
"url": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/"
},
{
"source_name": "Nviso Spoof Command Line 2020",
"description": "Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.",
"url": "https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/"
},
{
"source_name": "FireEye FiveHands April 2021",
"description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
},
{
"source_name": "Microsoft PEB 2021",
"description": "Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.",
"url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb"
},
{
"source_name": "Cobalt Strike Arguments 2019",
"description": "Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021.",
"url": "https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:25:25.946000+00:00\", \"old_value\": \"2025-10-24 17:49:40.325000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['external_references'][6]\": {\"source_name\": \"Mandiant Endpoint Evading 2019\", \"description\": \"Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.\", \"url\": \"https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0045: Detection Strategy for Process Argument Spoofing on Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-12 20:02:31.866000+00:00",
"modified": "2026-04-15 20:25:32.891000+00:00",
"name": "Resource Forking",
"description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file\u2019s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/009",
"external_id": "T1564.009"
},
{
"source_name": "tau bundlore erika noerenberg 2020",
"description": "Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.",
"url": "https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html"
},
{
"source_name": "Resource and Data Forks",
"description": "Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.",
"url": "https://flylib.com/books/en/4.395.1.192/1/"
},
{
"source_name": "ELC Extended Attributes",
"description": "Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.",
"url": "https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/"
},
{
"source_name": "sentinellabs resource named fork 2020",
"description": "Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.",
"url": "https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/"
},
{
"source_name": "macOS Hierarchical File System Overview",
"description": "Tenon. (n.d.). Retrieved October 12, 2021.",
"url": "http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ivan Sinyakov",
"Jaron Bradley @jbradley89"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:25:32.891000+00:00\", \"old_value\": \"2025-10-24 17:49:14.736000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1013: Application Developer Guidance"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0584: Detection Strategy for Resource Forking on macOS"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-29 15:36:41.535000+00:00",
"modified": "2026-04-15 20:26:04.116000+00:00",
"name": "Run Virtual Instance",
"description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)\n\nThreat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the `PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero\u2019s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/007",
"external_id": "T1564.007"
},
{
"source_name": "pcodedmp Bontchev",
"description": "Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020.",
"url": "https://github.com/bontchev/pcodedmp"
},
{
"source_name": "FireEye VBA stomp Feb 2020",
"description": "Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.",
"url": "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html"
},
{
"source_name": "Evil Clippy May 2019",
"description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.",
"url": "https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/"
},
{
"source_name": "Microsoft _VBA_PROJECT Stream",
"description": "Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020.",
"url": "https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239"
},
{
"source_name": "Walmart Roberts Oct 2018",
"description": "Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping \u2014 Advanced Maldoc Techniques. Retrieved September 17, 2020.",
"url": "https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Rick Cole, Mandiant"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:26:09.220000+00:00\", \"old_value\": \"2025-10-24 17:49:22.623000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][6]\": {\"source_name\": \"oletools toolkit\", \"description\": \"decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020.\", \"url\": \"https://github.com/decalage2/oletools\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0012: Detection Strategy for VBA Stomping"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-12 20:38:12.465000+00:00",
"modified": "2026-04-20 21:18:17.156000+00:00",
"name": "Hijack Execution Flow",
"description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574",
"external_id": "T1574"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-20 21:18:17.156000+00:00\", \"old_value\": \"2025-10-24 17:49:13.820000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}, \"root['external_references'][1]\": {\"source_name\": \"Autoruns for Windows\", \"description\": \"Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\"}}}",
"previous_version": "1.3",
"version_change": "1.3 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1013: Application Developer Guidance",
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1024: Restrict Registry Permissions",
"M1038: Execution Prevention",
"M1040: Behavior Prevention on Endpoint",
"M1044: Restrict Library Loading",
"M1047: Audit",
"M1051: Update Software",
"M1052: User Account Control"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0218: Detection Strategy for Hijack Execution Flow across OS platforms."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-03-28 15:36:34.141000+00:00",
"modified": "2026-04-15 22:57:09.601000+00:00",
"name": "AppDomainManager",
"description": "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/014",
"external_id": "T1574.014"
},
{
"source_name": "PenTestLabs AppDomainManagerInject",
"description": "Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND DETECTION. Retrieved March 28, 2024.",
"url": "https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/"
},
{
"source_name": "Microsoft App Domains",
"description": "Microsoft. (2021, September 15). Application domains. Retrieved March 28, 2024.",
"url": "https://learn.microsoft.com/dotnet/framework/app-domains/application-domains"
},
{
"source_name": "PwC Yellow Liderc",
"description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.",
"url": "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html"
},
{
"source_name": "Rapid7 AppDomain Manager Injection",
"description": "Spagnola, N. (2023, May 5). AppDomain Manager Injection: New Techniques For Red Teams. Retrieved March 29, 2024.",
"url": "https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ivy Drexel",
"Thomas B"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:57:09.601000+00:00\", \"old_value\": \"2025-04-15 21:48:08.401000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0517: Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-24 22:30:55.843000+00:00",
"modified": "2026-04-16 18:58:17.752000+00:00",
"name": "COR_PROFILER",
"description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/012",
"external_id": "T1574.012"
},
{
"source_name": "Almond COR_PROFILER Apr 2019",
"description": "Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.",
"url": "https://offsec.almond.consulting/UAC-bypass-dotnet.html"
},
{
"source_name": "Red Canary COR_PROFILER May 2020",
"description": "Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.",
"url": "https://redcanary.com/blog/cor_profiler-for-persistence/"
},
{
"source_name": "RedCanary Mockingbird May 2020",
"description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.",
"url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/"
},
{
"source_name": "Microsoft COR_PROFILER Feb 2013",
"description": "Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020.",
"url": "https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)"
},
{
"source_name": "Microsoft Profiling Mar 2017",
"description": "Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020.",
"url": "https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview"
},
{
"source_name": "subTee .NET Profilers May 2017",
"description": "Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020.",
"url": "https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html"
},
{
"source_name": "GitHub OmerYa Invisi-Shell",
"description": "Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020.",
"url": "https://github.com/OmerYa/Invisi-Shell"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jesse Brown, Red Canary"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 18:58:17.752000+00:00\", \"old_value\": \"2025-10-24 17:49:40.510000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\", \"old_value\": \"Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\\n \\n-Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\\n+Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may leverage the COR_PROFILER environment variab | t | 1 | Adversaries may leverage the COR_PROFILER environment variab |
| > | le to hijack the execution flow of programs that load the .N | > | le to hijack the execution flow of programs that load the .N | ||
| > | ET CLR. The COR_PROFILER is a .NET Framework feature which a | > | ET CLR. The COR_PROFILER is a .NET Framework feature which a | ||
| > | llows developers to specify an unmanaged (or external of .NE | > | llows developers to specify an unmanaged (or external of .NE | ||
| > | T) profiling DLL to be loaded into each .NET process that lo | > | T) profiling DLL to be loaded into each .NET process that lo | ||
| > | ads the Common Language Runtime (CLR). These profilers are d | > | ads the Common Language Runtime (CLR). These profilers are d | ||
| > | esigned to monitor, troubleshoot, and debug managed code exe | > | esigned to monitor, troubleshoot, and debug managed code exe | ||
| > | cuted by the .NET CLR.(Citation: Microsoft Profiling Mar 201 | > | cuted by the .NET CLR.(Citation: Microsoft Profiling Mar 201 | ||
| > | 7)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFI | > | 7)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFI | ||
| > | LER environment variable can be set at various scopes (syste | > | LER environment variable can be set at various scopes (syste | ||
| > | m, user, or process) resulting in different levels of influe | > | m, user, or process) resulting in different levels of influe | ||
| > | nce. System and user-wide environment variable scopes are sp | > | nce. System and user-wide environment variable scopes are sp | ||
| > | ecified in the Registry, where a [Component Object Model](ht | > | ecified in the Registry, where a [Component Object Model](ht | ||
| > | tps://attack.mitre.org/techniques/T1559/001) (COM) object ca | > | tps://attack.mitre.org/techniques/T1559/001) (COM) object ca | ||
| > | n be registered as a profiler DLL. A process scope COR_PROFI | > | n be registered as a profiler DLL. A process scope COR_PROFI | ||
| > | LER can also be created in-memory without modifying the Regi | > | LER can also be created in-memory without modifying the Regi | ||
| > | stry. Starting with .NET Framework 4, the profiling DLL does | > | stry. Starting with .NET Framework 4, the profiling DLL does | ||
| > | not need to be registered as long as the location of the DL | > | not need to be registered as long as the location of the DL | ||
| > | L is specified in the COR_PROFILER_PATH environment variable | > | L is specified in the COR_PROFILER_PATH environment variable | ||
| > | .(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries ma | > | .(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries ma | ||
| > | y abuse COR_PROFILER to establish persistence that executes | > | y abuse COR_PROFILER to establish persistence that executes | ||
| > | a malicious DLL in the context of all .NET processes every t | > | a malicious DLL in the context of all .NET processes every t | ||
| > | ime the CLR is invoked. The COR_PROFILER can also be used to | > | ime the CLR is invoked. The COR_PROFILER can also be used to | ||
| > | elevate privileges (ex: [Bypass User Account Control](https | > | elevate privileges (ex: [Bypass User Account Control](https | ||
| > | ://attack.mitre.org/techniques/T1548/002)) if the victim .NE | > | ://attack.mitre.org/techniques/T1548/002)) if the victim .NE | ||
| > | T process executes at a higher permission level, as well as | > | T process executes at a higher permission level, as well as | ||
| > | to hook and [Impair Defenses](https://attack.mitre.org/techn | > | to hook and impair defenses provided by .NET processes.(Cita | ||
| > | iques/T1562) provided by .NET processes.(Citation: RedCanary | > | tion: RedCanary Mockingbird May 2020)(Citation: Red Canary C | ||
| > | Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May | > | OR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019 | ||
| > | 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: Git | > | )(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NE | ||
| > | Hub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May | > | T Profilers May 2017) | ||
| > | 2017) |
@rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/004",
"external_id": "T1574.004"
},
{
"source_name": "MalwareUnicorn macOS Dylib Injection MachO",
"description": "Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.",
"url": "https://malwareunicorn.org/workshops/macos_dylib_injection.html#5"
},
{
"source_name": "Wardle Dylib Hijacking OSX 2015",
"description": "Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved March 29, 2021.",
"url": "https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf"
},
{
"source_name": "Writing Bad Malware for OSX",
"description": "Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.",
"url": "https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf"
},
{
"source_name": "Wardle Dylib Hijack Vulnerable Apps",
"description": "Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.",
"url": "https://objective-see.com/blog/blog_0x46.html"
},
{
"source_name": "wardle artofmalware volume1",
"description": "Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved November 17, 2024.",
"url": "https://taomm.org/vol1/read.html"
},
{
"source_name": "Github EmpireProject HijackScanner",
"description": "Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.",
"url": "https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py"
},
{
"source_name": "Github EmpireProject CreateHijacker Dylib",
"description": "Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.",
"url": "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_remote_support": false,
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:58:27.104000+00:00\", \"old_value\": \"2025-10-24 17:49:39.243000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}, \"root['external_references'][2]\": {\"source_name\": \"Apple Developer Doco Archive Run-Path\", \"description\": \"Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.\", \"url\": \"https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html\"}}}",
"previous_version": "2.1",
"version_change": "2.1 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0152: Detection Strategy for Hijack Execution Flow: Dylib Hijacking"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 20:09:59.569000+00:00",
"modified": "2026-04-15 22:57:21.530000+00:00",
"name": "Dynamic Linker Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD)\n\nHijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used `LD_PRELOAD` to inject a malicious library into every descendant process of the `sshd` daemon, resulting in execution under a legitimate process. When the executing sub-process calls the `execve` function, for example, the malicious library\u2019s `execve` function is executed rather than the system function `execve` contained in the system library on disk. This allows adversaries to [Hide Artifacts](https://attack.mitre.org/techniques/T1564) from detection, as hooking system functions such as `execve` and `readdir` enables malware to scrub its own artifacts from the results of commands such as `ls`, `ldd`, `iptables`, and `dmesg`.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024)\n\nHijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/006",
"external_id": "T1574.006"
},
{
"source_name": "Apple Doco Archive Dynamic Libraries",
"description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
"url": "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
},
{
"source_name": "Baeldung LD_PRELOAD",
"description": "baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021.",
"url": "https://www.baeldung.com/linux/ld_preload-trick-what-is"
},
{
"source_name": "TheEvilBit DYLD_INSERT_LIBRARIES",
"description": "Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020.",
"url": "https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/"
},
{
"source_name": "Intezer Symbiote 2022",
"description": "Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.",
"url": "https://intezer.com/blog/research/new-linux-threat-symbiote/"
},
{
"source_name": "Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass",
"description": "Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021.",
"url": "https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191"
},
{
"source_name": "Man LD.SO",
"description": "Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.",
"url": "https://www.man7.org/linux/man-pages/man8/ld.so.8.html"
},
{
"source_name": "Elastic Security Labs Pumakit 2024",
"description": "Remco Sprooten and Ruben Groenewoud. (2024, December 11). Declawing PUMAKIT. Retrieved March 24, 2025.",
"url": "https://www.elastic.co/security-labs/declawing-pumakit"
},
{
"source_name": "TLDP Shared Libraries",
"description": "The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.",
"url": "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html"
},
{
"source_name": "Timac DYLD_INSERT_LIBRARIES",
"description": "Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.",
"url": "https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/"
},
{
"source_name": "ESET Ebury Oct 2017",
"description": "Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.",
"url": "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_remote_support": false,
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:57:21.530000+00:00\", \"old_value\": \"2025-10-24 17:48:51.810000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "2.1",
"version_change": "2.1 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration",
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0435: Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 11:12:18.558000+00:00",
"modified": "2026-04-15 23:02:03.423000+00:00",
"name": "Executable Installer File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/005",
"external_id": "T1574.005"
},
{
"source_name": "mozilla_sec_adv_2012",
"description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
},
{
"source_name": "Executable Installers are Vulnerable",
"description": "Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.",
"url": "https://seclists.org/fulldisclosure/2015/Dec/34"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak",
"Travis Smith, Tripwire"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:02:03.423000+00:00\", \"old_value\": \"2025-10-24 17:48:56.875000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit",
"M1052: User Account Control"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0038: Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-02-25 15:27:44.927000+00:00",
"modified": "2026-04-15 23:01:58.951000+00:00",
"name": "KernelCallbackTable",
"description": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.(Citation: Windows Process Injection KernelCallbackTable)\n\nAn adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process.\n\nA pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)\n\nThe tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/013",
"external_id": "T1574.013"
},
{
"source_name": "FinFisher exposed ",
"description": "Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.",
"url": "https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
},
{
"source_name": "NtQueryInformationProcess",
"description": "Microsoft. (2021, November 23). NtQueryInformationProcess function (winternl.h). Retrieved February 4, 2022.",
"url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess"
},
{
"source_name": "Windows Process Injection KernelCallbackTable",
"description": "odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable used by FinFisher / FinSpy. Retrieved February 4, 2022.",
"url": "https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/"
},
{
"source_name": "Lazarus APT January 2022",
"description": "Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.",
"url": "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:01:58.951000+00:00\", \"old_value\": \"2025-10-24 17:49:11.077000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0577: Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 14:10:43.424000+00:00",
"modified": "2026-04-15 23:01:52.753000+00:00",
"name": "Path Interception by PATH Environment Variable",
"description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \n\nAdversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\n\nFor example, on Windows if an adversary places a malicious program named \"net.exe\" in `C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe` in the PATH environment variable, when \"net\" is executed from the command-line the `C:\\example path` will be called instead of the system's legitimate executable at `C:\\Windows\\system32\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/007",
"external_id": "T1574.007"
},
{
"source_name": "Elastic Rules macOS launchctl 2022",
"description": "Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.",
"url": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html"
},
{
"source_name": "ExpressVPN PATH env Windows 2021",
"description": "ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.",
"url": "https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/"
},
{
"source_name": "uptycs Fake POC linux malware 2023",
"description": "Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.",
"url": "https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware"
},
{
"source_name": "nixCraft macOS PATH variables",
"description": "Vivek Gite. (2023, August 22). MacOS \u2013 Set / Change $PATH Variable Command. Retrieved September 28, 2023.",
"url": "https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:01:52.753000+00:00\", \"old_value\": \"2025-10-24 17:48:22.736000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1038: Execution Prevention",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0004: Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 17:48:58.999000+00:00",
"modified": "2026-04-15 23:01:48.263000+00:00",
"name": "Path Interception by Search Order Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL](https://attack.mitre.org/techniques/T1574/001).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/008",
"external_id": "T1574.008"
},
{
"source_name": "Microsoft Environment Property",
"description": "Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.",
"url": "https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN"
},
{
"source_name": "Microsoft CreateProcess",
"description": "Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa"
},
{
"source_name": "Microsoft WinExec",
"description": "Microsoft. (n.d.). WinExec function. Retrieved September 12, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec"
},
{
"source_name": "Windows NT Command Shell",
"description": "Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014.",
"url": "https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:01:48.263000+00:00\", \"old_value\": \"2025-10-24 17:48:49.665000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1038: Execution Prevention",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0564: Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 13:51:58.519000+00:00",
"modified": "2026-04-15 23:01:45.477000+00:00",
"name": "Path Interception by Unquoted Path",
"description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/009",
"external_id": "T1574.009"
},
{
"source_name": "Windows Privilege Escalation Guide",
"description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
"url": "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
},
{
"source_name": "Windows Unquoted Services",
"description": "HackHappy. (2018, April 23). Windows Privilege Escalation \u2013 Unquoted Services. Retrieved August 10, 2018.",
"url": "https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/"
},
{
"source_name": "Help eliminate unquoted path",
"description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.",
"url": "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464"
},
{
"source_name": "Microsoft CurrentControlSet Services",
"description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.",
"url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:01:45.477000+00:00\", \"old_value\": \"2025-10-24 17:49:19.228000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1038: Execution Prevention",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0064: Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-12 20:43:53.998000+00:00",
"modified": "2026-04-15 23:02:37.539000+00:00",
"name": "Services File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/010",
"external_id": "T1574.010"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak",
"Travis Smith, Tripwire"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:02:37.539000+00:00\", \"old_value\": \"2025-10-24 17:49:09.575000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit",
"M1052: User Account Control"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0436: Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 11:42:14.444000+00:00",
"modified": "2026-04-15 23:02:58.258000+00:00",
"name": "Services Registry Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service\u2019s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service\u2019s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which can reference malicious drivers file paths. This technique has been identified to be a method of abuse by configuring DLL file paths within the Parameters key of a given services registry configuration. By placing and configuring the Parameters key to reference a malicious DLL, adversaries can ensure that their code is loaded persistently whenever the associated service or library is invoked.\n\nFor example, the registry path(Citation: MDSec) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters(Citation: hexacorn)(Citation: gendigital) contains the AutodiaDLL value, which specifies the DLL to be loaded for autodial funcitionality. An adversary could set the AutodiaDLL to point to a hijacked or malicious DLL:\n\n\"AutodialDLL\"=\"c:\\temp\\foo.dll\"\n\nThis ensures persistence, as it causes the DLL (in this case, foo.dll) to be loaded each time the Winsock 2 library is invoked.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/011",
"external_id": "T1574.011"
},
{
"source_name": "Tweet Registry Perms Weakness",
"description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved September 12, 2024.",
"url": "https://x.com/r0wdy_/status/936365549553991680"
},
{
"source_name": "insecure_reg_perms",
"description": "Cl\u00e9ment Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.",
"url": "https://itm4n.github.io/windows-registry-rpceptmapper-eop/"
},
{
"source_name": "hexacorn",
"description": "hexacorn. (2015, January 13). Beyond good ol\u2019 Run key, Part 24. Retrieved September 25, 2025.",
"url": "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/"
},
{
"source_name": "Kansa Service related collectors",
"description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.",
"url": "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html"
},
{
"source_name": "malware_hides_service",
"description": "Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.",
"url": "https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/"
},
{
"source_name": "MDSec",
"description": "MDSec. (n.d.). Autodial(DLL)ing Your Way. Retrieved September 25, 2025.",
"url": "https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/"
},
{
"source_name": "Registry Key Security",
"description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
"url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN"
},
{
"source_name": "microsoft_services_registry_tree",
"description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved August 25, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
},
{
"source_name": "gendigital",
"description": "Threat Research Team. (2022, March 22). Operation Dragon Castling: APT group targeting betting companies. Retrieved September 25, 2025.",
"url": "https://www.gendigital.com/blog/insights/research/operation-dragon-castling-apt-group-targeting-betting-companies"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Joe Gumke, U.S. Bank",
"Matthew Demaske, Adaptforward",
"Travis Smith, Tripwire"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:02:58.258000+00:00\", \"old_value\": \"2025-10-24 17:48:27.075000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}, \"root['external_references'][6]\": {\"source_name\": \"Autoruns for Windows\", \"description\": \"Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\"}}}",
"previous_version": "1.3",
"version_change": "1.3 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1024: Restrict Registry Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0427: Detection Strategy for Hijack Execution Flow through Service Registry Premission Weakness."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:55.892000+00:00",
"modified": "2026-04-15 15:10:02.929000+00:00",
"name": "Indicator Removal",
"description": "Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.\n\nArtifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.\n\nThese actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070",
"external_id": "T1070"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Brad Geesaman, @bradgeesaman",
"Ed Williams, Trustwave, SpiderLabs",
"Blake Strom, Microsoft 365 Defender"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 15:10:02.929000+00:00\", \"old_value\": \"2025-10-24 17:48:59.237000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.\\n\\nArtifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.\\n\\nThese actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.\", \"old_value\": \"Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary\\u2019s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\\n\\nRemoval of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary\\u2019s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\\n+Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.\\n \\n-Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.\\n+Artifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.\\n+\\n+These actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.4\"}}}",
"previous_version": "2.4",
"version_change": "2.4 \u2192 3.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may delete or modify artifacts generated within | t | 1 | Adversaries may selectively delete or modify artifacts gener |
| > | systems to remove evidence of their presence or hinder defen | > | ated to reduce indications of their presence and blend in wi | ||
| > | ses. Various artifacts may be created by an adversary or som | > | th legitimate activity. Rather than broadly removing evidenc | ||
| > | ething that can be attributed to an adversary\u2019s actions. Typ | > | e, adversaries may target specific artifacts that appear ano | ||
| > | ically these artifacts are used as defensive indicators rela | > | malous or are likely to draw scrutiny, while leaving suffici | ||
| > | ted to monitored events, such as strings from downloaded fil | > | ent data intact to maintain the appearance of normal system | ||
| > | es, logs that are generated from user actions, and other dat | > | behavior. Artifacts such as command histories, log entries, | ||
| > | a analyzed by defenders. Location, format, and type of artif | > | or file metadata may be altered in ways that align with exp | ||
| > | act (such as command or login history) are often specific to | > | ected user or system activity. Location, format, and type of | ||
| > | each platform. Removal of these indicators may interfere w | > | artifact (such as command or login history) are often platf | ||
| > | ith event collection, reporting, or other processes used to | > | orm-specific, allowing adversaries to tailor modifications t | ||
| > | detect intrusion activity. This may compromise the integrity | > | hat minimize suspicion. These actions may not prevent detec | ||
| > | of security solutions by causing notable events to go unrep | > | tion entirely but can delay recognition of malicious activit | ||
| > | orted. This activity may also impede forensic analysis and i | > | y or reduce the fidelity of alerts by making events appear b | ||
| > | ncident response, due to lack of sufficient data to determin | > | enign or consistent with routine operations. Additionally, s | ||
| > | e what occurred. | > | electively removed or modified artifacts may still be recove | ||
| > | rable through deeper forensic analysis, though their absence | ||||
| > | or alteration can complicate timeline reconstruction and at | ||||
| > | tribution. |
HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history. \n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (clear logging and/or clear history).(Citation: US-CERT-TA18-106A) On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/003",
"external_id": "T1070.003"
},
{
"source_name": "Broadcom ESXi Shell Audit",
"description": "Broadcom. (2025, February 20). Auditing ESXi Shell logins and commands. Retrieved March 26, 2025.",
"url": "https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html"
},
{
"source_name": "Sophos PowerShell command audit",
"description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.",
"url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit"
},
{
"source_name": "Microsoft PowerShell Command History",
"description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.",
"url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7"
},
{
"source_name": "US-CERT-TA18-106A",
"description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
},
{
"source_name": "Sophos PowerShell Command History Forensics",
"description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024.",
"url": "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Vikas Singh, Sophos",
"Emile Kenning, Sophos",
"Austin Clark, @c2defense"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:27:09.604000+00:00\", \"old_value\": \"2025-10-24 17:48:40.313000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.6\"}}}",
"previous_version": "1.6",
"version_change": "1.6 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1029: Remote Data Storage",
"M1039: Environment Variable Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0165: Behavioral Detection of Command History Clearing"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--438c967d-3996-4870-bfc2-3954752a1927",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-07-08 21:04:03.739000+00:00",
"modified": "2026-04-15 20:27:22.074000+00:00",
"name": "Clear Mailbox Data",
"description": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. \n\nAdversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)\n\nAdversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/008",
"external_id": "T1070.008"
},
{
"source_name": "Volexity SolarWinds",
"description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.",
"url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
},
{
"source_name": "Cybereason Cobalt Kitty 2017",
"description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
"url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf"
},
{
"source_name": "mailx man page",
"description": "Michael Kerrisk. (2021, August 27). mailx(1p) \u2014 Linux manual page. Retrieved June 10, 2022.",
"url": "https://man7.org/linux/man-pages/man1/mailx.1p.html"
},
{
"source_name": "ExchangePowerShell Module",
"description": "Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes"
},
{
"source_name": "Microsoft OAuth Spam 2022",
"description": "Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.",
"url": "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Liran Ravich, CardinalOps"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Office Suite",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:27:22.074000+00:00\", \"old_value\": \"2025-04-15 21:56:59.810000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1029: Remote Data Storage",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0266: Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-06-15 18:00:04.219000+00:00",
"modified": "2026-04-16 19:27:07.242000+00:00",
"name": "Clear Network Connection History and Configurations",
"description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\n\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\n\nWindows may also store information about recent RDP connections in files such as C:\\Users\\\\%username%\\Documents\\Default.rdp and `C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Terminal\nServer Client\\Cache\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1686) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/007",
"external_id": "T1070.007"
},
{
"source_name": "FreeDesktop Journal",
"description": "freedesktop.org. (n.d.). systemd-journald.service. Retrieved June 15, 2022.",
"url": "https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html"
},
{
"source_name": "Microsoft RDP Removal",
"description": "Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022.",
"url": "https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer"
},
{
"source_name": "Moran RDPieces",
"description": "Moran, B. (2020, November 18). Putting Together the RDPieces. Retrieved October 17, 2022.",
"url": "https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf"
},
{
"source_name": "Apple Culprit Access",
"description": "rjben. (2012, May 30). How do you find the culprit when unauthorized access to a computer is a problem?. Retrieved August 3, 2022.",
"url": "https://discussions.apple.com/thread/3991574"
},
{
"source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing",
"description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.",
"url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"CrowdStrike Falcon OverWatch"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows",
"Network Devices"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 19:27:07.242000+00:00\", \"old_value\": \"2025-04-16 20:37:16.734000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n\\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\n\\nWindows may also store information about recent RDP connections in files such as C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\nServer Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1686) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\", \"old_value\": \"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n\\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\n\\nWindows may also store information about recent RDP connections in files such as C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\nServer Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\", \"diff\": \"--- \\n+++ \\n@@ -8,4 +8,4 @@\\n Windows may also store information about recent RDP connections in files such as C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\n Server Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n \\n-Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\\n+Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1686) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may clear or remove evidence of malicious networ | t | 1 | Adversaries may clear or remove evidence of malicious networ |
| > | k connections in order to clean up traces of their operation | > | k connections in order to clean up traces of their operation | ||
| > | s. Configuration settings as well as various artifacts that | > | s. Configuration settings as well as various artifacts that | ||
| > | highlight connection history may be created on a system and/ | > | highlight connection history may be created on a system and/ | ||
| > | or in application logs from behaviors that require network c | > | or in application logs from behaviors that require network c | ||
| > | onnections, such as [Remote Services](https://attack.mitre.o | > | onnections, such as [Remote Services](https://attack.mitre.o | ||
| > | rg/techniques/T1021) or [External Remote Services](https://a | > | rg/techniques/T1021) or [External Remote Services](https://a | ||
| > | ttack.mitre.org/techniques/T1133). Defenders may use these a | > | ttack.mitre.org/techniques/T1133). Defenders may use these a | ||
| > | rtifacts to monitor or otherwise analyze network connections | > | rtifacts to monitor or otherwise analyze network connections | ||
| > | created by adversaries. Network connection history may be | > | created by adversaries. Network connection history may be | ||
| > | stored in various locations. For example, RDP connection his | > | stored in various locations. For example, RDP connection his | ||
| > | tory may be stored in Windows Registry values under (Citatio | > | tory may be stored in Windows Registry values under (Citatio | ||
| > | n: Microsoft RDP Removal): * <code>HKEY_CURRENT_USER\\Softwa | > | n: Microsoft RDP Removal): * <code>HKEY_CURRENT_USER\\Softwa | ||
| > | re\\Microsoft\\Terminal Server Client\\Default</code> * <code>H | > | re\\Microsoft\\Terminal Server Client\\Default</code> * <code>H | ||
| > | KEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\S | > | KEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\S | ||
| > | ervers</code> Windows may also store information about rece | > | ervers</code> Windows may also store information about rece | ||
| > | nt RDP connections in files such as <code>C:\\Users\\\\%usernam | > | nt RDP connections in files such as <code>C:\\Users\\\\%usernam | ||
| > | e%\\Documents\\Default.rdp</code> and `C:\\Users\\%username%\\App | > | e%\\Documents\\Default.rdp</code> and `C:\\Users\\%username%\\App | ||
| > | Data\\Local\\Microsoft\\Terminal Server Client\\Cache\\`.(Citatio | > | Data\\Local\\Microsoft\\Terminal Server Client\\Cache\\`.(Citatio | ||
| > | n: Moran RDPieces) Similarly, macOS and Linux hosts may stor | > | n: Moran RDPieces) Similarly, macOS and Linux hosts may stor | ||
| > | e information highlighting connection history in system logs | > | e information highlighting connection history in system logs | ||
| > | (such as those stored in `/Library/Logs` and/or `/var/log/` | > | (such as those stored in `/Library/Logs` and/or `/var/log/` | ||
| > | ).(Citation: Apple Culprit Access)(Citation: FreeDesktop Jou | > | ).(Citation: Apple Culprit Access)(Citation: FreeDesktop Jou | ||
| > | rnal)(Citation: Apple Unified Log Analysis Remote Login and | > | rnal)(Citation: Apple Unified Log Analysis Remote Login and | ||
| > | Screen Sharing) Malicious network connections may also requ | > | Screen Sharing) Malicious network connections may also requ | ||
| > | ire changes to third-party applications or network configura | > | ire changes to third-party applications or network configura | ||
| > | tion settings, such as [Disable or Modify System Firewall](h | > | tion settings, such as [Disable or Modify System Firewall](h | ||
| > | ttps://attack.mitre.org/techniques/T1562/004) or tampering t | > | ttps://attack.mitre.org/techniques/T1686) or tampering to en | ||
| > | o enable [Proxy](https://attack.mitre.org/techniques/T1090). | > | able [Proxy](https://attack.mitre.org/techniques/T1090). Adv | ||
| > | Adversaries may delete or modify this data to conceal indic | > | ersaries may delete or modify this data to conceal indicator | ||
| > | ators and/or impede defensive analysis. | > | s and/or impede defensive analysis. |
del on Windows, rm or unlink on Linux and macOS, and `rm` on ESXi.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/004",
"external_id": "T1070.004"
},
{
"source_name": "Microsoft SDelete July 2016",
"description": "Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.",
"url": "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Walker Johnson"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:28:46.342000+00:00\", \"old_value\": \"2025-10-24 17:49:27.978000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0140: Behavioral Detection of Malicious File Deletion"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-31 12:39:18.816000+00:00",
"modified": "2026-04-15 20:29:50.512000+00:00",
"name": "Network Share Connection Removal",
"description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\\\system\\share /delete command. (Citation: Technet Net Use)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/005",
"external_id": "T1070.005"
},
{
"source_name": "Technet Net Use",
"description": "Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.",
"url": "https://technet.microsoft.com/bb490717.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:29:50.512000+00:00\", \"old_value\": \"2025-10-24 17:49:11.691000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0103: Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-05-31 11:07:57.406000+00:00",
"modified": "2026-04-15 20:29:55.911000+00:00",
"name": "Relocate Malware",
"description": "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.\n\nRelocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)\n\nRelocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders. Moving payloads into target directories does not alter the Creation timestamp, thereby evading detection logic reliant on modifications to this artifact (i.e., [Timestomp](https://attack.mitre.org/techniques/T1070/006)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/010",
"external_id": "T1070.010"
},
{
"source_name": "Latrodectus APR 2024",
"description": "Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.",
"url": "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice"
},
{
"source_name": "DFIR Report Trickbot June 2023",
"description": "The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out. Retrieved May 31, 2024.",
"url": "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gregory Frey",
"Matt Anderson, @\u200cnosecurething, Huntress"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:29:55.911000+00:00\", \"old_value\": \"2025-10-05 16:08:40.119000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0439: Detection of Malware Relocation via Suspicious File Movement"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-31 12:42:44.103000+00:00",
"modified": "2026-04-15 20:30:57.770000+00:00",
"name": "Timestomp",
"description": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.\n\nIn Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)\n\nModifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)\n\nAdversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in \u201cdouble timestomping\u201d by modifying times on both attributes simultaneously.(Citation: Double Timestomping)\n\nIn Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse utilities that allow for command execu | t | 1 | Adversaries may abuse utilities that allow for command execu |
| > | tion to bypass security restrictions that limit the use of c | > | tion to bypass security restrictions that limit the use of c | ||
| > | ommand-line interpreters. Various Windows utilities may be u | > | ommand-line interpreters. Various Windows utilities may be u | ||
| > | sed to execute commands, possibly without invoking [cmd](htt | > | sed to execute commands, possibly without invoking [cmd](htt | ||
| > | ps://attack.mitre.org/software/S0106). For example, [Forfile | > | ps://attack.mitre.org/software/S0106). For example, [Forfile | ||
| > | s](https://attack.mitre.org/software/S0193), the Program Com | > | s](https://attack.mitre.org/software/S0193), the Program Com | ||
| > | patibility Assistant (`pcalua.exe`), components of the Windo | > | patibility Assistant (`pcalua.exe`), components of the Windo | ||
| > | ws Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as | > | ws Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as | ||
| > | other utilities may invoke the execution of programs and co | > | other utilities may invoke the execution of programs and co | ||
| > | mmands from a [Command and Scripting Interpreter](https://at | > | mmands from a [Command and Scripting Interpreter](https://at | ||
| > | tack.mitre.org/techniques/T1059), Run window, or via scripts | > | tack.mitre.org/techniques/T1059), Run window, or via scripts | ||
| > | .(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Fo | > | .(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Fo | ||
| > | rfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(C | > | rfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(C | ||
| > | itation: SS64)(Citation: Bleeping Computer - Scriptrunner.ex | > | itation: SS64)(Citation: Bleeping Computer - Scriptrunner.ex | ||
| > | e) Adversaries may also abuse the `ssh.exe` binary to execut | > | e) Adversaries may also abuse the `ssh.exe` binary to execut | ||
| > | e malicious commands via the `ProxyCommand` and `LocalComman | > | e malicious commands via the `ProxyCommand` and `LocalComman | ||
| > | d` options, which can be invoked via the `-o` flag or by mod | > | d` options, which can be invoked via the `-o` flag or by mod | ||
| > | ifying the SSH config file.(Citation: Threat Actor Targets t | > | ifying the SSH config file.(Citation: Threat Actor Targets t | ||
| > | he Manufacturing industry with Lumma Stealer and Amadey Bot) | > | he Manufacturing industry with Lumma Stealer and Amadey Bot) | ||
| > | Adversaries may abuse these features for [Defense Evasion] | > | Adversaries may abuse these features for [Stealth](https:/ | ||
| > | (https://attack.mitre.org/tactics/TA0005), specifically to p | > | /attack.mitre.org/tactics/TA0005), specifically to perform a | ||
| > | erform arbitrary execution while subverting detections and/o | > | rbitrary execution while subverting detections and/or mitiga | ||
| > | r mitigation controls (such as Group Policy) that limit/prev | > | tion controls (such as Group Policy) that limit/prevent the | ||
| > | ent the usage of [cmd](https://attack.mitre.org/software/S01 | > | usage of [cmd](https://attack.mitre.org/software/S0106) or f | ||
| > | 06) or file extensions more commonly associated with malicio | > | ile extensions more commonly associated with malicious paylo | ||
| > | us payloads. | > | ads. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to blend in with legitimate traffic | t | 1 | Adversaries may attempt to blend in with legitimate traffic |
| > | by spoofing browser and system attributes like operating sys | > | by spoofing browser and system attributes like operating sys | ||
| > | tem, system language, platform, user-agent string, resolutio | > | tem, system language, platform, user-agent string, resolutio | ||
| > | n, time zone, etc. The HTTP\u00a0User-Agent\u00a0request header\u00a0is a | > | n, time zone, etc. The HTTP\u00a0User-Agent\u00a0request header\u00a0is a | ||
| > | string that lets servers and network peers identify the appl | > | string that lets servers and network peers identify the appl | ||
| > | ication, operating system, vendor, and/or version of the req | > | ication, operating system, vendor, and/or version of the req | ||
| > | uesting\u00a0user agent.(Citation: Mozilla User Agent) Adversari | > | uesting\u00a0user agent.(Citation: Mozilla User Agent) Adversari | ||
| > | es may gather this information through [System Information D | > | es may gather this information through [System Information D | ||
| > | iscovery](https://attack.mitre.org/techniques/T1082) or by u | > | iscovery](https://attack.mitre.org/techniques/T1082) or by u | ||
| > | sers navigating to adversary-controlled websites, and then u | > | sers navigating to adversary-controlled websites, and then u | ||
| > | se that information to craft their web traffic to evade defe | > | se that information to craft their web traffic to evade defe | ||
| > | nses.(Citation: Gummy Browsers: Targeted Browser Spoofing ag | > | nses.(Citation: Gummy Browsers Targeted Browser Spoofing aga | ||
| > | ainst State-of-the-Art Fingerprinting Techniques) | > | inst State-of-the-Art Fingerprinting Techniques) |
File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system\u2019s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user\u2019s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/007",
"external_id": "T1036.007"
},
{
"source_name": "SOCPrime DoubleExtension",
"description": "Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021.",
"url": "https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/"
},
{
"source_name": "PCMag DoubleExtension",
"description": "PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.",
"url": "https://www.pcmag.com/encyclopedia/term/double-extension"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:33:07.592000+00:00\", \"old_value\": \"2025-10-24 17:48:25.732000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}, \"iterable_item_removed\": {\"root['external_references'][3]\": {\"source_name\": \"Seqrite DoubleExtension\", \"description\": \"Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension?. Retrieved July 27, 2021.\", \"url\": \"https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0366: Detection Strategy for Double File Extension Masquerading"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 19:49:46.752000+00:00",
"modified": "2026-04-15 20:38:13.564000+00:00",
"name": "Invalid Code Signature",
"description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/001",
"external_id": "T1036.001"
},
{
"source_name": "Threatexpress MetaTwin 2017",
"description": "Vest, J. (2017, October 9). Borrowing Microsoft MetaData and Signatures to Hide Binary Payloads. Retrieved September 10, 2019.",
"url": "https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:38:13.564000+00:00\", \"old_value\": \"2025-10-24 17:49:15.520000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1045: Code Signing"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0031: Invalid Code Signature Execution Detection via Metadata and Behavioral Context"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-08-05 21:39:16.274000+00:00",
"modified": "2026-04-17 14:21:43.719000+00:00",
"name": "Masquerade Account Name",
"description": "Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \u201cadmin\u201d, \u201chelp\u201d, or \u201croot.\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1684/001), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/010",
"external_id": "T1036.010"
},
{
"source_name": "Elastic CUBA Ransomware 2022",
"description": "Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved August 5, 2024.",
"url": "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis"
},
{
"source_name": "Invictus IR Cloud Ransomware 2024",
"description": "Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved August 5, 2024.",
"url": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"
},
{
"source_name": "Huntress MOVEit 2023",
"description": "John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.",
"url": "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response"
},
{
"source_name": "Aquasec Kubernetes Attack 2023",
"description": "Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.",
"url": "https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Menachem Goldstein"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-17 14:21:43.719000+00:00\", \"old_value\": \"2025-04-15 22:48:14.966000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\\n\\nOften, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \\u201cadmin\\u201d, \\u201chelp\\u201d, or \\u201croot.\\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \\n\\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1684/001), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. \", \"old_value\": \"Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\\n\\nOften, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \\u201cadmin\\u201d, \\u201chelp\\u201d, or \\u201croot.\\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \\n\\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. \", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \\u201cadmin\\u201d, \\u201chelp\\u201d, or \\u201croot.\\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \\n \\n-Note that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. \\n+Note that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1684/001), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. \"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may match or approximate the names of legitimate | t | 1 | Adversaries may match or approximate the names of legitimate |
| > | accounts to make newly created ones appear benign. This wil | > | accounts to make newly created ones appear benign. This wil | ||
| > | l typically occur during [Create Account](https://attack.mit | > | l typically occur during [Create Account](https://attack.mit | ||
| > | re.org/techniques/T1136), although accounts may also be rena | > | re.org/techniques/T1136), although accounts may also be rena | ||
| > | med at a later date. This may also coincide with [Account Ac | > | med at a later date. This may also coincide with [Account Ac | ||
| > | cess Removal](https://attack.mitre.org/techniques/T1531) if | > | cess Removal](https://attack.mitre.org/techniques/T1531) if | ||
| > | the actor first deletes an account before re-creating one wi | > | the actor first deletes an account before re-creating one wi | ||
| > | th the same name.(Citation: Huntress MOVEit 2023) Often, ad | > | th the same name.(Citation: Huntress MOVEit 2023) Often, ad | ||
| > | versaries will attempt to masquerade as service accounts, su | > | versaries will attempt to masquerade as service accounts, su | ||
| > | ch as those associated with legitimate software, data backup | > | ch as those associated with legitimate software, data backup | ||
| > | s, or container cluster management.(Citation: Elastic CUBA R | > | s, or container cluster management.(Citation: Elastic CUBA R | ||
| > | ansomware 2022)(Citation: Aquasec Kubernetes Attack 2023) Th | > | ansomware 2022)(Citation: Aquasec Kubernetes Attack 2023) Th | ||
| > | ey may also give accounts generic, trustworthy names, such a | > | ey may also give accounts generic, trustworthy names, such a | ||
| > | s \u201cadmin\u201d, \u201chelp\u201d, or \u201croot.\u201d(Citation: Invictus IR Cloud Ra | > | s \u201cadmin\u201d, \u201chelp\u201d, or \u201croot.\u201d(Citation: Invictus IR Cloud Ra | ||
| > | nsomware 2024) Sometimes adversaries may model account names | > | nsomware 2024) Sometimes adversaries may model account names | ||
| > | off of those already existing in the system, as a follow-on | > | off of those already existing in the system, as a follow-on | ||
| > | behavior to [Account Discovery](https://attack.mitre.org/te | > | behavior to [Account Discovery](https://attack.mitre.org/te | ||
| > | chniques/T1087). Note that this is distinct from [Imperso | > | chniques/T1087). Note that this is distinct from [Imperso | ||
| > | nation](https://attack.mitre.org/techniques/T1656), which de | > | nation](https://attack.mitre.org/techniques/T1684/001), whic | ||
| > | scribes impersonating specific trusted individuals or organi | > | h describes impersonating specific trusted individuals or or | ||
| > | zations, rather than user or service account names. | > | ganizations, rather than user or service account names. |
0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`. \n\nAdversaries may edit the header\u2019s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. \n\nCommon non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.\n\nPolyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/008",
"external_id": "T1036.008"
},
{
"source_name": "polygot_icedID",
"description": "Lim, M. (2022, September 27). More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.",
"url": "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ben Smith",
"CrowdStrike Falcon OverWatch"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:39:13.971000+00:00\", \"old_value\": \"2025-10-08 17:44:11.183000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention",
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0226: Detection Strategy for Masquerading via File Type Modification"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 20:30:07.426000+00:00",
"modified": "2026-04-15 20:39:39.311000+00:00",
"name": "Masquerade Task or Service",
"description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/004",
"external_id": "T1036.004"
},
{
"source_name": "Fysbis Dr Web Analysis",
"description": "Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.",
"url": "https://vms.drweb.com/virus/?i=4276269"
},
{
"source_name": "Palo Alto Shamoon Nov 2016",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
"url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
},
{
"source_name": "Systemd Service Units",
"description": "Freedesktop.org. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 16, 2020.",
"url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
},
{
"source_name": "TechNet Schtasks",
"description": "Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.",
"url": "https://technet.microsoft.com/en-us/library/bb490996.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:39:39.311000+00:00\", \"old_value\": \"2025-10-24 17:49:00.215000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0117: Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 20:43:10.239000+00:00",
"modified": "2026-04-15 20:39:41.881000+00:00",
"name": "Match Legitimate Resource Name or Location",
"description": "Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. \n\nThis may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/005",
"external_id": "T1036.005"
},
{
"source_name": "Aquasec Kubernetes Backdoor 2023",
"description": "Michael Katchinskiy and Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved March 24, 2025.",
"url": "https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Vishwas Manral, McAfee",
"Yossi Weizman, Azure Defender Research Team"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:39:41.881000+00:00\", \"old_value\": \"2025-10-24 17:48:28.950000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.0\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Twitter ItsReallyNick Masquerading Update\", \"description\": \"Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.\", \"url\": \"https://x.com/ItsReallyNick/status/1055321652777619457\"}, \"root['external_references'][2]\": {\"source_name\": \"Docker Images\", \"description\": \"Docker. (n.d.). Docker Images. Retrieved April 6, 2021.\", \"url\": \"https://docs.docker.com/engine/reference/commandline/images/\"}, \"root['external_references'][3]\": {\"source_name\": \"Elastic Masquerade Ball\", \"description\": \"Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.\", \"url\": \"https://www.elastic.co/blog/how-hunt-masquerade-ball\"}}}",
"previous_version": "2.0",
"version_change": "2.0 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1038: Execution Prevention",
"M1045: Code Signing"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0347: Detection Strategy for Masquerading via Legitimate Resource Name or Location"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--514dc7b3-0b80-4382-80a9-2e2d294f5019",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-27 20:37:52.269000+00:00",
"modified": "2026-04-15 20:40:03.475000+00:00",
"name": "Overwrite Process Arguments",
"description": "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process\u2019s stack and passes them to the `main()` function as the `argv` array. The first element, `argv[0]`, typically contains the process name or path - by default, the command used to actually start the process (e.g., `cat /etc/passwd`). By default, the Linux `/proc` filesystem uses this value to represent the process name. The `/proc/rundll32.exe).(Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.(Citation: F-Secure CozyDuke)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/003",
"external_id": "T1036.003"
},
{
"source_name": "Elastic Masquerade Ball",
"description": "Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.",
"url": "https://www.elastic.co/blog/how-hunt-masquerade-ball"
},
{
"source_name": "F-Secure CozyDuke",
"description": "F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.",
"url": "https://www.f-secure.com/documents/996508/1030745/CozyDuke"
},
{
"source_name": "LOLBAS Main Site",
"description": "LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.",
"url": "https://lolbas-project.github.io/"
},
{
"source_name": "Huntress Python Malware 2025",
"description": "Matthew Brennan. (2024, July 5). Snakes on a Domain: An Analysis of a Python Malware Loader. Retrieved April 3, 2025.",
"url": "https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader"
},
{
"source_name": "Splunk Detect Renamed PSExec",
"description": "Splunk. (2025, February 24). Detection: Detect Renamed PSExec. Retrieved April 3, 2025.",
"url": "https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/"
},
{
"source_name": "The DFIR Report AutoHotKey 2023",
"description": "The DFIR Report. (2023, February 6). Collect, Exfiltrate, Sleep, Repeat. Retrieved April 3, 2025.",
"url": "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Matt Anderson, @\u200cnosecurething, Huntress"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:40:54.471000+00:00\", \"old_value\": \"2025-10-24 17:49:18.517000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.0\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Twitter ItsReallyNick Masquerading Update\", \"description\": \"Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.\", \"url\": \"https://x.com/ItsReallyNick/status/1055321652777619457\"}}}",
"previous_version": "2.0",
"version_change": "2.0 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0005: Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 19:55:29.385000+00:00",
"modified": "2026-04-15 20:41:03.753000+00:00",
"name": "Right-to-Left Override",
"description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\n\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/002",
"external_id": "T1036.002"
},
{
"source_name": "Trend Micro PLEAD RTLO",
"description": "Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/"
},
{
"source_name": "Kaspersky RTLO Cyber Crime",
"description": "Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019.",
"url": "https://securelist.com/zero-day-vulnerability-in-telegram/83800/"
},
{
"source_name": "Infosecinstitute RTLO Technique",
"description": "Security Ninja. (2015, April 16). Spoof Using Right to Left Override (RTLO) Technique. Retrieved April 22, 2019.",
"url": "https://web.archive.org/web/20151102094333/https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:41:03.753000+00:00\", \"old_value\": \"2025-10-24 17:48:58.683000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://web.archive.org/web/20151102094333/https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/\", \"old_value\": \"https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0527: Right-to-Left Override Masquerading Detection via Filename and Execution Context"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 20:47:10.082000+00:00",
"modified": "2026-04-15 20:41:09.462000+00:00",
"name": "Space after Filename",
"description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/006",
"external_id": "T1036.006"
},
{
"source_name": "Mac Backdoors are back",
"description": "Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.",
"url": "https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Erye Hernandez, Palo Alto Networks"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:41:09.462000+00:00\", \"old_value\": \"2025-10-24 17:49:32.287000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0292: Masquerading via Space After Filename - Behavioral Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:01:56.887000+00:00",
"modified": "2026-04-16 20:07:52.977000+00:00",
"name": "Modify Authentication Process",
"description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556",
"external_id": "T1556"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Chris Ross @xorrior"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.977000+00:00\", \"old_value\": \"2025-10-24 17:49:36.944000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.6\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Clymb3r Function Hook Passwords Sept 2013\", \"description\": \"Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.\", \"url\": \"https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/\"}, \"root['external_references'][2]\": {\"source_name\": \"Xorrior Authorization Plugins\", \"description\": \"Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021.\", \"url\": \"https://xorrior.com/persistent-credential-theft/\"}, \"root['external_references'][3]\": {\"source_name\": \"Dell Skeleton\", \"description\": \"Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.\", \"url\": \"https://www.secureworks.com/research/skeleton-key-malware-analysis\"}, \"root['external_references'][4]\": {\"source_name\": \"dump_pwd_dcsync\", \"description\": \"Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.\", \"url\": \"https://adsecurity.org/?p=2053\"}, \"root['external_references'][5]\": {\"source_name\": \"TechNet Audit Policy\", \"description\": \"Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.\", \"url\": \"https://technet.microsoft.com/en-us/library/dn487457.aspx\"}}}",
"previous_version": "2.6",
"version_change": "2.6 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1024: Restrict Registry Permissions",
"M1025: Privileged Process Integrity",
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1028: Operating System Configuration",
"M1032: Multi-factor Authentication",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0104: Detect Modification of Authentication Processes Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-01-02 13:43:37.389000+00:00",
"modified": "2026-04-16 20:07:53.111000+00:00",
"name": "Conditional Access Policies",
"description": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required. \n\nBy modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/009",
"external_id": "T1556.009"
},
{
"source_name": "AWS IAM Conditions",
"description": "AWS. (n.d.). IAM JSON policy elements: Condition. Retrieved January 2, 2024.",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html"
},
{
"source_name": "GCP IAM Conditions",
"description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.",
"url": "https://cloud.google.com/iam/docs/conditions-overview"
},
{
"source_name": "JumpCloud Conditional Access Policies",
"description": "JumpCloud. (n.d.). Get Started: Conditional Access Policies. Retrieved January 2, 2024.",
"url": "https://jumpcloud.com/support/get-started-conditional-access-policies"
},
{
"source_name": "Microsoft Conditional Access",
"description": "Microsoft. (2023, November 15). What is Conditional Access?. Retrieved January 2, 2024.",
"url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"
},
{
"source_name": "Okta Conditional Access Policies",
"description": "Okta. (2023, November 30). Conditional Access Based on Device Security Posture. Retrieved January 2, 2024.",
"url": "https://support.okta.com/help/s/article/Conditional-access-based-on-device-security-posture?language=en_US"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gavin Knapp",
"Joshua Penny"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.111000+00:00\", \"old_value\": \"2025-04-15 22:09:03.621000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0030: Detect Conditional Access Policy Modification in Identity and Cloud Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:05:02.399000+00:00",
"modified": "2026-04-16 20:07:53.091000+00:00",
"name": "Domain Controller Authentication",
"description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/001",
"external_id": "T1556.001"
},
{
"source_name": "Dell Skeleton",
"description": "Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.",
"url": "https://www.secureworks.com/research/skeleton-key-malware-analysis"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.091000+00:00\", \"old_value\": \"2025-10-24 17:49:27.324000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][2]\": {\"source_name\": \"TechNet Audit Policy\", \"description\": \"Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.\", \"url\": \"https://technet.microsoft.com/en-us/library/dn487457.aspx\"}}}",
"previous_version": "2.1",
"version_change": "2.1 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1025: Privileged Process Integrity",
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0271: Detect Domain Controller Authentication Process Modification (Skeleton Key)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-09-28 13:29:53.354000+00:00",
"modified": "2026-04-16 20:07:52.922000+00:00",
"name": "Hybrid Identity",
"description": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. \n\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud \n* Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory \n* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID \n\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users\u2019 identity and privileges. \n\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/007",
"external_id": "T1556.007"
},
{
"source_name": "Azure AD Connect for Read Teamers",
"description": "Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers. Retrieved September 28, 2022.",
"url": "https://blog.xpnsec.com/azuread-connect-for-redteam/"
},
{
"source_name": "AADInternals Azure AD On-Prem to Cloud",
"description": "Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.",
"url": "https://o365blog.com/post/on-prem_admin/"
},
{
"source_name": "MagicWeb",
"description": "Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM\u2019s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.",
"url": "https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/"
},
{
"source_name": "Azure AD Hybrid Identity",
"description": "Microsoft. (2022, August 26). Choose the right authentication method for your Azure Active Directory hybrid identity solution. Retrieved September 28, 2022.",
"url": "https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn"
},
{
"source_name": "Mandiant Azure AD Backdoors",
"description": "Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.",
"url": "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.922000+00:00\", \"old_value\": \"2025-04-15 22:40:10.913000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0293: Detect Hybrid Identity Authentication Process Modification"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b4409cd8-0da9-46e1-a401-a241afd4d1cc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-05-31 19:31:38.431000+00:00",
"modified": "2026-04-16 20:07:52.875000+00:00",
"name": "Multi-Factor Authentication",
"description": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions)\n\nFor example, modifying the Windows hosts file (`C:\\windows\\system32\\drivers\\etc\\hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a \"fail open\" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) \n\nDepending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/006",
"external_id": "T1556.006"
},
{
"source_name": "Russians Exploit Default MFA Protocol - CISA March 2022",
"description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability. Retrieved May 31, 2022.",
"url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
},
{
"source_name": "Mandiant APT42",
"description": "Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.",
"url": "https://www.mandiant.com/media/17826"
},
{
"source_name": "Azure AD Conditional Access Exclusions",
"description": "Microsoft. (2022, August 26). Use Azure AD access reviews to manage users excluded from Conditional Access policies. Retrieved August 30, 2022.",
"url": "https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arun Seelagan, CISA",
"Liran Ravich, CardinalOps",
"Muhammad Moiz Arshad, @5T34L7H"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.875000+00:00\", \"old_value\": \"2025-04-15 19:58:59.338000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}}",
"previous_version": "1.4",
"version_change": "1.4 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1032: Multi-factor Authentication",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0190: Detect MFA Modification or Disabling Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-19 17:58:04.155000+00:00",
"modified": "2026-04-16 20:07:53.117000+00:00",
"name": "Network Device Authentication",
"description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: Mandiant - Synful Knock)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/004",
"external_id": "T1556.004"
},
{
"source_name": "Mandiant - Synful Knock",
"description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.117000+00:00\", \"old_value\": \"2025-10-24 17:49:38.719000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][2]\": {\"source_name\": \"Cisco IOS Software Integrity Assurance - Image File Verification\", \"description\": \"Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.\", \"url\": \"https://tools.cisco.com/security/center/resources/integrity_assurance.html#7\"}, \"root['external_references'][3]\": {\"source_name\": \"Cisco IOS Software Integrity Assurance - Run-Time Memory Verification\", \"description\": \"Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.\", \"url\": \"https://tools.cisco.com/security/center/resources/integrity_assurance.html#13\"}}}",
"previous_version": "2.1",
"version_change": "2.1 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0272: Detect Modification of Network Device Authentication via Patched System Images"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--90c4a591-d02d-490b-92aa-619d9701ac04",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-03-30 22:45:00.431000+00:00",
"modified": "2026-04-16 20:07:53.025000+00:00",
"name": "Network Provider DLL",
"description": "Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify) \n\nAdversaries can configure a malicious network provider DLL to receive credentials from `mpnotify.exe`.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the `NPLogonNotify()` function.(Citation: NPLogonNotify)\n\nAdversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/008",
"external_id": "T1556.008"
},
{
"source_name": "NPPSPY - Huntress",
"description": " Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved March 30, 2023.",
"url": "https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy"
},
{
"source_name": "NPPSPY Video",
"description": "Grzegorz Tworek. (2021, December 14). How winlogon.exe shares the cleartext password with custom DLLs. Retrieved March 30, 2023.",
"url": "https://www.youtube.com/watch?v=ggY3srD9dYs"
},
{
"source_name": "NPPSPY",
"description": "Grzegorz Tworek. (2021, December 15). NPPSpy. Retrieved March 30, 2023.",
"url": "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy"
},
{
"source_name": "Network Provider API",
"description": "Microsoft. (2021, January 7). Network Provider API. Retrieved March 30, 2023.",
"url": "https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api"
},
{
"source_name": "NPLogonNotify",
"description": "Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). Retrieved March 30, 2023.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"CrowdStrike Falcon OverWatch",
"Jai Minton"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.025000+00:00\", \"old_value\": \"2025-04-15 22:51:56.379000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1024: Restrict Registry Permissions",
"M1028: Operating System Configuration",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0580: Detect Network Provider DLL Registration and Credential Capture"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:05:45.829000+00:00",
"modified": "2026-04-16 20:07:53.031000+00:00",
"name": "Password Filter DLL",
"description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \n\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \n\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/002",
"external_id": "T1556.002"
},
{
"source_name": "Carnal Ownage Password Filters Sept 2013",
"description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.",
"url": "http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Vincent Le Toux"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.031000+00:00\", \"old_value\": \"2025-10-24 17:48:39.067000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Clymb3r Function Hook Passwords Sept 2013\", \"description\": \"Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.\", \"url\": \"https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/\"}}}",
"previous_version": "2.1",
"version_change": "2.1 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0472: Detect Malicious Password Filter DLL Registration"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-26 04:01:09.648000+00:00",
"modified": "2026-04-16 20:07:53.037000+00:00",
"name": "Pluggable Authentication Modules",
"description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/003",
"external_id": "T1556.003"
},
{
"source_name": "Apple PAM",
"description": "Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020.",
"url": "https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt"
},
{
"source_name": "Man Pam_Unix",
"description": "die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020.",
"url": "https://linux.die.net/man/8/pam_unix"
},
{
"source_name": "PAM Creds",
"description": "Fern\u00e1ndez, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/"
},
{
"source_name": "Red Hat PAM",
"description": "Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020.",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules"
},
{
"source_name": "PAM Backdoor",
"description": "zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020.",
"url": "https://github.com/zephrax/linux-pam-backdoor"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"George Allen, VMware Carbon Black",
"Scott Knight, @sdotknight, VMware Carbon Black"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.037000+00:00\", \"old_value\": \"2025-10-24 17:48:21.118000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}}",
"previous_version": "2.1",
"version_change": "2.1 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0454: Detect Malicious Modification of Pluggable Authentication Modules (PAM)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-01-13 20:02:28.349000+00:00",
"modified": "2026-04-16 20:07:53.082000+00:00",
"name": "Reversible Encryption",
"description": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)\n\nIf the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:\n\n1. Encrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters\n2. 16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters\n3. Global LSA secret (G$MSRADIUSCHAPKEY)\n4. Static key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)\n\nWith this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.(Citation: how_pwd_rev_enc_1)(Citation: how_pwd_rev_enc_2)\n\nAn adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory [PowerShell](https://attack.mitre.org/techniques/T1059/001) module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to \"Windows Server 2008\" or higher.(Citation: dump_pwd_dcsync) In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/005",
"external_id": "T1556.005"
},
{
"source_name": "dump_pwd_dcsync",
"description": "Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.",
"url": "https://adsecurity.org/?p=2053"
},
{
"source_name": "store_pwd_rev_enc",
"description": "Microsoft. (2021, October 28). Store passwords using reversible encryption. Retrieved January 3, 2022.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption"
},
{
"source_name": "how_pwd_rev_enc_1",
"description": "Teusink, N. (2009, August 25). Passwords stored using reversible encryption: how it works (part 1). Retrieved November 17, 2021.",
"url": "http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html"
},
{
"source_name": "how_pwd_rev_enc_2",
"description": "Teusink, N. (2009, August 26). Passwords stored using reversible encryption: how it works (part 2). Retrieved November 17, 2021.",
"url": "http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.082000+00:00\", \"old_value\": \"2025-10-24 17:49:27.587000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1027: Password Policies"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0589: Detect Modification of Authentication Process via Reversible Encryption"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-08-30 18:03:05.864000+00:00",
"modified": "2026-04-16 20:07:52.919000+00:00",
"name": "Modify Cloud Compute Infrastructure",
"description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578",
"external_id": "T1578"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.919000+00:00\", \"old_value\": \"2025-10-24 17:48:26.284000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0308: Detection Strategy for Modify Cloud Compute Infrastructure"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-05-14 14:45:15.978000+00:00",
"modified": "2026-04-16 20:07:52.862000+00:00",
"name": "Create Cloud Instance",
"description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/002",
"external_id": "T1578.002"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arun Seelagan, CISA"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.862000+00:00\", \"old_value\": \"2025-10-24 17:49:24.804000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"AWS CloudTrail Search\", \"description\": \"Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.\", \"url\": \"https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/\"}, \"root['external_references'][2]\": {\"source_name\": \"Cloud Audit Logs\", \"description\": \"Google. (n.d.). Audit Logs. Retrieved June 1, 2020.\", \"url\": \"https://cloud.google.com/logging/docs/audit#admin-activity\"}, \"root['external_references'][4]\": {\"source_name\": \"Azure Activity Logs\", \"description\": \"Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0449: Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-09 15:33:13.563000+00:00",
"modified": "2026-04-16 20:07:52.934000+00:00",
"name": "Create Snapshot",
"description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/001",
"external_id": "T1578.001"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.934000+00:00\", \"old_value\": \"2025-10-24 17:49:34.416000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"AWS Cloud Trail Backup API\", \"description\": \"Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail. Retrieved April 27, 2020.\", \"url\": \"https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\"}, \"root['external_references'][2]\": {\"source_name\": \"GCP - Creating and Starting a VM\", \"description\": \"Google. (2020, April 23). Creating and Starting a VM instance. Retrieved May 1, 2020.\", \"url\": \"https://cloud.google.com/compute/docs/instances/create-start-instance#api_2\"}, \"root['external_references'][3]\": {\"source_name\": \"Cloud Audit Logs\", \"description\": \"Google. (n.d.). Audit Logs. Retrieved June 1, 2020.\", \"url\": \"https://cloud.google.com/logging/docs/audit#admin-activity\"}, \"root['external_references'][5]\": {\"source_name\": \"Azure - Monitor Logs\", \"description\": \"Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor. Retrieved May 1, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0423: Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-16 17:23:06.508000+00:00",
"modified": "2026-04-16 20:07:52.915000+00:00",
"name": "Delete Cloud Instance",
"description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/003",
"external_id": "T1578.003"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arun Seelagan, CISA"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.915000+00:00\", \"old_value\": \"2025-10-24 17:48:56.705000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"AWS CloudTrail Search\", \"description\": \"Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.\", \"url\": \"https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/\"}, \"root['external_references'][2]\": {\"source_name\": \"Cloud Audit Logs\", \"description\": \"Google. (n.d.). Audit Logs. Retrieved June 1, 2020.\", \"url\": \"https://cloud.google.com/logging/docs/audit#admin-activity\"}, \"root['external_references'][4]\": {\"source_name\": \"Azure Activity Logs\", \"description\": \"Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0084: Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ca00366b-83a1-4c7b-a0ce-8ff950a7c87f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-09-05 14:19:17.486000+00:00",
"modified": "2026-04-16 20:07:53.098000+00:00",
"name": "Modify Cloud Compute Configurations",
"description": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim\u2019s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.\n\nFor example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim\u2019s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/005",
"external_id": "T1578.005"
},
{
"source_name": "Microsoft Cryptojacking 2023",
"description": "Microsoft Threat Intelligence. (2023, July 25). Cryptojacking: Understanding and defending against cloud compute resource abuse. Retrieved September 5, 2023.",
"url": "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/"
},
{
"source_name": "Microsoft Azure Policy",
"description": "Microsoft. (2023, August 30). Azure Policy built-in policy definitions. Retrieved September 5, 2023.",
"url": "https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Amir Gharib, Microsoft Threat Intelligence",
"Blake Strom, Microsoft Threat Intelligence"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.098000+00:00\", \"old_value\": \"2025-04-15 22:49:17.012000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.0\"}}}",
"previous_version": "2.0",
"version_change": "2.0 \u2192 3.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0492: Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-16 18:42:20.734000+00:00",
"modified": "2026-04-16 20:07:52.953000+00:00",
"name": "Revert Cloud Instance",
"description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/004",
"external_id": "T1578.004"
},
{
"source_name": "Google - Restore Cloud Snapshot",
"description": "Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019.",
"url": "https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots"
},
{
"source_name": "Tech Republic - Restore AWS Snapshots",
"description": "Hardiman, N.. (2012, March 20). Backing up and restoring snapshots on Amazon EC2 machines. Retrieved October 8, 2019.",
"url": "https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Netskope"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.953000+00:00\", \"old_value\": \"2025-10-24 17:48:21.210000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0337: Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-09-25 14:16:19.234000+00:00",
"modified": "2026-04-16 20:07:52.999000+00:00",
"name": "Modify Cloud Resource Hierarchy",
"description": "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \n\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1666",
"external_id": "T1666"
},
{
"source_name": "AWS re Inforce Trust Mod",
"description": "AWS re Inforce. (2024, June). Retrieved April 15, 2026.",
"url": "https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
},
{
"source_name": "AWS Organizations",
"description": "AWS. (n.d.). Terminology and concepts for AWS Organizations. Retrieved September 25, 2024.",
"url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html"
},
{
"source_name": "Microsoft Subscription Hijacking 2022",
"description": "Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.",
"url": "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121"
},
{
"source_name": "Microsoft Azure Resources",
"description": "Microsoft Azure. (2024, May 31). Organize your Azure resources effectively. Retrieved September 25, 2024.",
"url": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources"
},
{
"source_name": "Microsoft Peach Sandstorm 2023",
"description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.",
"url": "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.999000+00:00\", \"old_value\": \"2025-04-15 22:49:45.874000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \\n\\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\\n\\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\\n\\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod)\", \"old_value\": \"Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \\n\\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\\n\\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\\n\\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)\", \"diff\": \"--- \\n+++ \\n@@ -4,4 +4,4 @@\\n \\n Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\\n \\n-In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)\\n+In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod)\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"AWS re Inforce Trust Mod\", \"old_value\": \"AWS RE:Inforce Threat Detection 2024\", \"new_path\": \"root['external_references'][1]['source_name']\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"AWS re Inforce. (2024, June). Retrieved April 15, 2026.\", \"old_value\": \"Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.\", \"new_path\": \"root['external_references'][1]['description']\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf\", \"old_value\": \"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf\", \"new_path\": \"root['external_references'][1]['url']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to modify hierarchical structures in | t | 1 | Adversaries may attempt to modify hierarchical structures in |
| > | infrastructure-as-a-service (IaaS) environments in order to | > | infrastructure-as-a-service (IaaS) environments in order to | ||
| > | evade defenses. IaaS environments often group resources | > | evade defenses. IaaS environments often group resources | ||
| > | into a hierarchy, enabling improved resource management and | > | into a hierarchy, enabling improved resource management and | ||
| > | application of policies to relevant groups. Hierarchical str | > | application of policies to relevant groups. Hierarchical str | ||
| > | uctures differ among cloud providers. For example, in AWS en | > | uctures differ among cloud providers. For example, in AWS en | ||
| > | vironments, multiple accounts can be grouped under a single | > | vironments, multiple accounts can be grouped under a single | ||
| > | organization, while in Azure environments, multiple subscrip | > | organization, while in Azure environments, multiple subscrip | ||
| > | tions can be grouped under a single management group.(Citati | > | tions can be grouped under a single management group.(Citati | ||
| > | on: AWS Organizations)(Citation: Microsoft Azure Resources) | > | on: AWS Organizations)(Citation: Microsoft Azure Resources) | ||
| > | Adversaries may add, delete, or otherwise modify resource g | > | Adversaries may add, delete, or otherwise modify resource g | ||
| > | roups within an IaaS hierarchy. For example, in Azure enviro | > | roups within an IaaS hierarchy. For example, in Azure enviro | ||
| > | nments, an adversary who has gained access to a Global Admin | > | nments, an adversary who has gained access to a Global Admin | ||
| > | istrator account may create new subscriptions in which to de | > | istrator account may create new subscriptions in which to de | ||
| > | ploy resources. They may also engage in subscription hijacki | > | ploy resources. They may also engage in subscription hijacki | ||
| > | ng by transferring an existing pay-as-you-go subscription fr | > | ng by transferring an existing pay-as-you-go subscription fr | ||
| > | om a victim tenant to an adversary-controlled tenant. This w | > | om a victim tenant to an adversary-controlled tenant. This w | ||
| > | ill allow the adversary to use the victim\u2019s compute resource | > | ill allow the adversary to use the victim\u2019s compute resource | ||
| > | s without generating logs on the victim tenant.(Citation: Mi | > | s without generating logs on the victim tenant.(Citation: Mi | ||
| > | crosoft Peach Sandstorm 2023)(Citation: Microsoft Subscripti | > | crosoft Peach Sandstorm 2023)(Citation: Microsoft Subscripti | ||
| > | on Hijacking 2022) In AWS environments, adversaries with ap | > | on Hijacking 2022) In AWS environments, adversaries with ap | ||
| > | propriate permissions in a given account may call the `Leave | > | propriate permissions in a given account may call the `Leave | ||
| > | Organization` API, causing the account to be severed from th | > | Organization` API, causing the account to be severed from th | ||
| > | e AWS Organization to which it was tied and removing any Ser | > | e AWS Organization to which it was tied and removing any Ser | ||
| > | vice Control Policies, guardrails, or restrictions imposed u | > | vice Control Policies, guardrails, or restrictions imposed u | ||
| > | pon it by its former Organization. Alternatively, adversarie | > | pon it by its former Organization. Alternatively, adversarie | ||
| > | s may call the `CreateAccount` API in order to create a new | > | s may call the `CreateAccount` API in order to create a new | ||
| > | account within an AWS Organization. This account will use th | > | account within an AWS Organization. This account will use th | ||
| > | e same payment methods registered to the payment account but | > | e same payment methods registered to the payment account but | ||
| > | may not be subject to existing detections or Service Contro | > | may not be subject to existing detections or Service Contro | ||
| > | l Policies.(Citation: AWS RE:Inforce Threat Detection 2024) | > | l Policies.(Citation: AWS re Inforce Trust Mod) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may interact with the Windows Registry as part o | t | 1 | Adversaries may interact with the Windows Registry as part o |
| > | f a variety of other techniques to aid in defense evasion, p | > | f a variety of other techniques to aid in defense evasion, p | ||
| > | ersistence, and execution. Access to specific areas of the | > | ersistence, and execution. Access to specific areas of the | ||
| > | Registry depends on account permissions, with some keys requ | > | Registry depends on account permissions, with some keys requ | ||
| > | iring administrator-level access. The built-in Windows comma | > | iring administrator-level access. The built-in Windows comma | ||
| > | nd-line utility [Reg](https://attack.mitre.org/software/S007 | > | nd-line utility [Reg](https://attack.mitre.org/software/S007 | ||
| > | 5) may be used for local or remote Registry modification.(Ci | > | 5) may be used for local or remote Registry modification.(Ci | ||
| > | tation: Microsoft Reg) Other tools, such as remote access to | > | tation: Microsoft Reg) Other tools, such as remote access to | ||
| > | ols, may also contain functionality to interact with the Reg | > | ols, may also contain functionality to interact with the Reg | ||
| > | istry through the Windows API. The Registry may be modified | > | istry through the Windows API. The Registry may be modified | ||
| > | in order to hide configuration information or malicious pay | > | in order to hide configuration information or malicious pay | ||
| > | loads via [Obfuscated Files or Information](https://attack.m | > | loads via [Obfuscated Files or Information](https://attack.m | ||
| > | itre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2 | > | itre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2 | ||
| > | 019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft | > | 019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft | ||
| > | BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra | > | BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra | ||
| > | 2018) The Registry may also be modified to [Impair Defenses | > | 2018) The Registry may also be modified to impair defenses, | ||
| > | ](https://attack.mitre.org/techniques/T1562), such as by ena | > | such as by enabling macros for all Microsoft Office product | ||
| > | bling macros for all Microsoft Office products, allowing pri | > | s, allowing privilege escalation without alerting the user, | ||
| > | vilege escalation without alerting the user, increasing the | > | increasing the maximum number of allowed outbound requests, | ||
| > | maximum number of allowed outbound requests, and/or modifyin | > | and/or modifying systems to store plaintext credentials in m | ||
| > | g systems to store plaintext credentials in memory.(Citation | > | emory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabySha | ||
| > | : CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019) T | > | rk Feb 2019) The Registry of a remote system may be modifie | ||
| > | he Registry of a remote system may be modified to aid in exe | > | d to aid in execution of files as part of lateral movement. | ||
| > | cution of files as part of lateral movement. It requires the | > | It requires the remote Registry service to be running on the | ||
| > | remote Registry service to be running on the target system. | > | target system.(Citation: Microsoft Remote) Often [Valid Acc | ||
| > | (Citation: Microsoft Remote) Often [Valid Accounts](https:// | > | ounts](https://attack.mitre.org/techniques/T1078) are requir | ||
| > | attack.mitre.org/techniques/T1078) are required, along with | > | ed, along with access to the remote system's [SMB/Windows Ad | ||
| > | access to the remote system's [SMB/Windows Admin Shares](htt | > | min Shares](https://attack.mitre.org/techniques/T1021/002) f | ||
| > | ps://attack.mitre.org/techniques/T1021/002) for RPC communic | > | or RPC communication. Finally, Registry modifications may a | ||
| > | ation. Finally, Registry modifications may also include act | > | lso include actions to hide keys, such as prepending key nam | ||
| > | ions to hide keys, such as prepending key names with a null | > | es with a null character, which will cause an error and/or b | ||
| > | character, which will cause an error and/or be ignored when | > | e ignored when read via [Reg](https://attack.mitre.org/softw | ||
| > | read via [Reg](https://attack.mitre.org/software/S0075) or o | > | are/S0075) or other utilities using the Win32 API.(Citation: | ||
| > | ther utilities using the Win32 API.(Citation: Microsoft Regh | > | Microsoft Reghide NOV 2006) Adversaries may abuse these pse | ||
| > | ide NOV 2006) Adversaries may abuse these pseudo-hidden keys | > | udo-hidden keys to conceal payloads/commands used to maintai | ||
| > | to conceal payloads/commands used to maintain persistence.( | > | n persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citat | ||
| > | Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps | > | ion: SpectorOps Hiding Reg Jul 2017) | ||
| > | Hiding Reg Jul 2017) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to make an executable or file diffic | t | 1 | Adversaries may attempt to make an executable or file diffic |
| > | ult to discover or analyze by encrypting, encoding, or other | > | ult to discover or analyze by encrypting, encoding, or other | ||
| > | wise obfuscating its contents on the system or in transit. T | > | wise obfuscating its contents on the system or in transit. T | ||
| > | his is common behavior that can be used across different pla | > | his is common behavior that can be used across different pla | ||
| > | tforms and the network to evade defenses. Payloads may be | > | tforms and the network to evade defenses. Payloads may be | ||
| > | compressed, archived, or encrypted in order to avoid detecti | > | compressed, archived, or encrypted in order to avoid detecti | ||
| > | on. These payloads may be used during Initial Access or late | > | on. These payloads may be used during Initial Access or late | ||
| > | r to mitigate detection. Sometimes a user's action may be re | > | r to mitigate detection. Sometimes a user's action may be re | ||
| > | quired to open and [Deobfuscate/Decode Files or Information] | > | quired to open and [Deobfuscate/Decode Files or Information] | ||
| > | (https://attack.mitre.org/techniques/T1140) for [User Execut | > | (https://attack.mitre.org/techniques/T1140) for [User Execut | ||
| > | ion](https://attack.mitre.org/techniques/T1204). The user ma | > | ion](https://attack.mitre.org/techniques/T1204). The user ma | ||
| > | y also be required to input a password to open a password pr | > | y also be required to input a password to open a password pr | ||
| > | otected compressed/encrypted file that was provided by the a | > | otected compressed/encrypted file that was provided by the a | ||
| > | dversary. (Citation: Volexity PowerDuke November 2016) Adver | > | dversary.(Citation: Volexity PowerDuke November 2016) Advers | ||
| > | saries may also use compressed or archived scripts, such as | > | aries may also use compressed or archived scripts, such as J | ||
| > | JavaScript. Portions of files can also be encoded to hide | > | avaScript. Portions of files can also be encoded to hide t | ||
| > | the plain-text strings that would otherwise help defenders w | > | he plain-text strings that would otherwise help defenders wi | ||
| > | ith discovery. (Citation: Linux/Cdorked.A We Live Security A | > | th discovery.(Citation: Linux/Cdorked.A We Live Security Ana | ||
| > | nalysis) Payloads may also be split into separate, seemingly | > | lysis) Payloads may also be split into separate, seemingly b | ||
| > | benign files that only reveal malicious functionality when | > | enign files that only reveal malicious functionality when re | ||
| > | reassembled. (Citation: Carbon Black Obfuscation Sept 2016) | > | assembled.(Citation: Carbon Black Obfuscation Sept 2016) Ad | ||
| > | Adversaries may also abuse [Command Obfuscation](https://at | > | versaries may also abuse [Command Obfuscation](https://attac | ||
| > | tack.mitre.org/techniques/T1027/010) to obscure commands exe | > | k.mitre.org/techniques/T1027/010) to obscure commands execut | ||
| > | cuted from payloads or directly via [Command and Scripting I | > | ed from payloads or directly via [Command and Scripting Inte | ||
| > | nterpreter](https://attack.mitre.org/techniques/T1059). Envi | > | rpreter](https://attack.mitre.org/techniques/T1059). Environ | ||
| > | ronment variables, aliases, characters, and other platform/l | > | ment variables, aliases, characters, and other platform/lang | ||
| > | anguage specific semantics can be used to evade signature ba | > | uage specific semantics can be used to evade signature based | ||
| > | sed detections and application control mechanisms. (Citation | > | detections and application control mechanisms.(Citation: Fi | ||
| > | : FireEye Obfuscation June 2017) (Citation: FireEye Revoke-O | > | reEye Obfuscation June 2017)(Citation: FireEye Revoke-Obfusc | ||
| > | bfuscation July 2017)(Citation: PaloAlto EncodedCommand Marc | > | ation July 2017)(Citation: PaloAlto EncodedCommand March 201 | ||
| > | h 2017) | > | 7) |
Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/010",
"external_id": "T1027.010"
},
{
"source_name": "Twitter Richard WMIC",
"description": "Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12, 2024.",
"url": "https://x.com/rfackroyd/status/1639136000755765254"
},
{
"source_name": "Invoke-Obfuscation",
"description": "Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved March 17, 2023.",
"url": "https://github.com/danielbohannon/Invoke-Obfuscation"
},
{
"source_name": "Invoke-DOSfuscation",
"description": "Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023.",
"url": "https://github.com/danielbohannon/Invoke-DOSfuscation"
},
{
"source_name": "FireEye Obfuscation June 2017",
"description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.",
"url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html"
},
{
"source_name": "Malware Monday VBE",
"description": "Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023.",
"url": "https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16"
},
{
"source_name": "Akamai JS",
"description": "Katz, O. (2020, October 26). Catch Me if You Can\u2014JavaScript Obfuscation. Retrieved March 17, 2023.",
"url": "https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation"
},
{
"source_name": "Bashfuscator Command Obfuscators",
"description": "LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023.",
"url": "https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html"
},
{
"source_name": "Microsoft PowerShellB64",
"description": "Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. Retrieved March 17, 2023.",
"url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand"
},
{
"source_name": "RC PowerShell",
"description": "Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023.",
"url": "https://redcanary.com/threat-detection-report/techniques/powershell/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"George Thomas",
"Tim Peck",
"TruKno"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:16:39.249000+00:00\", \"old_value\": \"2025-04-15 22:06:13.992000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0505: Detection Strategy for Command Obfuscation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-16 15:30:57.711000+00:00",
"modified": "2026-04-15 22:16:52.765000+00:00",
"name": "Compile After Delivery",
"description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/004",
"external_id": "T1027.004"
},
{
"source_name": "ClearSky MuddyWater Nov 2018",
"description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
},
{
"source_name": "ATTACK IQ",
"description": "Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske. (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries. Retrieved July 15, 2024.",
"url": "https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/"
},
{
"source_name": "TrendMicro WindowsAppMac",
"description": "Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Liran Ravich, CardinalOps",
"Praetorian",
"Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:16:52.765000+00:00\", \"old_value\": \"2025-10-24 17:49:22.358000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0501: Detection Strategy for Compile After Delivery - Source Code to Executable Transformation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--fbd91bfc-75c2-4f0c-8116-3b4e722906b3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-04 18:29:33.850000+00:00",
"modified": "2026-04-15 22:16:53.338000+00:00",
"name": "Compression",
"description": "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)\n\nIn order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.(Citation: Perception Point)\n\nFile archives may be sent as one [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., [Malicious File](https://attack.mitre.org/techniques/T1204/002)).(Citation: NTT Security Flagpro new December 2021) However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.(Citation: The Hacker News)\n\n[Compression](https://attack.mitre.org/techniques/T1027/015) may be used in combination with [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013) where compressed files are encrypted and password-protected.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/015",
"external_id": "T1027.015"
},
{
"source_name": "Perception Point",
"description": "Arthur Vaiselbuh, Peleg Cabra. (2024, November 7). Evasive ZIP Concatenation: Trojan Targets Windows Users. Retrieved March 3, 2025.",
"url": "https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/"
},
{
"source_name": "NTT Security Flagpro new December 2021",
"description": "Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.",
"url": "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech"
},
{
"source_name": "The Hacker News",
"description": "Ravie Lakshmanan. (2023, April 5). Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks. Retrieved March 3, 2025.",
"url": "https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html"
},
{
"source_name": "Trustwave Pillowmint June 2020",
"description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020.",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Fernando Bacchin"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:16:53.338000+00:00\", \"old_value\": \"2025-04-15 19:59:24.125000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0281: Detection Strategy for Compressed Payload Creation and Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-08-22 20:42:08.498000+00:00",
"modified": "2026-04-15 22:17:50.411000+00:00",
"name": "Dynamic API Resolution",
"description": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.\n\nAPI functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)\n\nTo avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.\n\nVarious methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/007",
"external_id": "T1027.007"
},
{
"source_name": "Huntress API Hash",
"description": "Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.",
"url": "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection"
},
{
"source_name": "BlackHat API Packers",
"description": "Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.",
"url": "https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf"
},
{
"source_name": "Drakonia HInvoke",
"description": "drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved August 22, 2022.",
"url": "https://dr4k0nia.github.io/posts/HInvoke-and-avoiding-PInvoke/"
},
{
"source_name": "IRED API Hashing",
"description": "spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved August 22, 2022.",
"url": "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:17:50.411000+00:00\", \"old_value\": \"2025-04-15 22:24:25.266000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://dr4k0nia.github.io/posts/HInvoke-and-avoiding-PInvoke/\", \"old_value\": \"https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avoiding-PInvoke.html?s=03\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0091: Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-09-30 18:50:14.351000+00:00",
"modified": "2026-04-15 22:18:17.938000+00:00",
"name": "Embedded Payloads",
"description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) \n\nAdversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) \n\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) \n\nEmbedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/009",
"external_id": "T1027.009"
},
{
"source_name": "GitHub PSImage",
"description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
"url": "https://github.com/peewpw/Invoke-PSImage"
},
{
"source_name": "Malware Analysis Report ComRAT",
"description": "CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 \u2013 PowerShell Script: ComRAT. Retrieved September 30, 2022.",
"url": "https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a"
},
{
"source_name": "Trend Micro",
"description": "Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.",
"url": "https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html"
},
{
"source_name": "Securelist Dtrack2",
"description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.",
"url": "https://securelist.com/my-name-is-dtrack/93338/"
},
{
"source_name": "Microsoft Learn",
"description": "Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.",
"url": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1"
},
{
"source_name": "SentinelLabs reversing run-only applescripts 2021",
"description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.",
"url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
},
{
"source_name": "Sentinel Labs",
"description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.",
"url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Nick Cairns, @grotezinfosec"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:18:17.938000+00:00\", \"old_value\": \"2025-04-15 19:58:03.051000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0214: Detection Strategy for Embedded Payloads"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0d91b3c0-5e50-47c3-949a-2a796f04d144",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-03-29 12:38:17.135000+00:00",
"modified": "2026-04-15 22:18:22.179000+00:00",
"name": "Encrypted/Encoded File",
"description": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.\n\nThis type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.\n\nThe entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.\n\nFor example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) \n\nAdversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/013",
"external_id": "T1027.013"
},
{
"source_name": "File obfuscation",
"description": "Aspen Lindblom, Joseph Goodwin, and Chris Sheldon. (2021, July 19). Shlayer Malvertising Campaigns Still Using Flash Update Disguise. Retrieved March 29, 2024.",
"url": "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/"
},
{
"source_name": "SFX - Encrypted/Encoded File",
"description": "Jai Minton. (2023, March 31). How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads. Retrieved March 29, 2024.",
"url": "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Andrew Northern, @ex_raritas",
"David Galazin @themalwareman1",
"Jai Minton, @Cyberraiju"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:18:22.179000+00:00\", \"old_value\": \"2025-04-15 19:58:05.840000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0087: Encrypted or Encoded File Payload Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-03-23 19:55:25.546000+00:00",
"modified": "2026-04-15 22:18:39.119000+00:00",
"name": "Fileless Storage",
"description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/011",
"external_id": "T1027.011"
},
{
"source_name": "Aquasec Muhstik Malware 2024",
"description": " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024.",
"url": "https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/"
},
{
"source_name": "Bitsight 7777 Botnet",
"description": "Batista, Jo\u00e3o. Gi7w0rm. (2024, August 27). Retrieved June 5, 2025.",
"url": "https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet"
},
{
"source_name": "CISCO Nexus 900 Config",
"description": "CISCO. (2021, September 14). Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide, Release 7.x. Retrieved June 5, 2025.",
"url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/fundamentals/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x_chapter_01000.html"
},
{
"source_name": "Elastic Binary Executed from Shared Memory Directory",
"description": "Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024.",
"url": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html"
},
{
"source_name": "SecureList Fileless",
"description": "Legezo, D. (2022, May 4). A new secret stash for \u201cfileless\u201d malware. Retrieved March 23, 2023.",
"url": "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/"
},
{
"source_name": "Microsoft Fileless",
"description": "Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.",
"url": "https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats"
},
{
"source_name": "Sysdig Fileless Malware 23022",
"description": "Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024.",
"url": "https://sysdig.com/blog/containers-read-only-fileless-malware/"
},
{
"source_name": "Akami Frog4Shell 2024",
"description": "Ori David. (2024, February 1). Frog4Shell \u2014 FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024.",
"url": "https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Christopher Peacock",
"Denise Tan",
"Mark Wee",
"Simona David",
"Vito Alfano, Group-IB",
"Xavier Rousseau"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:18:39.119000+00:00\", \"old_value\": \"2025-06-05 15:30:20.139000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may store data in \\\"fileless\\\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\\n\\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\\n\\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \\n\\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\\\System32\\\\Wbem\\\\Repository`) or Registry (e.g., `%SystemRoot%\\\\System32\\\\Config`) physical files.(Citation: Microsoft Fileless) \", \"old_value\": \"Adversaries may store data in \\\"fileless\\\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\\n\\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\\n\\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \\n\\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\\\System32\\\\Wbem\\\\Repository`) or Registry (e.g., `%SystemRoot%\\\\System32\\\\Config`) physical files.(Citation: Microsoft Fileless) \", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n Adversaries may store data in \\\"fileless\\\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\\n \\n-Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\\n+Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\\n \\n Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \\n \"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}}",
"previous_version": "2.1",
"version_change": "2.1 \u2192 3.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may store data in \"fileless\" formats to conceal | t | 1 | Adversaries may store data in \"fileless\" formats to conceal |
| > | malicious activity from defenses. Fileless storage can be br | > | malicious activity from defenses. Fileless storage can be br | ||
| > | oadly defined as any format other than a file. Common exampl | > | oadly defined as any format other than a file. Common exampl | ||
| > | es of non-volatile fileless storage in Windows systems inclu | > | es of non-volatile fileless storage in Windows systems inclu | ||
| > | de the Windows Registry, event logs, or WMI repository.(Cita | > | de the Windows Registry, event logs, or WMI repository.(Cita | ||
| > | tion: Microsoft Fileless)(Citation: SecureList Fileless) Sha | > | tion: Microsoft Fileless)(Citation: SecureList Fileless) Sha | ||
| > | red memory directories on Linux systems (`/dev/shm`, `/run/s | > | red memory directories on Linux systems (`/dev/shm`, `/run/s | ||
| > | hm`, `/var/run`, and `/var/lock`) and volatile directories o | > | hm`, `/var/run`, and `/var/lock`) and volatile directories o | ||
| > | n Network Devices (`/tmp` and `/volatile`) may also be consi | > | n Network Devices (`/tmp` and `/volatile`) may also be consi | ||
| > | dered fileless storage, as files written to these directorie | > | dered fileless storage, as files written to these directorie | ||
| > | s are mapped directly to RAM and not stored on the disk.(Cit | > | s are mapped directly to RAM and not stored on the disk.(Cit | ||
| > | ation: Elastic Binary Executed from Shared Memory Directory) | > | ation: Elastic Binary Executed from Shared Memory Directory) | ||
| > | (Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik | > | (Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik | ||
| > | Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISC | > | Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISC | ||
| > | O Nexus 900 Config). Similar to fileless in-memory behavior | > | O Nexus 900 Config). Similar to fileless in-memory behavior | ||
| > | s such as [Reflective Code Loading](https://attack.mitre.org | > | s such as [Reflective Code Loading](https://attack.mitre.org | ||
| > | /techniques/T1620) and [Process Injection](https://attack.mi | > | /techniques/T1620) and [Process Injection](https://attack.mi | ||
| > | tre.org/techniques/T1055), fileless data storage may remain | > | tre.org/techniques/T1055), fileless data storage may remain | ||
| > | undetected by anti-virus and other endpoint security tools t | > | undetected by antivirus and other endpoint security tools th | ||
| > | hat can only access specific file formats from disk storage. | > | at can only access specific file formats from disk storage. | ||
| > | Leveraging fileless storage may also allow adversaries to b | > | Leveraging fileless storage may also allow adversaries to by | ||
| > | ypass the protections offered by read-only file systems in L | > | pass the protections offered by read-only file systems in Li | ||
| > | inux.(Citation: Sysdig Fileless Malware 23022) Adversaries | > | nux.(Citation: Sysdig Fileless Malware 23022) Adversaries m | ||
| > | may use fileless storage to conceal various types of stored | > | ay use fileless storage to conceal various types of stored d | ||
| > | data, including payloads/shellcode (potentially being used a | > | ata, including payloads/shellcode (potentially being used as | ||
| > | s part of [Persistence](https://attack.mitre.org/tactics/TA0 | > | part of [Persistence](https://attack.mitre.org/tactics/TA00 | ||
| > | 003)) and collected data not yet exfiltrated from the victim | > | 03)) and collected data not yet exfiltrated from the victim | ||
| > | (e.g., [Local Data Staging](https://attack.mitre.org/techni | > | (e.g., [Local Data Staging](https://attack.mitre.org/techniq | ||
| > | ques/T1074/001)). Adversaries also often encrypt, encode, sp | > | ues/T1074/001)). Adversaries also often encrypt, encode, spl | ||
| > | lice, or otherwise obfuscate this fileless data when stored. | > | ice, or otherwise obfuscate this fileless data when stored. | ||
| > | Some forms of fileless storage activity may indirectly cr | > | Some forms of fileless storage activity may indirectly cre | ||
| > | eate artifacts in the file system, but in central and otherw | > | ate artifacts in the file system, but in central and otherwi | ||
| > | ise difficult to inspect formats such as the WMI (e.g., `%Sy | > | se difficult to inspect formats such as the WMI (e.g., `%Sys | ||
| > | stemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%Sy | > | temRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%Sys | ||
| > | stemRoot%\\System32\\Config`) physical files.(Citation: Micros | > | temRoot%\\System32\\Config`) physical files.(Citation: Microso | ||
| > | oft Fileless) | > | ft Fileless) |
text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/006",
"external_id": "T1027.006"
},
{
"source_name": "Outlflank HTML Smuggling 2018",
"description": "Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.",
"url": "https://outflank.nl/blog/2018/08/14/html-smuggling-explained/"
},
{
"source_name": "MSTIC NOBELIUM May 2021",
"description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
},
{
"source_name": "HTML Smuggling Menlo Security 2020",
"description": "Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.",
"url": "https://www.menlosecurity.com/blog/new-attack-alert-duri"
},
{
"source_name": "nccgroup Smuggling HTA 2017",
"description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved September 12, 2024.",
"url": "https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jonathan Boucher, @crash_wave, Bank of Canada",
"Krishnan Subramanian, @krish203",
"Stan Hegt, Outflank",
"Vinay Pidathala"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:19:27.839000+00:00\", \"old_value\": \"2025-10-24 17:49:27.501000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}}",
"previous_version": "1.3",
"version_change": "1.3 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1048: Application Isolation and Sandboxing"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0313: Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-19 21:27:32.820000+00:00",
"modified": "2026-04-15 22:19:28.558000+00:00",
"name": "Indicator Removal from Tools",
"description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/005",
"external_id": "T1027.005"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:19:28.558000+00:00\", \"old_value\": \"2025-10-24 17:49:13.906000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0189: Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--671cd17f-a765-48fd-adc4-dad1941b1ae3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-04 21:38:49.913000+00:00",
"modified": "2026-04-15 22:19:48.489000+00:00",
"name": "Junk Code Insertion",
"description": "Adversaries may use junk code / dead code to obfuscate a malware\u2019s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)\n\nNo-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly used as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.(Citation: ReasonLabs)\n\nThe use of junk / dead code insertion is distinct from [Binary Padding](https://attack.mitre.org/techniques/T1027/001) because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware\u2019s signature. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/016",
"external_id": "T1027.016"
},
{
"source_name": "ReasonLabs",
"description": "ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025.",
"url": "https://cyberpedia.reasonlabs.com/EN/dead%20code%20insertion.html"
},
{
"source_name": "ReasonLabs Cyberpedia Junk Code",
"description": "What is Junk Code?. (n.d.). ReasonLabs. Retrieved April 4, 2025.",
"url": "https://cyberpedia.reasonlabs.com/EN/junk%20code.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Joas Antonio dos Santos, @C0d3Cr4zy"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:19:48.489000+00:00\", \"old_value\": \"2025-04-15 19:58:37.495000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0322: Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--887274fc-2d63-4bdc-82f3-fae56d1d5fdc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-09-29 15:28:42.409000+00:00",
"modified": "2026-04-15 22:20:54.005000+00:00",
"name": "LNK Icon Smuggling",
"description": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. \n\nAdversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)\n\nLNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads. \n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/012",
"external_id": "T1027.012"
},
{
"source_name": "Unprotect Shortcut",
"description": "Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023.",
"url": "https://unprotect.it/technique/shortcut-hiding/"
},
{
"source_name": "Booby Trap Shortcut 2017",
"description": "Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023.",
"url": "https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Michael Raggi @aRtAGGI",
"Andrew Northern, @ex_raritas",
"Gregory Lesnewich, @greglesnewich"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:20:54.005000+00:00\", \"old_value\": \"2025-10-24 17:49:04.385000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut\", \"old_value\": \"https://www.uperesia.com/booby-trapped-shortcut\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0405: Detection Strategy for LNK Icon Smuggling"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-09-27 12:28:03.938000+00:00",
"modified": "2026-04-15 22:20:58.199000+00:00",
"name": "Polymorphic Code",
"description": "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/014",
"external_id": "T1027.014"
},
{
"source_name": "polymorphic-blackberry",
"description": "Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September 27, 2024.",
"url": "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware"
},
{
"source_name": "polymorphic-sentinelone",
"description": "SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples and Challenges. Retrieved September 27, 2024.",
"url": "https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware"
},
{
"source_name": "polymorphic-medium",
"description": "Shellseekercyber. (2024, January 7). Explainer: Packed Malware. Retrieved September 27, 2024.",
"url": "https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035"
},
{
"source_name": "polymorphic-linkedin",
"description": "Sherwin Akshay. (2024, May 28). Techniques for concealing malware and hindering analysis: Packing up and unpacking stuff. Retrieved September 27, 2024.",
"url": "https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"TruKno",
"Ye Yint Min Thu Htut, Active Defense Team, DBS Bank"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:20:58.199000+00:00\", \"old_value\": \"2025-04-15 19:59:00.006000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0324: Detection Strategy for Polymorphic Code Mutation and Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--78b9e70d-1605-459c-b23d-e3a25036968c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-25 15:31:09.697000+00:00",
"modified": "2026-04-15 22:22:02.298000+00:00",
"name": "SVG Smuggling",
"description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `