eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/002",
"external_id": "T1548.002"
},
{
"source_name": "Davidson Windows",
"description": "Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.",
"url": "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html"
},
{
"source_name": "TechNet How UAC Works",
"description": "Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.",
"url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works"
},
{
"source_name": "SANS UAC Bypass",
"description": "Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.",
"url": "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass"
},
{
"source_name": "MSDN COM Elevation",
"description": "Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.",
"url": "https://msdn.microsoft.com/en-us/library/ms679687.aspx"
},
{
"source_name": "enigma0x3 Fileless UAC Bypass",
"description": "Nelson, M. (2016, August 15). \"Fileless\" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.",
"url": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
},
{
"source_name": "TechNet Inside UAC",
"description": "Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.",
"url": "https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx"
},
{
"source_name": "Fortinet Fareit",
"description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.",
"url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware"
},
{
"source_name": "Github UACMe",
"description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.",
"url": "https://github.com/hfiref0x/UACME"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak",
"Casey Smith"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-15 19:51:31.419000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1047: Audit",
"M1051: Update Software",
"M1052: User Account Control"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0388: Detection Strategy for T1548.002 \u2013 Bypass User Account Control (UAC)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-30 14:40:20.187000+00:00",
"modified": "2026-05-12 15:12:00.709000+00:00",
"name": "Elevated Execution with Prompt",
"description": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. \n\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/004",
"external_id": "T1548.004"
},
{
"source_name": "AppleDocs AuthorizationExecuteWithPrivileges",
"description": "Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. Retrieved August 8, 2019.",
"url": "https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg"
},
{
"source_name": "Carbon Black Shlayer Feb 2019",
"description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.",
"url": "https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html"
},
{
"source_name": "Death by 1000 installers; it's all broken!",
"description": "Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. Retrieved August 8, 2019.",
"url": "https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8"
},
{
"source_name": "OSX Coldroot RAT",
"description": "Patrick Wardle. (2018, February 17). Tearing Apart the Undetected (OSX)Coldroot RAT. Retrieved August 8, 2019.",
"url": "https://objective-see.com/blog/blog_0x2A.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jimmy Astle, @AstleJimmy, Carbon Black",
"Erika Noerenberg, @gutterchurl, Carbon Black"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 19:51:53.527000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0395: macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-30 14:11:41.212000+00:00",
"modified": "2026-05-12 15:12:00.639000+00:00",
"name": "Setuid and Setgid",
"description": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac Permissions](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \"shell escape\" or other actions to bypass an execution environment with restricted permissions.\n\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/001",
"external_id": "T1548.001"
},
{
"source_name": "GTFOBins Suid",
"description": "Emilio Pinna, Andrea Cardaci. (n.d.). GTFOBins. Retrieved January 28, 2022.",
"url": "https://gtfobins.github.io/#+suid"
},
{
"source_name": "OSX Keydnap malware",
"description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
"url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
},
{
"source_name": "setuid man page",
"description": "Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.",
"url": "http://man7.org/linux/man-pages/man2/setuid.2.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.639000+00:00\", \"old_value\": \"2026-04-15 19:52:13.675000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0110: Setuid/Setgid Privilege Abuse Detection (Linux/macOS)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-30 14:34:44.992000+00:00",
"modified": "2026-05-12 15:12:00.621000+00:00",
"name": "Sudo and Sudo Caching",
"description": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/003",
"external_id": "T1548.003"
},
{
"source_name": "cybereason osx proton",
"description": "Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018.",
"url": "https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does"
},
{
"source_name": "OSX.Dok Malware",
"description": "Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/"
},
{
"source_name": "sudo man page 2018",
"description": "Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.",
"url": "https://www.sudo.ws/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-15 19:52:35.310000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management",
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0052: Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e8a0a025-3601-4755-abfb-8d08283329fb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-03-21 21:10:57.322000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "TCC Manipulation",
"description": "Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).\n\nWhen an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)\n\nAdversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)\n\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/006",
"external_id": "T1548.006"
},
{
"source_name": "welivesecurity TCC",
"description": "Marc-Etienne M.L\u00e9veill\u00e9. (2022, July 19). I see what you did there: A look at the CloudMensis macOS spyware. Retrieved March 21, 2024.",
"url": "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/"
},
{
"source_name": "TCC Database",
"description": "Marina Liang. (2024, April 23). Return of the mac(OS): Transparency, Consent, and Control (TCC) Database Manipulation. Retrieved March 28, 2024.",
"url": "https://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/"
},
{
"source_name": "TCC macOS bypass",
"description": "Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy Protections By Accident and Design. Retrieved March 21, 2024.",
"url": "https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Marina Liang",
"Wojciech Regu\u0142a @_r3ggi",
"Csaba Fitzl @theevilbit of Kandji"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 19:52:55.058000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0534: TCC Database Manipulation via Launchctl and Unprotected SIP"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--6fa224c7-5091-4595-bf15-3fc9fe2f2c7c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-07-10 16:37:15.672000+00:00",
"modified": "2026-05-12 15:12:00.641000+00:00",
"name": "Temporary Elevated Cloud Access",
"description": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. \n\nJust-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Azure Just in Time Access 2023)\n\nAccount impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account, while service accounts with domain-wide delegation permission are permitted to impersonate Google Workspace accounts.(Citation: Google Cloud Service Account Authentication Roles)(Citation: Hunters Domain Wide Delegation Google Workspace 2023)(Citation: Google Cloud Just in Time Access 2023)(Citation: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) \n\nMany cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)\n\nWhile users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1548/005",
"external_id": "T1548.005"
},
{
"source_name": "AWS PassRole",
"description": "AWS. (n.d.). Granting a user permissions to pass a role to an AWS service. Retrieved July 10, 2023.",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html"
},
{
"source_name": "CrowdStrike StellarParticle January 2022",
"description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.",
"url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
},
{
"source_name": "Google Cloud Just in Time Access 2023",
"description": "Google Cloud. (n.d.). Manage just-in-time privileged access to projects. Retrieved September 21, 2023.",
"url": "https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project"
},
{
"source_name": "Google Cloud Service Account Authentication Roles",
"description": "Google Cloud. (n.d.). Roles for service account authentication. Retrieved July 10, 2023.",
"url": "https://cloud.google.com/iam/docs/service-account-permissions"
},
{
"source_name": "Microsoft Impersonation and EWS in Exchange",
"description": "Microsoft. (2022, September 13). Impersonation and EWS in Exchange. Retrieved July 10, 2023.",
"url": "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange"
},
{
"source_name": "Azure Just in Time Access 2023",
"description": "Microsoft. (2023, August 29). Configure and approve just-in-time access for Azure Managed Applications. Retrieved September 21, 2023.",
"url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access"
},
{
"source_name": "Rhino Security Labs AWS Privilege Escalation",
"description": "Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation \u2013 Methods and Mitigation. Retrieved May 27, 2022.",
"url": "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/"
},
{
"source_name": "Rhino Google Cloud Privilege Escalation",
"description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform \u2013 Part 1 (IAM). Retrieved September 21, 2023.",
"url": "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/"
},
{
"source_name": "Hunters Domain Wide Delegation Google Workspace 2023",
"description": "Yonatan Khanashvilli. (2023, November 28). DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover. Retrieved January 16, 2024.",
"url": "https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover"
},
{
"source_name": "Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023",
"description": "Zohar Zigdon. (2023, November 30). Exploring a Critical Risk in Google Workspace's Domain-Wide Delegation Feature. Retrieved January 16, 2024.",
"url": "https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arad Inbar, Fidelis Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Office Suite",
"Identity Provider"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-04-15 19:53:18.398000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0393: Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14 16:46:06.044000+00:00",
"modified": "2026-05-12 15:12:00.722000+00:00",
"name": "Access Token Manipulation",
"description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134",
"external_id": "T1134"
},
{
"source_name": "Pentestlab Token Manipulation",
"description": "netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.",
"url": "https://pentestlab.blog/2017/04/03/token-manipulation/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Tom Ueltschi @c_APT_ure",
"Travis Smith, Tripwire",
"Robby Winchester, @robwinchester3",
"Jared Atkinson, @jaredcatkinson"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-15 19:53:44.334000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0283: Behavior-chain detection for T1134 Access Token Manipulation on Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 16:48:56.582000+00:00",
"modified": "2026-05-12 15:12:00.639000+00:00",
"name": "Create Process with Token",
"description": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.\n\nWhile this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/002",
"external_id": "T1134.002"
},
{
"source_name": "Microsoft RunAs",
"description": "Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.",
"url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jonny Johnson",
"Vadim Khrykov"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.639000+00:00\", \"old_value\": \"2026-04-15 19:55:37.484000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0456: Behavior-chain detection for T1134.002 Create Process with Token (Windows)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 18:03:37.481000+00:00",
"modified": "2026-05-12 15:12:00.705000+00:00",
"name": "Make and Impersonate Token",
"description": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.\n\nThis behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/003",
"external_id": "T1134.003"
},
{
"source_name": "LogonUserW function",
"description": "Microsoft. (2023, March 10). LogonUserW function (winbase.h). Retrieved January 8, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jonny Johnson"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2026-04-15 19:56:16.233000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0498: Behavior\u2011chain detection for T1134.003 Make and Impersonate Token (Windows)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 18:22:41.448000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Parent PID Spoofing",
"description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/004",
"external_id": "T1134.004"
},
{
"source_name": "XPNSec PPID Nov 2017",
"description": "Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.",
"url": "https://blog.xpnsec.com/becoming-system/"
},
{
"source_name": "CounterCept PPID Spoofing Dec 2018",
"description": "Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.",
"url": "https://web.archive.org/web/20200726110643/https://blog.f-secure.com/detecting-parent-pid-spoofing/"
},
{
"source_name": "Microsoft UAC Nov 2018",
"description": "Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.",
"url": "https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works"
},
{
"source_name": "DidierStevens SelectMyParent Nov 2009",
"description": "Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.",
"url": "https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/"
},
{
"source_name": "CTD PPID Spoofing Macro Mar 2019",
"description": "Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.",
"url": "https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Wayne Silva, F-Secure Countercept"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 19:54:42.976000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0489: Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 18:34:49.414000+00:00",
"modified": "2026-05-12 15:12:00.709000+00:00",
"name": "SID-History Injection",
"description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\n\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/005",
"external_id": "T1134.005"
},
{
"source_name": "Microsoft Well Known SIDs Jun 2017",
"description": "Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.",
"url": "https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems"
},
{
"source_name": "Microsoft SID-History Attribute",
"description": "Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.",
"url": "https://msdn.microsoft.com/library/ms679833.aspx"
},
{
"source_name": "Microsoft SID",
"description": "Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.",
"url": "https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Alain Homewood, Insomnia Security",
"Vincent Le Toux"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 19:55:14.114000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1015: Active Directory Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0136: Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-18 16:39:06.289000+00:00",
"modified": "2026-05-12 15:12:00.686000+00:00",
"name": "Token Impersonation/Theft",
"description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/001",
"external_id": "T1134.001"
},
{
"source_name": "DuplicateToken function",
"description": "Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h). Retrieved January 8, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jonny Johnson"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.686000+00:00\", \"old_value\": \"2026-04-15 19:54:20.663000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0482: Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:06.988000+00:00",
"modified": "2026-05-12 15:12:00.641000+00:00",
"name": "Account Discovery",
"description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system\u2019s files.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1087",
"external_id": "T1087"
},
{
"source_name": "AWS List Users",
"description": "Amazon. (n.d.). List Users. Retrieved August 11, 2020.",
"url": "https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html"
},
{
"source_name": "Google Cloud - IAM Servie Accounts List API",
"description": "Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.",
"url": "https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list"
},
{
"source_name": "Elastic - Koadiac Detection with EQL",
"description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.",
"url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Daniel Stepanic, Elastic",
"Microsoft Threat Intelligence Center (MSTIC)",
"Travis Smith, Tripwire"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "2.6",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2025-10-24 17:48:57.239000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.6",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0587: Enumeration of User or Account Information Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-21 21:08:26.480000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "Domain Account",
"description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1087/002",
"external_id": "T1087.002"
},
{
"source_name": "CrowdStrike StellarParticle January 2022",
"description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.",
"url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"ExtraHop",
"Miriam Wiesner, @miriamxyra, Microsoft Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:31.050000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0129: Domain Account Enumeration Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-21 21:07:55.393000+00:00",
"modified": "2026-05-12 15:12:00.623000+00:00",
"name": "Local Account",
"description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS, the dscl . list /Users command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1087/001",
"external_id": "T1087.001"
},
{
"source_name": "id man page",
"description": "MacKenzie, D. and Robbins, A. (n.d.). id(1) - Linux man page. Retrieved January 11, 2024.",
"url": "https://linux.die.net/man/1/id"
},
{
"source_name": "groups man page",
"description": "MacKenzie, D. and Youngman, J. (n.d.). groups(1) - Linux man page. Retrieved January 11, 2024.",
"url": "https://linux.die.net/man/1/groups"
},
{
"source_name": "Mandiant APT1",
"description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
"url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
},
{
"source_name": "Crowdstrike Hypervisor Jackpotting Pt 2 2021",
"description": "Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.",
"url": "https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
},
{
"source_name": "Elastic - Koadiac Detection with EQL",
"description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.",
"url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Daniel Stepanic, Elastic",
"Miriam Wiesner, @miriamxyra, Microsoft Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-24 17:48:32.515000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0303: Local Account Enumeration Across Host Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:12.196000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Account Manipulation",
"description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1098",
"external_id": "T1098"
},
{
"source_name": "FireEye SMOKEDHAM June 2021",
"description": "FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
},
{
"source_name": "Microsoft Security Event 4670",
"description": "Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. Retrieved November 4, 2019.",
"url": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670"
},
{
"source_name": "Microsoft User Modified Event",
"description": "Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account was changed. Retrieved June 30, 2017.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738"
},
{
"source_name": "InsiderThreat ChangeNTLM July 2017",
"description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.",
"url": "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM"
},
{
"source_name": "GitHub Mimikatz Issue 92 June 2017",
"description": "Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm work, but generate Windows events #92. Retrieved December 4, 2017.",
"url": "https://github.com/gentilkiwi/mimikatz/issues/92"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)",
"Praetorian",
"Tim MalcomVetter",
"Wojciech Lesicki",
"Arad Inbar, Fidelis Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "2.8",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:10.273000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.8",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management",
"M1028: Operating System Configuration",
"M1030: Network Segmentation",
"M1032: Multi-factor Authentication",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0096: Account Manipulation Behavior Chain Detection"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-24 12:42:35.144000+00:00",
"modified": "2026-05-12 15:12:00.640000+00:00",
"name": "SSH Authorized Keys",
"description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys (or, on ESXi, `/etc/ssh/keys-/etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\u2019s \u201cadd-metadata\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.\n\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \n\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1098/004",
"external_id": "T1098.004"
},
{
"source_name": "Venafi SSH Key Abuse",
"description": "Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020.",
"url": "https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities"
},
{
"source_name": "Broadcom ESXi SSH",
"description": "Broadcom. (2024, December 12). Allowing SSH access to VMware vSphere ESXi/ESX hosts with public/private key authentication. Retrieved March 26, 2025.",
"url": "https://knowledge.broadcom.com/external/article/313767/allowing-ssh-access-to-vmware-vsphere-es.html"
},
{
"source_name": "Google Cloud Privilege Escalation",
"description": "Chris Moberly. (2020, February 12). Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments. Retrieved April 1, 2022.",
"url": "https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/"
},
{
"source_name": "cisco_ip_ssh_pubkey_ch_cmd",
"description": "Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July 13, 2022.",
"url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478"
},
{
"source_name": "Cybereason Linux Exim Worm",
"description": "Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020.",
"url": "https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability"
},
{
"source_name": "Google Cloud Add Metadata",
"description": "Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022.",
"url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata"
},
{
"source_name": "Azure Update Virtual Machines",
"description": "Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022.",
"url": "https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update"
},
{
"source_name": "SSH Authorized Keys",
"description": "ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.",
"url": "https://www.ssh.com/ssh/authorized_keys/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Tony Lambert, Red Canary",
"Dror Alon, Palo Alto Networks",
"Or Kliger, Palo Alto Networks",
"Austin Clark, @c2defense",
"Arad Inbar, Fidelis Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"IaaS",
"Linux",
"macOS",
"Network Devices"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:55.005000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0126: Detection Strategy for SSH Key Injection in Authorized Keys"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-30 17:09:31.878000+00:00",
"modified": "2026-05-12 15:12:00.629000+00:00",
"name": "Domains",
"description": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute \"IDN homograph attacks,\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)\n\nDifferent URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\n\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)\n\nIn addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor\u2019s choosing.(Citation: Invictus IR DangerDev 2024)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1583/001",
"external_id": "T1583.001"
},
{
"source_name": "URI Unique",
"description": "Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.",
"url": "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF"
},
{
"source_name": "PaypalScam",
"description": "Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.",
"url": "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/"
},
{
"source_name": "CISA IDN ST05-016",
"description": "CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.",
"url": "https://us-cert.cisa.gov/ncas/tips/ST05-016"
},
{
"source_name": "CISA MSS Sep 2020",
"description": "CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020.",
"url": "https://us-cert.cisa.gov/ncas/alerts/aa20-258a"
},
{
"source_name": "bypass_webproxy_filtering",
"description": "Fehrman, B. (2017, April 13). How to Bypass Web-Proxy Filtering. Retrieved September 20, 2019.",
"url": "https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/"
},
{
"source_name": "FireEye APT28",
"description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
"url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
},
{
"source_name": "Invictus IR DangerDev 2024",
"description": "Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.",
"url": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
},
{
"source_name": "Domain_Steal_CC",
"description": "Krebs, B. (2018, November 13). That Domain You Forgot to Renew? Yeah, it\u2019s Now Stealing Credit Cards. Retrieved September 20, 2019.",
"url": "https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/"
},
{
"source_name": "tt_obliqueRAT",
"description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.",
"url": "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html"
},
{
"source_name": "tt_httrack_fake_domains",
"description": "Malhotra, A., Thattil, J. et al. (2022, March 29). Transparent Tribe campaign uses new bespoke malware to target Indian government officials . Retrieved September 6, 2022.",
"url": "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
},
{
"source_name": "Mandiant APT1",
"description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
"url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
},
{
"source_name": "Categorisation_not_boundary",
"description": "MDSec Research. (2017, July). Categorisation is not a Security Boundary. Retrieved September 20, 2019.",
"url": "https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/"
},
{
"source_name": "URI",
"description": "Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.",
"url": "https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits"
},
{
"source_name": "Redirectors_Domain_Fronting",
"description": "Mudge, R. (2017, February 6). High-reputation Redirectors and Domain Fronting. Retrieved July 11, 2022.",
"url": "https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/"
},
{
"source_name": "URI Use",
"description": "Nathan McFeters. Billy Kim Rios. Rob Carter.. (2008). URI Use and Abuse. Retrieved February 9, 2024.",
"url": "https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf"
},
{
"source_name": "iOS URL Scheme",
"description": "Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.",
"url": "https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html"
},
{
"source_name": "lazgroup_idn_phishing",
"description": "RISKIQ. (2017, December 20). Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry. Retrieved July 29, 2022.",
"url": "https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/"
},
{
"source_name": "httrack_unhcr",
"description": "RISKIQ. (2022, March 15). RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure. Retrieved July 29, 2022.",
"url": "https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Wes Hurd",
"Vinayak Wadhwa, Lucideus",
"Deloitte Threat Library Team",
"Oleg Kolesnikov, Securonix",
"Menachem Goldstein",
"Nikola Kovac"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2025-10-24 17:48:42.246000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0892: Detection of Domains"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 00:48:09.578000+00:00",
"modified": "2026-05-12 15:12:00.635000+00:00",
"name": "Server",
"description": "Adversaries may buy, lease, rent, or obtain physical servers\u00a0that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked) \n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1583/004",
"external_id": "T1583.004"
},
{
"source_name": "Freejacked",
"description": "Clark, Michael. (2023, August 14). Google\u2019s Vertex AI Platform Gets Freejacked. Retrieved February 28, 2024.",
"url": "https://sysdig.com/blog/googles-vertex-ai-platform-freejacked/"
},
{
"source_name": "Free Trial PurpleUrchin",
"description": "Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.",
"url": "https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/"
},
{
"source_name": "Koczwara Beacon Hunting Sep 2021",
"description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.",
"url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2"
},
{
"source_name": "Mandiant SCANdalous Jul 2020",
"description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
},
{
"source_name": "NYTStuxnet",
"description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.",
"url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Dor Edry, Microsoft"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:50.911000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0871: Detection of Server"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 00:44:23.935000+00:00",
"modified": "2026-05-12 15:12:00.643000+00:00",
"name": "Virtual Private Server",
"description": "Adversaries may rent Virtual Private Servers (VPSs)\u00a0that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1583/003",
"external_id": "T1583.003"
},
{
"source_name": "Koczwara Beacon Hunting Sep 2021",
"description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.",
"url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2"
},
{
"source_name": "TrendmicroHideoutsLease",
"description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.",
"url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf"
},
{
"source_name": "Mandiant SCANdalous Jul 2020",
"description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2025-10-24 17:48:59.607000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0838: Detection of Virtual Private Server"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 00:50:29.936000+00:00",
"modified": "2026-05-12 15:12:00.694000+00:00",
"name": "Web Services",
"description": "Adversaries may register for web services\u00a0that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29)(Citation: Hacker News GitHub Abuse 2024) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1583/006",
"external_id": "T1583.006"
},
{
"source_name": "Hacker News GitHub Abuse 2024",
"description": "Dvir Sasson. (2024, May 13). GitHub Abuse Flaw Shows Why We Can't Shrug Off Abuse Vulnerabilities in Security. Retrieved March 31, 2025.",
"url": "https://thehackernews.com/expert-insights/2024/05/github-abuse-flaw-shows-why-we-cant.html"
},
{
"source_name": "FireEye APT29",
"description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.",
"url": "https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Dor Edry, Microsoft",
"Dvir Sasson, Reco"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.694000+00:00\", \"old_value\": \"2025-10-24 17:49:04.554000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0896: Detection of Web Services"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:54:23.193000+00:00",
"modified": "2026-05-12 15:12:00.721000+00:00",
"name": "Scanning IP Blocks",
"description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1595/001",
"external_id": "T1595.001"
},
{
"source_name": "Botnet Scan",
"description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020.",
"url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Diego Sappa, Securonix"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.721000+00:00\", \"old_value\": \"2025-10-24 17:49:28.603000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0817: Detection of Scanning IP Blocks"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:55:16.047000+00:00",
"modified": "2026-05-12 15:12:00.633000+00:00",
"name": "Vulnerability Scanning",
"description": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1595/002",
"external_id": "T1595.002"
},
{
"source_name": "OWASP Vuln Scanning",
"description": "OWASP. (n.d.). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020.",
"url": "https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:48.647000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0867: Detection of Vulnerability Scanning"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:07:12.114000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Adversary-in-the-Middle",
"description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1689)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to impair defenses and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1557",
"external_id": "T1557"
},
{
"source_name": "dns_changer_trojans",
"description": "Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021.",
"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats"
},
{
"source_name": "volexity_0day_sophos_FW",
"description": "Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.",
"url": "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
},
{
"source_name": "taxonomy_downgrade_att_tls",
"description": "Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.",
"url": "https://arxiv.org/abs/1809.05681"
},
{
"source_name": "ad_blocker_with_miner",
"description": "Kuzmenko, A.. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.",
"url": "https://securelist.com/ad-blocker-with-miner-included/101105/"
},
{
"source_name": "Token tactics",
"description": "Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023.",
"url": "https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/"
},
{
"source_name": "mitm_tls_downgrade_att",
"description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.",
"url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
},
{
"source_name": "Rapid7 MiTM Basics",
"description": "Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.",
"url": "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/"
},
{
"source_name": "tlseminar_downgrade_att",
"description": "Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.",
"url": "https://tlseminar.github.io/downgrade-attacks/"
},
{
"source_name": "ttint_rat",
"description": "Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. Retrieved October 28, 2021.",
"url": "https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Mayuresh Dani, Qualys",
"Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project",
"NEC"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-17 14:18:32.903000+00:00\"}}}",
"previous_version": "2.5",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1030: Network Segmentation",
"M1031: Network Intrusion Prevention",
"M1035: Limit Access to Resource Over Network",
"M1037: Filter Network Traffic",
"M1041: Encrypt Sensitive Information",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0296: Detect Adversary-in-the-Middle via Network and Configuration Anomalies"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:08:51.677000+00:00",
"modified": "2026-05-12 15:12:00.636000+00:00",
"name": "Name Resolution Poisoning and SMB Relay",
"description": "By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.(Citation: BlackCat ransomware) This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\n\nMulticast Domain Name System(mDNS) is a zero-configuration service used to resolve hostnames to IP addresses with \u201c.local\u201d as a top-level domain. MDNS is based upon Domain Name System (DNS) format and allows hosts on the same network segment to perform name resolution for other hosts, using multicast.(Citation: mDNS RFC)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\n\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various other protocols, such as LDAP, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\u00a0\n\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1557/001",
"external_id": "T1557.001"
},
{
"source_name": "Rapid7 LLMNR Spoofer",
"description": "Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017.",
"url": "https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response"
},
{
"source_name": "GitHub Responder",
"description": "Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.",
"url": "https://github.com/SpiderLabs/Responder"
},
{
"source_name": "Secure Ideas SMB Relay",
"description": "Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019.",
"url": "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html"
},
{
"source_name": "BlackCat ransomware",
"description": "Lucas Silva, Leandro Froes. (2022, April 18). An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Retrieved February 2, 2026.",
"url": "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html"
},
{
"source_name": "TechNet NetBIOS",
"description": "Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017.",
"url": "https://technet.microsoft.com/library/cc958811.aspx"
},
{
"source_name": "GitHub NBNSpoof",
"description": "Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017.",
"url": "https://github.com/nomex/nbnspoof"
},
{
"source_name": "mDNS RFC",
"description": "S. Cheshire, M. Krochmal. (2013, February). Multicast DNS. Retrieved February 2, 2026.",
"url": "https://datatracker.ietf.org/doc/html/rfc6762"
},
{
"source_name": "byt3bl33d3r NTLM Relaying",
"description": "Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019.",
"url": "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html"
},
{
"source_name": "Wikipedia LLMNR",
"description": "Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. Retrieved November 17, 2017.",
"url": "https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Eric Kuehn, Secure Ideas",
"Matthew Demaske, Adaptforward",
"Andrew Allen, @whitehat_zero",
"Arad Inbar"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2026-02-03 16:53:09.295000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1030: Network Segmentation",
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0462: Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-15 16:27:31.768000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "DNS",
"description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)\n\nDNS beaconing may be used to send commands to remote systems via DNS queries. A DNS beacon is created by tunneling DNS traffic (i.e.\u202f[Protocol Tunneling](https://attack.mitre.org/techniques/T1572)). The commands may be embedded into different DNS records, for example, TXT or A records.(Citation: OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government) DNS beacons may be difficult to detect because the beacons infrequently communicate with infected devices.(Citation: DNS Beacons) Infrequent communication conceals the malicious DNS traffic with normal DNS traffic. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1071/004",
"external_id": "T1071.004"
},
{
"source_name": "Medium DnsTunneling",
"description": "Galobardes, R. (2018, October 30). Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it). Retrieved March 15, 2020.",
"url": "https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government",
"description": "Kyle Wilhoit, Robert Falcone. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved July 21, 2025.",
"url": "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/"
},
{
"source_name": "PAN DNS Tunneling",
"description": "Palo Alto Networks. (n.d.). What Is DNS Tunneling?. Retrieved March 15, 2020.",
"url": "https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling"
},
{
"source_name": "DNS Beacons",
"description": "Vercara. (n.d.). Retrieved July 21, 2025.",
"url": "https://vercara.digicert.com/resources/dns-beacons#page_top"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jan Petrov, Citi",
"Chris Heald"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:27.877000+00:00\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0400: Behavioral Detection of DNS Tunneling and Application Layer Abuse"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-15 16:16:25.763000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "File Transfer Protocols",
"description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMB(Citation: US-CERT TA18-074A), FTP(Citation: ESET Machete July 2019), FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1071/002",
"external_id": "T1071.002"
},
{
"source_name": "ESET Machete July 2019",
"description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "US-CERT TA18-074A",
"description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Don Le, Stifel Financial"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:08.302000+00:00\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0416: Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-15 16:13:46.151000+00:00",
"modified": "2026-05-12 15:12:00.722000+00:00",
"name": "Web Protocols",
"description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1071/001",
"external_id": "T1071.001"
},
{
"source_name": "CrowdStrike Putter Panda",
"description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.",
"url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "Brazking-Websockets",
"description": "Shahar Tavor. (n.d.). BrazKing Android Malware Upgraded and Targeting Brazilian Banks. Retrieved March 24, 2023.",
"url": "https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"TruKno",
"Don Le, Stifel Financial"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:29.591000+00:00\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0027: Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:24.512000+00:00",
"modified": "2026-05-12 15:12:00.630000+00:00",
"name": "Application Window Discovery",
"description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)\n\nAdversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1010",
"external_id": "T1010"
},
{
"source_name": "ESET Grandoreiro April 2020",
"description": "ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.",
"url": "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/"
},
{
"source_name": "Prevailion DarkWatchman 2021",
"description": "Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.",
"url": "https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2025-10-24 17:48:44.488000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0097: Detection of Application Window Enumeration via API or Scripting"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-20 20:53:45.725000+00:00",
"modified": "2026-05-12 15:12:00.633000+00:00",
"name": "Archive Collected Data",
"description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1560",
"external_id": "T1560"
},
{
"source_name": "DOJ GRU Indictment Jul 2018",
"description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.",
"url": "https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf"
},
{
"source_name": "Wikipedia File Header Signatures",
"description": "Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.",
"url": "https://en.wikipedia.org/wiki/List_of_file_signatures"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:48.023000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0526: Detect Archiving and Encryption of Collected Data (T1560)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-20 21:01:25.428000+00:00",
"modified": "2026-05-12 15:12:00.619000+00:00",
"name": "Archive via Utility",
"description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. \n\nOn Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. \n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1560/001",
"external_id": "T1560.001"
},
{
"source_name": "WinRAR Homepage",
"description": "A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.",
"url": "https://www.rarlab.com/"
},
{
"source_name": "WinZip Homepage",
"description": "Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.",
"url": "https://www.winzip.com/win/en/"
},
{
"source_name": "7zip Homepage",
"description": "I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.",
"url": "https://www.7-zip.org/"
},
{
"source_name": "diantz.exe_lolbas",
"description": "Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.",
"url": "https://lolbas-project.github.io/lolbas/Binaries/Diantz/"
},
{
"source_name": "Wikipedia File Header Signatures",
"description": "Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.",
"url": "https://en.wikipedia.org/wiki/List_of_file_signatures"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Mayan Arora aka Mayan Mohan",
"Mark Wee"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2025-10-24 17:48:19.477000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0298: Detect Archiving via Utility (T1560.001)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:34.528000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Audio Capture",
"description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1123",
"external_id": "T1123"
},
{
"source_name": "ESET Attor Oct 2019",
"description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:24.702000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0221: Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:27.985000+00:00",
"modified": "2026-05-12 15:12:00.624000+00:00",
"name": "Automated Collection",
"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023) \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1119",
"external_id": "T1119"
},
{
"source_name": "Mandiant UNC3944 SMS Phishing 2023",
"description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.",
"url": "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Praetorian",
"Arun Seelagan, CISA"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:35.995000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1029: Remote Data Storage",
"M1041: Encrypt Sensitive Information"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0186: Automated File and API Collection Detection Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:29.458000+00:00",
"modified": "2026-05-12 15:12:00.642000+00:00",
"name": "Automated Exfiltration",
"description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1020",
"external_id": "T1020"
},
{
"source_name": "ESET Gamaredon June 2020",
"description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.",
"url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"ExtraHop"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2025-10-24 17:48:58.340000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0397: Automated Exfiltration Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-04-18 17:59:24.739000+00:00",
"modified": "2026-05-12 15:12:00.716000+00:00",
"name": "BITS Jobs",
"description": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\n\nThe interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)\n\nAdversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)\n\nBITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1197",
"external_id": "T1197"
},
{
"source_name": "CTU BITS Malware June 2016",
"description": "Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018.",
"url": "https://www.secureworks.com/blog/malware-lingers-with-bits"
},
{
"source_name": "Symantec BITS May 2007",
"description": "Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.",
"url": "https://www.symantec.com/connect/blogs/malware-update-windows-update"
},
{
"source_name": "PaloAlto UBoatRAT Nov 2017",
"description": "Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
},
{
"source_name": "Microsoft BITS",
"description": "Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.",
"url": "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx"
},
{
"source_name": "Microsoft BITSAdmin",
"description": "Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.",
"url": "https://msdn.microsoft.com/library/aa362813.aspx"
},
{
"source_name": "Microsoft COM",
"description": "Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.",
"url": "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx"
},
{
"source_name": "Mondok Windows PiggyBack BITS May 2007",
"description": "Mondok, M. (2007, May 11). Malware piggybacks on Windows\u2019 Background Intelligent Transfer Service. Retrieved January 12, 2018.",
"url": "https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Brent Murphy, Elastic",
"David French, Elastic",
"Red Canary",
"Ricardo Dias"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 19:57:02.003000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1028: Operating System Configuration",
"M1037: Filter Network Traffic"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0098: Detect abuse of Windows BITS Jobs for download, execution and persistence"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-23 22:02:48.566000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Registry Run Keys / Startup Folder",
"description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run automatically for the currently logged-on user.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1547/001",
"external_id": "T1547.001"
},
{
"source_name": "Malwarebytes Wow6432Node 2016",
"description": "Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020.",
"url": "https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/"
},
{
"source_name": "Microsoft Wow6432Node 2018",
"description": "Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.",
"url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry"
},
{
"source_name": "Microsoft Run Key",
"description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September 12, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys"
},
{
"source_name": "Oddvar Moe RunOnceEx Mar 2018",
"description": "Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.",
"url": "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/"
},
{
"source_name": "TechNet Autoruns",
"description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
"url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Oddvar Moe, @oddvarmoe",
"Dray Agha, @Purp1eW0lf, Huntress Labs",
"Harun K\u00fc\u00dfner"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:09.744000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.1",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0365: Detect Registry and Startup Folder Persistence (Windows)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:38.910000+00:00",
"modified": "2026-05-12 15:12:00.619000+00:00",
"name": "Boot or Logon Initialization Scripts",
"description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1037",
"external_id": "T1037"
},
{
"source_name": "Anomali Rocke March 2019",
"description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.",
"url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
},
{
"source_name": "Mandiant APT29 Eye Spy Email Nov 22",
"description": "Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.",
"url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2025-10-24 17:48:20.077000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.4",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1024: Restrict Registry Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0112: Boot or Logon Initialization Scripts Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--5e4a2073-9643-44cb-a0b5-e7f4048446c7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-04-18 17:59:24.739000+00:00",
"modified": "2026-05-12 15:12:00.635000+00:00",
"name": "Browser Information Discovery",
"description": "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)\n\nBrowser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1217",
"external_id": "T1217"
},
{
"source_name": "Chrome Roaming Profiles",
"description": "Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023.",
"url": "https://support.google.com/chrome/a/answer/7349337"
},
{
"source_name": "Kaspersky Autofill",
"description": "Golubev, S. (n.d.). How malware steals autofill data from browsers. Retrieved March 28, 2023.",
"url": "https://www.kaspersky.com/blog/browser-data-theft/27871/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Mike Kemmerer",
"Manikantan Srinivasan, NEC Corporation India",
"Yinon Engelsman, Talon Cyber Security",
"Yonatan Gotlib, Talon Cyber Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:50.561000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0013: Detection of Local Browser Artifact Access for Reconnaissance"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-01-16 16:13:52.465000+00:00",
"modified": "2026-05-12 15:12:00.633000+00:00",
"name": "Browser Session Hijacking",
"description": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\n\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.\n\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1185",
"external_id": "T1185"
},
{
"source_name": "ICEBRG Chrome Extensions",
"description": "De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.",
"url": "https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses"
},
{
"source_name": "Cobalt Strike Browser Pivot",
"description": "Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.",
"url": "https://www.cobaltstrike.com/help-browser-pivoting"
},
{
"source_name": "cobaltstrike manual",
"description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.",
"url": "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf"
},
{
"source_name": "Wikipedia Man in the Browser",
"description": "Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.",
"url": "https://en.wikipedia.org/wiki/Man-in-the-browser"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Justin Warner, ICEBRG"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:48.383000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.1",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0507: Detect browser session hijacking via privilege, handle access, and remote thread into browsers"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:22.767000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Brute Force",
"description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access. \n\nIf an adversary guesses the correct password but fails to login to a compromised account due to location-based conditional access policies, they may change their infrastructure until they match the victim\u2019s location and therefore bypass those policies.(Citation: ReliaQuest Health Care Social Engineering Campaign 2024)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1110",
"external_id": "T1110"
},
{
"source_name": "TrendMicro Pawn Storm Dec 2020",
"description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.",
"url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html"
},
{
"source_name": "ReliaQuest Health Care Social Engineering Campaign 2024",
"description": "Hayden Evans. (2024, April 4). Health Care Social Engineering Campaign. Retrieved May 22, 2025.",
"url": "https://www.reliaquest.com/blog/health-care-social-engineering-campaign/"
},
{
"source_name": "Dragos Crashoverride 2018",
"description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.",
"url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"David Fiser, @anu4is, Trend Micro",
"Alfredo Oliveira, Trend Micro",
"Magno Logan, @magnologan, Trend Micro",
"Yossi Weizman, Azure Defender Research Team",
"Ed Williams, Trustwave, SpiderLabs",
"Mohamed Kmal",
"ReliaQuest"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "2.8",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:12.218000+00:00\"}}}",
"previous_version": "2.8",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1027: Password Policies",
"M1032: Multi-factor Authentication",
"M1036: Account Use Policies"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0463: Brute Force Authentication Failures with Multi-Platform Log Correlation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:39:59.959000+00:00",
"modified": "2026-05-12 15:12:00.708000+00:00",
"name": "Credential Stuffing",
"description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1110/004",
"external_id": "T1110.004"
},
{
"source_name": "US-CERT TA18-068A 2018",
"description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Diogo Fernandes",
"Anastasios Pingios"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "1.7",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2025-10-24 17:49:14.923000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.7",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1027: Password Policies",
"M1032: Multi-factor Authentication",
"M1036: Account Use Policies"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0460: Credential Stuffing Detection via Reused Breached Credentials Across Services"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:38:56.197000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "Password Cracking",
"description": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A) \n\nTechniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1110/002",
"external_id": "T1110.002"
},
{
"source_name": "US-CERT-TA18-106A",
"description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
},
{
"source_name": "Wikipedia Password cracking",
"description": "Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.",
"url": "https://en.wikipedia.org/wiki/Password_cracking"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Mohamed Kmal"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Identity Provider",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"Windows"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:29.397000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1027: Password Policies",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0105: Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:38:22.617000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Password Guessing",
"description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n* SNMP (161/UDP and 162/TCP/UDP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1110/001",
"external_id": "T1110.001"
},
{
"source_name": "Trend Micro Emotet 2020",
"description": "Cybercrime & Digital Threat Team. (2020, February 13). Emotet Now Spreads via Wi-Fi. Retrieved February 16, 2022.",
"url": "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi"
},
{
"source_name": "Cylance Cleaver",
"description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.",
"url": "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
},
{
"source_name": "US-CERT TA18-068A 2018",
"description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Microsoft Threat Intelligence Center (MSTIC)",
"Mohamed Kmal"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "1.7",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:21.929000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.7",
"changelog_mitigations": {
"shared": [
"M1027: Password Policies",
"M1032: Multi-factor Authentication",
"M1036: Account Use Policies",
"M1051: Update Software"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0551: Password Guessing via Multi-Source Authentication Failure Correlation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--800f9819-7007-4540-a520-40e655876800",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-03-30 17:54:03.944000+00:00",
"modified": "2026-05-12 15:12:00.662000+00:00",
"name": "Build Image on Host",
"description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1612",
"external_id": "T1612"
},
{
"source_name": "Aqua Build Images on Hosts",
"description": "Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.",
"url": "https://blog.aquasec.com/malicious-container-image-docker-container-host"
},
{
"source_name": "Docker Build Image",
"description": "Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021.",
"url": "https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild"
},
{
"source_name": "Aqua Security Cloud Native Threat Report June 2021",
"description": "Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. Retrieved August 26, 2021.",
"url": "https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security",
"Roi Kol, @roykol1, Team Nautilus Aqua Security",
"Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security",
"Vishwas Manral, McAfee"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.662000+00:00\", \"old_value\": \"2026-04-15 19:56:51.027000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1030: Network Segmentation",
"M1035: Limit Access to Resource Over Network",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0459: Detection Strategy for Build Image on Host"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:25.967000+00:00",
"modified": "2026-05-12 15:12:00.624000+00:00",
"name": "Clipboard Data",
"description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFor example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users\u2019 clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)\n\nmacOS and Linux also have commands, such as pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1115",
"external_id": "T1115"
},
{
"source_name": "CISA_AA21_200B",
"description": "CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022.",
"url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-200b"
},
{
"source_name": "mining_ruby_reversinglabs",
"description": "Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022.",
"url": "https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems"
},
{
"source_name": "clip_win_server",
"description": "Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022.",
"url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip"
},
{
"source_name": "MSDN Clipboard",
"description": "Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.",
"url": "https://msdn.microsoft.com/en-us/library/ms649012"
},
{
"source_name": "Operating with EmPyre",
"description": "rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.",
"url": "https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:36.079000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0341: Clipboard Data Access with Anomalous Context"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-03-13 15:26:11.741000+00:00",
"modified": "2026-05-12 15:12:00.721000+00:00",
"name": "Cloud Administration Command",
"description": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment\u2019s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1651",
"external_id": "T1651"
},
{
"source_name": "AWS Systems Manager Run Command",
"description": "AWS. (n.d.). AWS Systems Manager Run Command. Retrieved March 13, 2023.",
"url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html"
},
{
"source_name": "MSTIC Nobelium Oct 2021",
"description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
"url": "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
},
{
"source_name": "Microsoft Run Command",
"description": "Microsoft. (2023, March 10). Run scripts in your VM by using Run Command. Retrieved March 13, 2023.",
"url": "https://learn.microsoft.com/en-us/azure/virtual-machines/run-command-overview"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Cisco",
"Nichols Jasper",
"Jared Wilson",
"Caio Silva",
"Adrien Bataille",
"Anders Vejlby",
"Nader Zaveri",
"Tamir Yehuda"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.721000+00:00\", \"old_value\": \"2025-04-15 19:59:13.081000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.1",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0545: Detection Strategy for Cloud Administration Command"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-08-20 17:51:25.671000+00:00",
"modified": "2026-05-12 15:12:00.635000+00:00",
"name": "Cloud Infrastructure Discovery",
"description": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket\u2019s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1580",
"external_id": "T1580"
},
{
"source_name": "Expel IO Evil in AWS",
"description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.",
"url": "https://expel.io/blog/finding-evil-in-aws/"
},
{
"source_name": "AWS Head Bucket",
"description": "Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February 14, 2022.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html"
},
{
"source_name": "AWS Get Public Access Block",
"description": "Amazon Web Services. (n.d.). Retrieved May 28, 2021.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html"
},
{
"source_name": "AWS Describe DB Instances",
"description": "Amazon Web Services. (n.d.). Retrieved May 28, 2021.",
"url": "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html"
},
{
"source_name": "Amazon Describe Instance",
"description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.",
"url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html"
},
{
"source_name": "Amazon Describe Instances API",
"description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.",
"url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html"
},
{
"source_name": "Google Compute Instances",
"description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.",
"url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
},
{
"source_name": "Microsoft AZ CLI",
"description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.",
"url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest"
},
{
"source_name": "Malwarebytes OSINT Leaky Buckets - Hioureas",
"description": "Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating leaky buckets into your OSINT workflow. Retrieved February 14, 2022.",
"url": "https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Regina Elwell",
"Praetorian",
"Isif Ibrahima, Mandiant"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:49.479000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0169: Detection Strategy for Cloud Infrastructure Discovery"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-08-30 13:01:10.120000+00:00",
"modified": "2026-05-12 15:12:00.722000+00:00",
"name": "Cloud Service Discovery",
"description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685) or [Disable or Modify Cloud Log](https://attack.mitre.org/techniques/T1685/002).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1526",
"external_id": "T1526"
},
{
"source_name": "Azure AD Graph API",
"description": "Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020.",
"url": "https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview"
},
{
"source_name": "Azure - Resource Manager API",
"description": "Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020.",
"url": "https://docs.microsoft.com/en-us/rest/api/resources/"
},
{
"source_name": "Azure - Stormspotter",
"description": "Microsoft. (2020). Azure Stormspotter GitHub. Retrieved June 17, 2020.",
"url": "https://github.com/Azure/Stormspotter"
},
{
"source_name": "GitHub Pacu",
"description": "Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.",
"url": "https://github.com/RhinoSecurityLabs/pacu"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Suzy Schapperle - Microsoft Azure Red Team",
"Praetorian",
"Thanabodi Phrakhun, I-SECURE",
"Arun Seelagan, CISA"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider",
"Office Suite",
"SaaS"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-17 14:17:35.798000+00:00\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0402: Detection Strategy for Cloud Service Discovery"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--8565825b-21c8-4518-b75e-cbc4c717a156",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-01 17:58:26.445000+00:00",
"modified": "2026-05-12 15:12:00.685000+00:00",
"name": "Cloud Storage Object Discovery",
"description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.\n\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1619",
"external_id": "T1619"
},
{
"source_name": "ListObjectsV2",
"description": "Amazon - ListObjectsV2. Retrieved October 4, 2021.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html"
},
{
"source_name": "List Blobs",
"description": "Microsoft - List Blobs. (n.d.). Retrieved October 4, 2021.",
"url": "https://docs.microsoft.com/en-us/rest/api/storageservices/list-blobs"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Regina Elwell",
"Isif Ibrahima, Mandiant"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.685000+00:00\", \"old_value\": \"2025-10-24 17:49:03.853000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0578: Detection Strategy for Cloud Storage Object Discovery"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:49.546000+00:00",
"modified": "2026-05-12 15:12:00.641000+00:00",
"name": "Command and Scripting Interpreter",
"description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059",
"external_id": "T1059"
},
{
"source_name": "Remote Shell Execution in Python",
"description": "Abdou Rockikz. (2020, July). How to Execute Shell Commands in a Remote Machine in Python. Retrieved July 26, 2021.",
"url": "https://www.thepythoncode.com/article/executing-bash-commands-remotely-in-python"
},
{
"source_name": "Cisco IOS Software Integrity Assurance - Command History",
"description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.",
"url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23"
},
{
"source_name": "Powershell Remote Commands",
"description": "Microsoft. (2020, August 21). Running Remote Commands. Retrieved July 26, 2021.",
"url": "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.7",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-01-27 20:03:38.098000+00:00\"}}}",
"previous_version": "2.7",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1026: Privileged Account Management",
"M1033: Limit Software Installation",
"M1038: Execution Prevention",
"M1040: Behavior Prevention on Endpoint",
"M1042: Disable or Remove Feature or Program",
"M1045: Code Signing",
"M1047: Audit",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0516: Behavioral Detection of Command and Scripting Interpreter Abuse"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:07:54.329000+00:00",
"modified": "2026-05-12 15:12:00.626000+00:00",
"name": "AppleScript",
"description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call osascript to execute. However, they may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s\u00a0NSAppleScript\u00a0or\u00a0OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/002",
"external_id": "T1059.002"
},
{
"source_name": "Apple AppleScript",
"description": "Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020.",
"url": "https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html"
},
{
"source_name": "SentinelOne macOS Red Team",
"description": "Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.",
"url": "https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/"
},
{
"source_name": "SentinelOne AppleScript",
"description": "Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020.",
"url": "https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/"
},
{
"source_name": "Macro Malware Targets Macs",
"description": "Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.",
"url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Phil Stokes, SentinelOne"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2025-10-24 17:48:39.348000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention",
"M1045: Code Signing"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0414: Detection of AppleScript-Based Execution on macOS"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--55bb4471-ff1f-43b4-88c1-c9384ec47abf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-03-17 13:28:24.989000+00:00",
"modified": "2026-05-12 15:12:00.634000+00:00",
"name": "Cloud API",
"description": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). \n\nCloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.\n\nWith proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/009",
"external_id": "T1059.009"
},
{
"source_name": "Microsoft - Azure PowerShell",
"description": "Microsoft. (2014, December 12). Azure/azure-powershell. Retrieved March 24, 2023.",
"url": "https://github.com/Azure/azure-powershell"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ozan Olali",
"Nichols Jasper",
"Jason Sevilla",
"Marcus Weeks",
"Caio Silva"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider",
"Office Suite",
"SaaS"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2025-04-15 19:58:32.612000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0078: Behavioral Detection of Malicious Cloud API Scripting"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-23 19:12:24.924000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "JavaScript",
"description": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple\u2019s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple\u2019s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple\u2019s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/007",
"external_id": "T1059.007"
},
{
"source_name": "Apple About Mac Scripting 2016",
"description": "Apple. (2016, June 13). About Mac Scripting. Retrieved April 14, 2021.",
"url": "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html"
},
{
"source_name": "MDSec macOS JXA and VSCode",
"description": "Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans with VSCode Extensions. Retrieved April 20, 2021.",
"url": "https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/"
},
{
"source_name": "Microsoft JScript 2007",
"description": "Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript \u2026. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript"
},
{
"source_name": "Microsoft Windows Scripts",
"description": "Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/scripting/winscript/windows-script-interfaces"
},
{
"source_name": "JScrip May 2018",
"description": "Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/windows/win32/com/translating-to-jscript"
},
{
"source_name": "NodeJS",
"description": "OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.",
"url": "https://nodejs.org/"
},
{
"source_name": "SentinelOne macOS Red Team",
"description": "Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.",
"url": "https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/"
},
{
"source_name": "SpecterOps JXA 2020",
"description": "Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14, 2021.",
"url": "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
},
{
"source_name": "Red Canary Silver Sparrow Feb2021",
"description": "Tony Lambert. (2021, February 18). Clipping Silver Sparrow\u2019s wings: Outing macOS malware before it takes flight. Retrieved April 20, 2021.",
"url": "https://redcanary.com/blog/clipping-silver-sparrows-wings/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Cody Thomas, SpecterOps"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:24.217000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.2",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1038: Execution Prevention",
"M1040: Behavior Prevention on Endpoint",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0264: Cross-Platform Detection of JavaScript Execution Abuse"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-20 00:09:33.072000+00:00",
"modified": "2026-05-12 15:12:00.670000+00:00",
"name": "Network Device CLI",
"description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.(Citation: Cisco Synful Knock Evolution)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/008",
"external_id": "T1059.008"
},
{
"source_name": "Cisco IOS Software Integrity Assurance - Command History",
"description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.",
"url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23"
},
{
"source_name": "Cisco Synful Knock Evolution",
"description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
"url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.670000+00:00\", \"old_value\": \"2025-10-24 17:49:02.287000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management",
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0142: Behavioral Detection of CLI Abuse on Network Devices"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 13:48:55.078000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "PowerShell",
"description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/001",
"external_id": "T1059.001"
},
{
"source_name": "Microsoft PSfromCsharp APR 2014",
"description": "Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019.",
"url": "https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/"
},
{
"source_name": "SilentBreak Offensive PS Dec 2015",
"description": "Christensen, L.. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018.",
"url": "https://web.archive.org/web/20190508170150/https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/"
},
{
"source_name": "FireEye PowerShell Logging 2016",
"description": "Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"
},
{
"source_name": "Github PSAttack",
"description": "Haight, J. (2016, April 21). PS>Attack. Retrieved September 27, 2024.",
"url": "https://github.com/Exploit-install/PSAttack-1"
},
{
"source_name": "inv_ps_attacks",
"description": "Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.",
"url": "https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/"
},
{
"source_name": "Malware Archaeology PowerShell Cheat Sheet",
"description": "Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.",
"url": "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf"
},
{
"source_name": "TechNet PowerShell",
"description": "Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.",
"url": "https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx"
},
{
"source_name": "Sixdub PowerPick Jan 2016",
"description": "Warner, J.. (2015, January 6). Inexorable PowerShell \u2013 A Red Teamer\u2019s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018.",
"url": "https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Mayuresh Dani, Qualys",
"Praetorian",
"Ross Brittain"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:07.660000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1038: Execution Prevention",
"M1042: Disable or Remove Feature or Program",
"M1045: Code Signing",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0455: Abuse of PowerShell for Arbitrary Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:38:24.334000+00:00",
"modified": "2026-05-12 15:12:00.716000+00:00",
"name": "Python",
"description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/006",
"external_id": "T1059.006"
},
{
"source_name": "Zscaler APT31 Covid-19 October 2020",
"description": "Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.",
"url": "https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2025-10-24 17:49:23.660000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1033: Limit Software Installation",
"M1038: Execution Prevention",
"M1047: Audit",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0063: Cross-Platform Behavioral Detection of Python Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:15:05.330000+00:00",
"modified": "2026-05-12 15:12:00.707000+00:00",
"name": "Unix Shell",
"description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.\n\nSome systems, such as embedded devices, lightweight Linux distributions, and ESXi servers, may leverage stripped-down Unix shells via Busybox, a small executable that contains a variety of tools, including a simple shell.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/004",
"external_id": "T1059.004"
},
{
"source_name": "Apple ZShell",
"description": "Apple. (2020, January 28). Use zsh as the default shell on your Mac. Retrieved June 12, 2020.",
"url": "https://support.apple.com/HT208050"
},
{
"source_name": "DieNet Bash",
"description": "die.net. (n.d.). bash(1) - Linux man page. Retrieved June 12, 2020.",
"url": "https://linux.die.net/man/1/bash"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:12.476000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0384: Behavioral Detection of Unix Shell Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:29:51.508000+00:00",
"modified": "2026-05-12 15:12:00.722000+00:00",
"name": "Visual Basic",
"description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking )",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/005",
"external_id": "T1059.005"
},
{
"source_name": "VB .NET Mar 2020",
"description": ".NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020.",
"url": "https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/"
},
{
"source_name": "Default VBS macros Blocking ",
"description": "Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.",
"url": "https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805"
},
{
"source_name": "Microsoft VBScript",
"description": "Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.",
"url": "https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)"
},
{
"source_name": "Microsoft VBA",
"description": "Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/office/vba/api/overview/"
},
{
"source_name": "VB Microsoft",
"description": "Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/dotnet/visual-basic/"
},
{
"source_name": "Wikipedia VBA",
"description": "Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020.",
"url": "https://en.wikipedia.org/wiki/Visual_Basic_for_Applications"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:29.678000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1038: Execution Prevention",
"M1040: Behavior Prevention on Endpoint",
"M1042: Disable or Remove Feature or Program",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0076: Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:12:31.196000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Windows Command Shell",
"description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/003",
"external_id": "T1059.003"
},
{
"source_name": "SSH in Windows",
"description": "Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.",
"url": "https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:25.722000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0202: Behavioral Detection of Windows Command Shell Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-05-27 14:30:01.904000+00:00",
"modified": "2026-05-12 15:12:00.628000+00:00",
"name": "Cloud Accounts",
"description": "Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)\n\nA variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1586/003",
"external_id": "T1586.003"
},
{
"source_name": "Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022",
"description": "Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.",
"url": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/"
},
{
"source_name": "Awake Security C2 Cloud",
"description": "Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.",
"url": "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/"
},
{
"source_name": "Netcraft SendGrid 2024",
"description": "Graham Edgecombe. (2024, February 7). Phishception \u2013 SendGrid is abused to host phishing attacks impersonating itself. Retrieved October 15, 2024.",
"url": "https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/"
},
{
"source_name": "MSTIC Nobelium Oct 2021",
"description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
"url": "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Francesco Bigarella"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:41.215000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0879: Detection of Cloud Accounts"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 01:20:53.104000+00:00",
"modified": "2026-05-12 15:12:00.628000+00:00",
"name": "Email Accounts",
"description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or [Phishing](https://attack.mitre.org/techniques/T1566) emails may evade reputation-based email filtering rules.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1586/002",
"external_id": "T1586.002"
},
{
"source_name": "AnonHBGary",
"description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.",
"url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/"
},
{
"source_name": "Microsoft DEV-0537",
"description": "Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.",
"url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Tristan Bennett, Seamless Intelligence",
"Bryan Onel"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:41.309000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0861: Detection of Email Accounts"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:18:34.279000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Compromise Host Software Binary",
"description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary\u2019s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\n\nAfter modifying a binary, an adversary may attempt to impair defenses by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1554",
"external_id": "T1554"
},
{
"source_name": "Google Cloud Mandiant UNC3886 2024",
"description": " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations"
},
{
"source_name": "Unit42 Banking Trojans Hooking 2022",
"description": "Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.",
"url": "https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n"
},
{
"source_name": "ESET FontOnLake Analysis 2021",
"description": "Vladislav Hr\u010dka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.",
"url": "https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"CrowdStrike Falcon OverWatch",
"Liran Ravich, CardinalOps",
"Jamie Williams (U \u03c9 U), PANW Unit 42"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-16 18:57:08.883000+00:00\"}}}",
"previous_version": "2.2",
"changelog_mitigations": {
"shared": [
"M1045: Code Signing"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0336: Detect Compromise of Host Software Binaries"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 00:58:35.269000+00:00",
"modified": "2026-05-12 15:12:00.669000+00:00",
"name": "Botnet",
"description": "Adversaries may compromise numerous third-party systems to form a botnet\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1584/005",
"external_id": "T1584.005"
},
{
"source_name": "Dell Dridex Oct 2015",
"description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.",
"url": "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation"
},
{
"source_name": "Imperva DDoS for Hire",
"description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020.",
"url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/"
},
{
"source_name": "Norton Botnet",
"description": "Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020.",
"url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.669000+00:00\", \"old_value\": \"2025-10-24 17:49:02.197000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0883: Detection of Botnet"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 00:51:28.513000+00:00",
"modified": "2026-05-12 15:12:00.726000+00:00",
"name": "Domains",
"description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)\n\nAdversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1584/001",
"external_id": "T1584.001"
},
{
"source_name": "Krebs DNS Hijack 2019",
"description": "Brian Krebs. (2019, February 18). A Deep Dive on the Recent Widespread DNS Hijacking Attacks. Retrieved February 14, 2022.",
"url": "https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/"
},
{
"source_name": "ICANNDomainNameHijacking",
"description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved November 17, 2024.",
"url": "https://www.icann.org/en/ssac/registration-services/documents/sac-007-domain-name-hijacking-incidents-threats-risks-and-remediation-12-07-2005-en"
},
{
"source_name": "Palo Alto Unit 42 Domain Shadowing 2022",
"description": "Janos Szurdi, Rebekah Houser and Daiping Liu. (2022, September 21). Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime. Retrieved March 7, 2023.",
"url": "https://unit42.paloaltonetworks.com/domain-shadowing/"
},
{
"source_name": "Microsoft Sub Takeover 2020",
"description": "Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020.",
"url": "https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jeremy Galloway"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2025-10-24 17:49:38.448000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0863: Detection of Domains"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--149b477f-f364-4824-b1b5-aa1d56115869",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-03-28 03:29:35.616000+00:00",
"modified": "2026-05-12 15:12:00.621000+00:00",
"name": "Network Devices",
"description": "Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment, but rather to leverage these devices to support additional targeting.\n\nOnce an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (i.e., [Link Target](https://attack.mitre.org/techniques/T1608/005)) or enabling the required access to execute [Content Injection](https://attack.mitre.org/techniques/T1659) operations. Adversaries may also be able to harvest reusable credentials (i.e., [Valid Accounts](https://attack.mitre.org/techniques/T1078)) from compromised network devices.\n\nAdversaries often target Internet-facing edge devices and related network appliances that specifically do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nCompromised network devices may be used to support subsequent [Command and Control](https://attack.mitre.org/tactics/TA0011) activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Botnet](https://attack.mitre.org/techniques/T1584/005) network.(Citation: Justice GRU 2024)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1584/008",
"external_id": "T1584.008"
},
{
"source_name": "Wired Russia Cyberwar",
"description": "Greenberg, A. (2022, November 10). Russia\u2019s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless. Retrieved March 22, 2023.",
"url": "https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/"
},
{
"source_name": "Mandiant Fortinet Zero Day",
"description": "Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.",
"url": "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem"
},
{
"source_name": "Justice GRU 2024",
"description": "Office of Public Affairs. (2024, February 15). Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation\u2019s Main Intelligence Directorate of the General Staff (GRU). Retrieved March 28, 2024.",
"url": "https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gavin Knapp"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-22 03:56:34.319000+00:00\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0859: Detection of Network Devices"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 00:56:25.135000+00:00",
"modified": "2026-05-12 15:12:00.722000+00:00",
"name": "Server",
"description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1584/004",
"external_id": "T1584.004"
},
{
"source_name": "TrendMicro EarthLusca 2022",
"description": "Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca\u2019s Operations. Retrieved July 1, 2022.",
"url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"
},
{
"source_name": "Koczwara Beacon Hunting Sep 2021",
"description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.",
"url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2"
},
{
"source_name": "Mandiant SCANdalous Jul 2020",
"description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Dor Edry, Microsoft"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:30.616000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0874: Detection of Server"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 00:55:17.771000+00:00",
"modified": "2026-05-12 15:12:00.627000+00:00",
"name": "Virtual Private Server",
"description": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1584/003",
"external_id": "T1584.003"
},
{
"source_name": "Koczwara Beacon Hunting Sep 2021",
"description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.",
"url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2"
},
{
"source_name": "NSA NCSC Turla OilRig",
"description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.",
"url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf"
},
{
"source_name": "Mandiant SCANdalous Jul 2020",
"description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2025-10-24 17:48:40.055000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0854: Detection of Virtual Private Server"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--635cbe30-392d-4e27-978e-66774357c762",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-28 13:50:22.506000+00:00",
"modified": "2026-05-12 15:12:00.636000+00:00",
"name": "Local Account",
"description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \n\nFor example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the dscl -create command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\n\nAdversaries may also create new local accounts on network firewall management consoles \u2013 for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1136/001",
"external_id": "T1136.001"
},
{
"source_name": "cisco_username_cmd",
"description": "Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.",
"url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630"
},
{
"source_name": "Cyber Security News",
"description": "Kaaviya. (n.d.). SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy Ransomware. Retrieved September 22, 2025.",
"url": "https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/"
},
{
"source_name": "Kubernetes Service Accounts Security",
"description": "Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.",
"url": "https://kubernetes.io/docs/concepts/security/service-accounts/"
},
{
"source_name": "Microsoft User Creation Event",
"description": "Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Austin Clark, @c2defense"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2025-10-24 17:48:51.903000+00:00\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0447: T1136.001 Detection Strategy - Local Account Creation Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-10 16:03:18.865000+00:00",
"modified": "2026-05-12 15:12:00.621000+00:00",
"name": "Create or Modify System Process",
"description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543",
"external_id": "T1543"
},
{
"source_name": "AppleDocs Launch Agent Daemons",
"description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
"url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
},
{
"source_name": "TechNet Services",
"description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.",
"url": "https://technet.microsoft.com/en-us/library/cc772408.aspx"
},
{
"source_name": "OSX Malware Detection",
"description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.",
"url": "https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-24 17:48:24.896000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management",
"M1028: Operating System Configuration",
"M1033: Limit Software Installation",
"M1040: Behavior Prevention on Endpoint",
"M1045: Code Signing",
"M1047: Audit",
"M1054: Software Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0571: Detection of System Process Creation or Modification Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-17 16:10:58.592000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Launch Agent",
"description": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\n\n Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\n \nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543/001",
"external_id": "T1543.001"
},
{
"source_name": "AppleDocs Launch Agent Daemons",
"description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
"url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
},
{
"source_name": "Sofacy Komplex Trojan",
"description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
},
{
"source_name": "OceanLotus for OS X",
"description": "Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.",
"url": "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update"
},
{
"source_name": "OSX Keydnap malware",
"description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
"url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
},
{
"source_name": "Methods of Mac Malware Persistence",
"description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
"url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
},
{
"source_name": "OSX Malware Detection",
"description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.",
"url": "https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf"
},
{
"source_name": "Antiquated Mac Malware",
"description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
},
{
"source_name": "OSX.Dok Malware",
"description": "Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Antonio Piazza, @antman1p"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:25.367000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0434: Detection of Launch Agent Creation or Modification on macOS"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-17 16:15:19.870000+00:00",
"modified": "2026-05-12 15:12:00.722000+00:00",
"name": "Systemd Service",
"description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \n\nInside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \n\nAdversaries have created new service files, altered the commands a `.service` file\u2019s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) \n\nThe `.service` file\u2019s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions. \n\nSystemd services can be created via systemd generators, which support the dynamic generation of unit files. Systemd generators are small executables that run during boot or configuration reloads to dynamically create or modify systemd unit files by converting non-native configurations into services, symlinks, or drop-ins (i.e., [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037)).(Citation: Elastic Security Labs Linux Persistence 2024)(Citation: Pepe Berba Systemd 2022)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543/002",
"external_id": "T1543.002"
},
{
"source_name": "airwalk backdoor unix systems",
"description": "airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.",
"url": "http://www.ouah.org/backdoors.html"
},
{
"source_name": "Anomali Rocke March 2019",
"description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.",
"url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
},
{
"source_name": "freedesktop systemd.service",
"description": "Free Desktop. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 20, 2023.",
"url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
},
{
"source_name": "Linux man-pages: systemd January 2014",
"description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.",
"url": "http://man7.org/linux/man-pages/man1/systemd.1.html"
},
{
"source_name": "Pepe Berba Systemd 2022",
"description": "Pepe Berba. (2022, February 7). Hunting for Persistence in Linux (Part 5): Systemd Generators. Retrieved April 8, 2025.",
"url": "https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/"
},
{
"source_name": "Berba hunting linux systemd",
"description": "Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.",
"url": "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
},
{
"source_name": "Rapid7 Service Persistence 22JUNE2016",
"description": "Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.",
"url": "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence"
},
{
"source_name": "Elastic Security Labs Linux Persistence 2024",
"description": "Ruben Groenewoud. (2024, August 20). Linux Detection Engineering - A primer on persistence mechanisms. Retrieved March 18, 2025.",
"url": "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"
},
{
"source_name": "lambert systemd 2022",
"description": "Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023.",
"url": "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Tony Lambert, Red Canary",
"Emad Al-Mousa, Saudi Aramco",
"Tim (Wadhwa-)Brown",
"Ruben Groenewoud (@RFGroenewoud)"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux"
],
"x_mitre_version": "1.6",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:29.942000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.6",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management",
"M1033: Limit Software Installation"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0253: Detection of Systemd Service Creation or Modification on Linux"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-17 19:13:50.402000+00:00",
"modified": "2026-05-12 15:12:00.623000+00:00",
"name": "Windows Service",
"description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.\n\nAdversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. \n\nAdversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create \u2018hidden\u2019 services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543/003",
"external_id": "T1543.003"
},
{
"source_name": "Microsoft Windows Event Forwarding FEB 2018",
"description": "Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.",
"url": "https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection"
},
{
"source_name": "ESET InvisiMole June 2020",
"description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
},
{
"source_name": "SANS 1",
"description": "Joshua Wright. (2020, October 13). Retrieved March 22, 2024.",
"url": "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"
},
{
"source_name": "SANS 2",
"description": "Joshua Wright. (2020, October 14). Retrieved March 22, 2024.",
"url": "https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/"
},
{
"source_name": "TechNet Services",
"description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.",
"url": "https://technet.microsoft.com/en-us/library/cc772408.aspx"
},
{
"source_name": "Microsoft 4697 APR 2017",
"description": "Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.",
"url": "https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697"
},
{
"source_name": "Symantec W.32 Stuxnet Dossier",
"description": "Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.",
"url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
},
{
"source_name": "Unit42 AcidBox June 2020",
"description": "Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.",
"url": "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
},
{
"source_name": "TechNet Autoruns",
"description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
"url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
},
{
"source_name": "Crowdstrike DriveSlayer February 2022",
"description": "Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.",
"url": "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Matthew Demaske, Adaptforward",
"Pedro Harrison",
"Mayuresh Dani, Qualys",
"Wietze Beukema @Wietze",
"Akshat Pradhan, Qualys",
"Wirapong Petshagun"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.6",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-23 18:48:07.774000+00:00\"}}}",
"previous_version": "1.6",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1028: Operating System Configuration",
"M1040: Behavior Prevention on Endpoint",
"M1045: Code Signing",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0552: Detection of Windows Service Creation or Modification"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:48:28.456000+00:00",
"modified": "2026-05-12 15:12:00.628000+00:00",
"name": "Credentials from Password Stores",
"description": "Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1555",
"external_id": "T1555"
},
{
"source_name": "F-Secure The Dukes",
"description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.",
"url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:41.974000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1051: Update Software"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0430: Detect Credentials Access from Password Stores"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cfb525cc-5494-401d-a82b-2539ca46a561",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-09-25 12:41:26.501000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Cloud Secrets Management Stores",
"description": "Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. \n\nSecrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables. \n\nIf an adversary is able to gain sufficient privileges in a cloud environment \u2013 for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets \u2013 they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)\n\n**Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1555/006",
"external_id": "T1555.006"
},
{
"source_name": "Sysdig ScarletEel 2.0 2023",
"description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.",
"url": "https://sysdig.com/blog/scarleteel-2-0/"
},
{
"source_name": "AWS Secrets Manager",
"description": "AWS. (n.d.). Retrieve secrets from AWS Secrets Manager. Retrieved September 25, 2023.",
"url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html"
},
{
"source_name": "Google Cloud Secrets",
"description": "Google Cloud. (n.d.). List secrets and view secret details. Retrieved September 25, 2023.",
"url": "https://cloud.google.com/secret-manager/docs/view-secret-details"
},
{
"source_name": "Permiso Scattered Spider 2023",
"description": "Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.",
"url": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
},
{
"source_name": "Microsoft Azure Key Vault",
"description": "Microsoft. (2023, January 13). Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI. Retrieved September 25, 2023.",
"url": "https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Martin McCloskey, Datadog"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-04-15 22:03:00.834000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0130: Detect Unauthorized Access to Cloud Secrets Management Stores"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-12 18:57:36.041000+00:00",
"modified": "2026-05-12 15:12:00.635000+00:00",
"name": "Credentials from Web Browsers",
"description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim\u2019s cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1555/003",
"external_id": "T1555.003"
},
{
"source_name": "GitHub Mimikittenz July 2016",
"description": "Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.",
"url": "https://github.com/putterpanda/mimikittenz"
},
{
"source_name": "Talos Olympic Destroyer 2018",
"description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.",
"url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
},
{
"source_name": "Microsoft CryptUnprotectData April 2018",
"description": "Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved June 18, 2019.",
"url": "https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata"
},
{
"source_name": "Proofpoint Vega Credential Stealer May 2018",
"description": "Proofpoint. (2018, May 10). New Vega Stealer shines brightly in targeted campaign . Retrieved June 18, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign"
},
{
"source_name": "FireEye HawkEye Malware July 2017",
"description": "Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18, 2019.",
"url": "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ryan Benson, Exabeam",
"Barry Shteiman, Exabeam",
"Sylvain Gil, Exabeam",
"RedHuntLabs, @redhuntlabs",
"Don Le, Stifel Financial"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:49.577000+00:00\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management",
"M1021: Restrict Web-Based Content",
"M1027: Password Policies",
"M1051: Update Software"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0037: Detect Suspicious Access to Browser Credential Stores"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-12 18:55:24.728000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "Keychain",
"description": "Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple\u2019s iCloud service. \n\nKeychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann)\n\nAdversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain \u2013d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user\u2019s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1555/001",
"external_id": "T1555.001"
},
{
"source_name": "External to DA, the OS X Way",
"description": "Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.",
"url": "https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418"
},
{
"source_name": "Keychain Services Apple",
"description": "Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.",
"url": "https://developer.apple.com/documentation/security/keychain_services"
},
{
"source_name": "Empire Keychain Decrypt",
"description": "Empire. (2018, March 8). Empire keychaindump_decrypt Module. Retrieved April 14, 2022.",
"url": "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py"
},
{
"source_name": "OSX Keychain Schaumann",
"description": "Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.",
"url": "https://www.netmeister.org/blog/keychain-passwords.html"
},
{
"source_name": "Keychain Decryption Passware",
"description": "Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption. Retrieved April 13, 2022.",
"url": "https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:29.756000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1027: Password Policies"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0396: Detect Access to macOS Keychain for Credential Theft"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-03-14 18:47:17.701000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Data Destruction",
"description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\n\nIn cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) Similarly, they may delete virtual machines from on-prem virtualized environments.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1485",
"external_id": "T1485"
},
{
"source_name": "DOJ - Cisco Insider",
"description": "DOJ. (2020, August 26). San Jose Man Pleads Guilty To Damaging Cisco\u2019s Network. Retrieved December 15, 2020.",
"url": "https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network"
},
{
"source_name": "Unit 42 Shamoon3 2018",
"description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
"url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/"
},
{
"source_name": "Palo Alto Shamoon Nov 2016",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
"url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
},
{
"source_name": "FireEye Shamoon Nov 2016",
"description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20210126065851/https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"
},
{
"source_name": "Kaspersky StoneDrill 2017",
"description": "Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.",
"url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf"
},
{
"source_name": "Talos Olympic Destroyer 2018",
"description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.",
"url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
},
{
"source_name": "Data Destruction - Threat Post",
"description": "Mimoso, M.. (2014, June 18). Hacker Puts Hosting Service Code Spaces Out of Business. Retrieved December 15, 2020.",
"url": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"
},
{
"source_name": "Symantec Shamoon 2012",
"description": "Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.",
"url": "https://www.symantec.com/connect/blogs/shamoon-attacks"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Brent Murphy, Elastic",
"David French, Elastic",
"Syed Ummar Farooqh, McAfee",
"Prasad Somasamudram, McAfee",
"Sekhar Sarukkai, McAfee",
"Varonis Threat Labs",
"Joey Lei"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_impact_type": [
"Availability"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"IaaS",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:27.149000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1032: Multi-factor Authentication",
"M1053: Data Backup"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0146: Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:43.540000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Data Encoding",
"description": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1132",
"external_id": "T1132"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "Wikipedia Binary-to-text Encoding",
"description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.",
"url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding"
},
{
"source_name": "Wikipedia Character Encoding",
"description": "Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.",
"url": "https://en.wikipedia.org/wiki/Character_encoding"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Itzik Kotler, SafeBreach"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:23.915000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0108: Detection Strategy for Data Encoding in C2 Channels"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-14 23:39:50.117000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Non-Standard Encoding",
"description": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1132/002",
"external_id": "T1132.002"
},
{
"source_name": "Wikipedia Binary-to-text Encoding",
"description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.",
"url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding"
},
{
"source_name": "Wikipedia Character Encoding",
"description": "Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.",
"url": "https://en.wikipedia.org/wiki/Character_encoding"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-21 18:10:25.277000+00:00\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0326: Behavior-chain detection for T1132.002 Data Encoding: Non-Standard Encoding across Windows, Linux, macOS, ESXi"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-14 23:36:52.095000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Standard Encoding",
"description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1132/001",
"external_id": "T1132.001"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "Wikipedia Binary-to-text Encoding",
"description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.",
"url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding"
},
{
"source_name": "Wikipedia Character Encoding",
"description": "Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.",
"url": "https://en.wikipedia.org/wiki/Character_encoding"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:20.938000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0124: Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-03-15 13:59:30.390000+00:00",
"modified": "2026-05-12 15:12:00.709000+00:00",
"name": "Data Encrypted for Impact",
"description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)\n\nIn the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) \n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as \"print bombing\").(Citation: NHS Digital Egregor Nov 2020)(Citation: Varonis)\n\nIn cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) For example, in AWS environments, adversaries may leverage services such as AWS\u2019s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.(Citation: Halcyon AWS Ransomware 2025)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1486",
"external_id": "T1486"
},
{
"source_name": "CarbonBlack Conti July 2020",
"description": "Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.",
"url": "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/"
},
{
"source_name": "FireEye WannaCry 2017",
"description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.",
"url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"
},
{
"source_name": "Rhino S3 Ransomware Part 1",
"description": "Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021.",
"url": "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/"
},
{
"source_name": "Halcyon AWS Ransomware 2025",
"description": "Halcyon RISE Team. (2025, January 13). Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C. Retrieved March 18, 2025.",
"url": "https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c"
},
{
"source_name": "Varonis",
"description": "Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.",
"url": "https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire"
},
{
"source_name": "Crowdstrike Hypervisor Jackpotting Pt 2 2021",
"description": "Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.",
"url": "https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
},
{
"source_name": "NHS Digital Egregor Nov 2020",
"description": "NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.",
"url": "https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary"
},
{
"source_name": "US-CERT Ransomware 2016",
"description": "US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019.",
"url": "https://www.us-cert.gov/ncas/alerts/TA16-091A"
},
{
"source_name": "US-CERT NotPetya 2017",
"description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.",
"url": "https://www.us-cert.gov/ncas/alerts/TA17-181A"
},
{
"source_name": "US-CERT SamSam 2018",
"description": "US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.",
"url": "https://www.us-cert.gov/ncas/alerts/AA18-337A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Oleg Kolesnikov, Securonix",
"Mayuresh Dani, Qualys",
"Harshal Tupsamudre, Qualys",
"Travis Smith, Qualys",
"ExtraHop"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_impact_type": [
"Availability"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"IaaS",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2025-10-24 17:49:16.589000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1053: Data Backup"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0215: Detection of Multi-Platform File Encryption for Impact"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ac9e6b22-11bf-45d7-9181-c1cb08360931",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-02 14:19:22.609000+00:00",
"modified": "2026-05-12 15:12:00.707000+00:00",
"name": "Data Manipulation",
"description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant Beetle Jan 2022) By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1565",
"external_id": "T1565"
},
{
"source_name": "Sygnia Elephant Beetle Jan 2022",
"description": "Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.",
"url": "https://web.archive.org/web/20220105132433/https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_impact_type": [
"Integrity"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-01-20 15:10:23.526000+00:00\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1029: Remote Data Storage",
"M1030: Network Segmentation",
"M1041: Encrypt Sensitive Information"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0059: Detection Strategy for Data Manipulation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-02 14:27:00.693000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Transmitted Data Manipulation",
"description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1565/002",
"external_id": "T1565.002"
},
{
"source_name": "DOJ Lazarus Sony 2018",
"description": "Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.",
"url": "https://www.justice.gov/opa/press-release/file/1092091/download"
},
{
"source_name": "FireEye APT38 Oct 2018",
"description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.",
"url": "https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_impact_type": [
"Integrity"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-11-13 19:21:05.133000+00:00\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1041: Encrypt Sensitive Information"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0254: Detection Strategy of Transmitted Data Manipulation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:18.931000+00:00",
"modified": "2026-05-12 15:12:00.707000+00:00",
"name": "Data Obfuscation",
"description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1001",
"external_id": "T1001"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "Bitdefender FunnyDream Campaign November 2020",
"description": "Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.",
"url": "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:13.380000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0053: Detect Obfuscated C2 via Network Traffic Analysis"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-15 00:30:25.444000+00:00",
"modified": "2026-05-12 15:12:00.725000+00:00",
"name": "Junk Data",
"description": "Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1001/001",
"external_id": "T1001.001"
},
{
"source_name": "FireEye SUNBURST Backdoor December 2020",
"description": "FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.725000+00:00\", \"old_value\": \"2025-10-24 17:49:38.011000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0011: Detecting Junk Data in C2 Channels via Behavioral Analysis"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-15 00:40:27.503000+00:00",
"modified": "2026-05-12 15:12:00.714000+00:00",
"name": "Protocol or Service Impersonation",
"description": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. \n\nAdversaries may also leverage legitimate protocols to impersonate expected web traffic or trusted services. For example, adversaries may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted data to disguise C2 communications or mimic legitimate services such as Gmail, Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation: Malleable-C2-U42)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1001/003",
"external_id": "T1001.003"
},
{
"source_name": "Malleable-C2-U42",
"description": "Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved September 24, 2024.",
"url": "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "ESET Okrum July 2019",
"description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"James Emery-Callcott, Emerging Threats Team, Proofpoint"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.714000+00:00\", \"old_value\": \"2025-10-24 17:49:20.574000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.1",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0470: Detecting Protocol or Service Impersonation via Anomalous TLS, HTTP Header, and Port Mismatch Correlation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:58.938000+00:00",
"modified": "2026-05-12 15:12:00.645000+00:00",
"name": "Data Staged",
"description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1074",
"external_id": "T1074"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
},
{
"source_name": "PWC Cloud Hopper April 2017",
"description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.",
"url": "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Praetorian",
"Shane Tully, @securitygypsy"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"IaaS",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.645000+00:00\", \"old_value\": \"2025-10-24 17:49:01.010000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0014: Detection of Data Staging Prior to Exfiltration"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 21:13:10.467000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "Local Data Staging",
"description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nAdversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1074/001",
"external_id": "T1074.001"
},
{
"source_name": "Prevailion DarkWatchman 2021",
"description": "Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.",
"url": "https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Massimiliano Romano, BT Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:28.868000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0261: Detection of Local Data Staging Prior to Exfiltration"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 21:14:58.206000+00:00",
"modified": "2026-05-12 15:12:00.626000+00:00",
"name": "Remote Data Staging",
"description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1074/002",
"external_id": "T1074.002"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"IaaS",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2025-10-24 17:48:38.453000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0071: Detection of Remote Data Staging Prior to Exfiltration"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-08-30 18:07:27.741000+00:00",
"modified": "2026-05-12 15:12:00.624000+00:00",
"name": "Data from Cloud Storage",
"description": "Adversaries may access data from cloud storage.\n\nMany IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \n\nIn some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). \n\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\n\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\n\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1530",
"external_id": "T1530"
},
{
"source_name": "Amazon S3 Security, 2019",
"description": "Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019.",
"url": "https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/"
},
{
"source_name": "Microsoft Azure Storage Security, 2019",
"description": "Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019.",
"url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide"
},
{
"source_name": "Wired Magecart S3 Buckets, 2019",
"description": "Barrett, B.. (2019, July 11). Hack Brief: A Card-Skimming Hacker Group Hit 17K Domains\u2014and Counting. Retrieved October 4, 2019.",
"url": "https://www.wired.com/story/magecart-amazon-cloud-hacks/"
},
{
"source_name": "Google Cloud Storage Best Practices, 2019",
"description": "Google. (2019, September 16). Best practices for Cloud Storage. Retrieved October 4, 2019.",
"url": "https://cloud.google.com/storage/docs/best-practices"
},
{
"source_name": "HIPAA Journal S3 Breach, 2017",
"description": "HIPAA Journal. (2017, October 11). 47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019.",
"url": "https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/"
},
{
"source_name": "Rclone-mega-extortion_05_2021",
"description": "Justin Schoenfeld, Aaron Didier. (2021, May 4). Transferring leverage in a ransomware attack. Retrieved July 14, 2022.",
"url": "https://redcanary.com/blog/rclone-mega-extortion/"
},
{
"source_name": "Trend Micro S3 Exposed PII, 2017",
"description": "Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed Almost 50 Thousand PII in Australia. Retrieved October 4, 2019.",
"url": "https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Netskope",
"Praetorian",
"AppOmni",
"Arun Seelagan, CISA"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Office Suite",
"SaaS"
],
"x_mitre_version": "2.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:37.187000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.2",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1032: Multi-factor Authentication",
"M1037: Filter Network Traffic",
"M1041: Encrypt Sensitive Information",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0484: Multi-Platform Cloud Storage Exfiltration Behavior Chain"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-20 00:08:21.745000+00:00",
"modified": "2026-05-12 15:12:00.633000+00:00",
"name": "Network Device Configuration Dump",
"description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1602/002",
"external_id": "T1602.002"
},
{
"source_name": "Cisco Blog Legacy Device Attacks",
"description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
"url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
},
{
"source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
"description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A"
},
{
"source_name": "US-CERT TA18-068A 2018",
"description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:47.219000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1030: Network Segmentation",
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic",
"M1041: Encrypt Sensitive Information",
"M1051: Update Software",
"M1054: Software Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0233: Detection Strategy for Network Device Configuration Dump via Config Repositories"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cff94884-3b1c-4987-a70b-6d5643c621c3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-11 18:51:16.343000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Code Repositories",
"description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)\n\n**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1213/003",
"external_id": "T1213.003"
},
{
"source_name": "Wired Uber Breach",
"description": "Andy Greenberg. (2017, January 21). Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach. Retrieved May 14, 2021.",
"url": "https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/"
},
{
"source_name": "Krebs Adobe",
"description": "Brian Krebs. (2013, October 3). Adobe To Announce Source Code, Customer Data Breach. Retrieved May 17, 2021.",
"url": "https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Itamar Mizrahi, Cymptom",
"Toby Kohlenberg",
"Josh Liburdi, @jshlbrd"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"SaaS"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:25.081000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management",
"M1032: Multi-factor Authentication",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0263: Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-14 13:09:51.004000+00:00",
"modified": "2026-05-12 15:12:00.643000+00:00",
"name": "Confluence",
"description": "\nAdversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1213/001",
"external_id": "T1213.001"
},
{
"source_name": "Atlassian Confluence Logging",
"description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.",
"url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"SaaS"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2025-10-24 17:48:59.776000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0358: Programmatic and Excessive Access to Confluence Documentation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-05-22 19:02:46.718000+00:00",
"modified": "2026-05-12 15:12:00.623000+00:00",
"name": "Databases",
"description": "Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). \n\nExamples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Data collected from databases may be used for [Lateral Movement](https://attack.mitre.org/tactics/TA0008), [Command and Control](https://attack.mitre.org/tactics/TA0011), or [Exfiltration](https://attack.mitre.org/tactics/TA0010). Data exfiltrated from databases may also be used to extort victims or may be sold for profit.(Citation: Google Cloud Threat Intelligence UNC5537 Snowflake 2024)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1213/006",
"external_id": "T1213.006"
},
{
"source_name": "Google Cloud Threat Intelligence UNC5537 Snowflake 2024",
"description": "Mandiant. (2024, June 10). UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion. Retrieved May 22, 2025.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Linux",
"macOS",
"SaaS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-21 23:54:04.429000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management",
"M1041: Encrypt Sensitive Information",
"M1047: Audit",
"M1054: Software Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0242: Suspicious Database Access and Dump Activity Across Environments (T1213.006)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-08-30 13:50:42.023000+00:00",
"modified": "2026-05-12 15:12:00.726000+00:00",
"name": "Messaging Applications",
"description": "Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications: \n\n* Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008)) \n* Source code snippets \n* Links to network shares and other internal resources \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.(Citation: Sentinel Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1213/005",
"external_id": "T1213.005"
},
{
"source_name": "Sentinel Labs NullBulge 2024",
"description": " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024.",
"url": "https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/"
},
{
"source_name": "Permiso Scattered Spider 2023",
"description": "Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.",
"url": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
},
{
"source_name": "SC Magazine Ragnar Locker 2021",
"description": "Joe Uchill. (2021, December 3). Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms. Retrieved August 30, 2024.",
"url": "https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms"
},
{
"source_name": "Guardian Grand Theft Auto Leak 2022",
"description": "Keza MacDonald, Keith Stuart and Alex Hern. (2022, September 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?. Retrieved August 30, 2024.",
"url": "https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen"
},
{
"source_name": "Microsoft DEV-0537",
"description": "Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.",
"url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Menachem Goldstein",
"Obsidian Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Office Suite",
"SaaS"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2025-04-15 22:48:58.763000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1047: Audit",
"M1060: Out-of-Band Communications Channel"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0567: Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-14 13:35:32.938000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Sharepoint",
"description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1213/002",
"external_id": "T1213.002"
},
{
"source_name": "Microsoft SharePoint Logging",
"description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.",
"url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arun Seelagan, CISA"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Office Suite",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:22.832000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0500: Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:20.537000+00:00",
"modified": "2026-05-12 15:12:00.628000+00:00",
"name": "Data from Local System",
"description": "Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1005",
"external_id": "T1005"
},
{
"source_name": "show_run_config_cmd_cisco",
"description": "Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022.",
"url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733"
},
{
"source_name": "Mandiant APT41 Global Intrusion ",
"description": "Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.",
"url": "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits"
},
{
"source_name": "US-CERT-TA18-106A",
"description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"William Cain",
"Austin Clark, @c2defense",
"Liran Ravich, CardinalOps"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.8",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:40.839000+00:00\"}}}",
"previous_version": "1.8",
"changelog_mitigations": {
"shared": [
"M1057: Data Loss Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0380: Detection of Local Data Collection Prior to Exfiltration"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-04-01 17:59:46.156000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "Debugger Evasion",
"description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\n\nSpecific checks will vary based on the target and/or adversary. On Windows, this may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). On Linux, this may involve querying `/proc/self/status` for the `TracerPID` field, which indicates whether or not the process is being traced by dynamic analysis tools.(Citation: Cado Security P2PInfect 2023)(Citation: Positive Technologies Hellhounds 2023) Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \u201cswallow\u201d or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nMalware may also leverage Structured Exception Handling (SEH) to detect debuggers by throwing an exception and detecting whether the process is suspended. SEH handles both hardware and software expectations, providing control over the exceptions including support for debugging. If a debugger is present, the program\u2019s control will be transferred to the debugger, and the execution of the code will be suspended. If the debugger is not present, control will be transferred to the SEH handler, which will automatically handle the exception and allow the program\u2019s execution to continue.(Citation: Apriorit)\n\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1622",
"external_id": "T1622"
},
{
"source_name": "Apriorit",
"description": "Apriorit. (2024, June 4). Anti Debugging Protection Techniques with Examples. Retrieved March 4, 2025.",
"url": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software"
},
{
"source_name": "Checkpoint Dridex Jan 2021",
"description": "Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.",
"url": "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/"
},
{
"source_name": "hasherezade debug",
"description": "hasherezade. (2021, June 30). Module 3 - Understanding and countering malware's evasion and self-defence. Retrieved April 1, 2022.",
"url": "https://github.com/hasherezade/malware_training_vol1/blob/main/slides/module3/Module3_2_fingerprinting.pdf"
},
{
"source_name": "Cado Security P2PInfect 2023",
"description": "jbowen. (2023, December 4). P2Pinfect - New Variant Targets MIPS Devices. Retrieved March 18, 2025.",
"url": "https://www.cadosecurity.com/blog/p2pinfect-new-variant-targets-mips-devices"
},
{
"source_name": "AlKhaser Debug",
"description": "Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.",
"url": "https://github.com/LordNoteworthy/al-khaser/tree/master/al-khaser/AntiDebug"
},
{
"source_name": "wardle evilquest partii",
"description": "Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.",
"url": "https://objective-see.com/blog/blog_0x60.html"
},
{
"source_name": "ProcessHacker Github",
"description": "ProcessHacker. (2009, October 27). Process Hacker. Retrieved April 11, 2022.",
"url": "https://github.com/processhacker/processhacker"
},
{
"source_name": "Positive Technologies Hellhounds 2023",
"description": "PT Expert Security Center. (2023, November 29). Hellhounds: operation Lahat. Retrieved March 18, 2025.",
"url": "https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat"
},
{
"source_name": "vxunderground debug",
"description": "vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.",
"url": "https://web.archive.org/web/20250904153443/https://github.com/vxunderground/VX-API/tree/main#anti-debug"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Joas Antonio dos Santos, @C0d3Cr4zy",
"TruKno"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 19:57:49.208000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0371: Detection Strategy for Debugger Evasion (T1622)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--8c41090b-aa47-4331-986b-8c9a51a91103",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-20 14:31:34.778000+00:00",
"modified": "2026-05-12 15:12:00.705000+00:00",
"name": "Internal Defacement",
"description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1491/001",
"external_id": "T1491.001"
},
{
"source_name": "Varonis",
"description": "Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.",
"url": "https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire"
},
{
"source_name": "Novetta Blockbuster Destructive Malware",
"description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"
},
{
"source_name": "Novetta Blockbuster",
"description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.",
"url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_impact_type": [
"Integrity"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2025-10-24 17:49:05.030000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1053: Data Backup"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0082: Internal Website and System Content Defacement via UI or Messaging Modifications"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a1df809c-7d0e-459f-8fe5-25474bab770b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-09-24 18:03:15.021000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Delay Execution",
"description": "Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems. \n\nAdversaries may utilize programmatic `sleep` commands or native system scheduling functionality, for example [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053). Benign commands or other operations may also be used to delay malware execution or ensure prior commands have had time to execute properly. Loops or otherwise needless repetitions of commands, such as `ping`, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1678",
"external_id": "T1678"
},
{
"source_name": "Joe Sec Nymaim",
"description": "Joe Security. (2016, April 21). Nymaim - evading Sandboxes with API hammering. Retrieved September 30, 2021.",
"url": "https://www.joesecurity.org/blog/3660886847485093803"
},
{
"source_name": "Joe Sec Trickbot",
"description": "Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.",
"url": "https://www.joesecurity.org/blog/498839998833561473"
},
{
"source_name": "Revil Independence Day",
"description": "Loman, M. et al. (2021, July 4). Independence Day: REvil uses supply chain exploit to attack hundreds of businesses. Retrieved September 30, 2021.",
"url": "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
},
{
"source_name": "Netskope Nitol",
"description": "Malik, A. (2016, October 14). Nitol Botnet makes a resurgence with evasive sandbox analysis technique. Retrieved September 30, 2021.",
"url": "https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Deloitte Threat Library Team",
"Jeff Felling, Red Canary",
"Jorge Orchilles, SCYTHE",
"Ruben Dodge, @shotgunner101"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 19:57:37.301000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0372: Multi-Platform Detection Strategy for T1678 - Delay Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14 16:46:06.044000+00:00",
"modified": "2026-05-12 15:12:00.628000+00:00",
"name": "Deobfuscate/Decode Files or Information",
"description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1140",
"external_id": "T1140"
},
{
"source_name": "Volexity PowerDuke November 2016",
"description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.",
"url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
},
{
"source_name": "Sentinel One Tainted Love 2023",
"description": "Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen. (2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in New Attacks. Retrieved March 18, 2025.",
"url": "https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/"
},
{
"source_name": "Malwarebytes Targeted Attack against Saudi Arabia",
"description": "Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.",
"url": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/"
},
{
"source_name": "Carbon Black Obfuscation Sept 2016",
"description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.",
"url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Crist\u00f3bal Mart\u00ednez Mart\u00edn",
"Matthew Demaske, Adaptforward",
"Red Canary"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2026-04-15 19:58:25.069000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0275: Detect Adversary Deobfuscation or Decoding of Files and Payloads"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-03-29 16:51:26.020000+00:00",
"modified": "2026-05-12 15:12:00.634000+00:00",
"name": "Deploy Container",
"description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\n\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Container)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1610",
"external_id": "T1610"
},
{
"source_name": "AppSecco Kubernetes Namespace Breakout 2020",
"description": "Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout using Insecure Host Path Volume \u2014 Part 1. Retrieved January 16, 2024.",
"url": "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216"
},
{
"source_name": "Aqua Build Images on Hosts",
"description": "Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.",
"url": "https://blog.aquasec.com/malicious-container-image-docker-container-host"
},
{
"source_name": "Docker Container",
"description": "DockerDocs. (n.d.). Retrieved December 8, 2025.",
"url": "https://docs.docker.com/reference/cli/docker/container/create/"
},
{
"source_name": "Kubernetes Workload Management",
"description": "Kubernetes. (n.d.). Workload Management. Retrieved March 28, 2024.",
"url": "https://kubernetes.io/docs/concepts/workloads/controllers/"
},
{
"source_name": "Kubeflow Pipelines",
"description": "The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. Retrieved March 29, 2021.",
"url": "https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/"
},
{
"source_name": "Kubernetes Dashboard",
"description": "The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021.",
"url": "https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Alfredo Oliveira, Trend Micro",
"Ariel Shuper, Cisco",
"Center for Threat-Informed Defense (CTID)",
"Idan Frimark, Cisco",
"Joas Antonio dos Santos, @C0d3Cr4zy",
"Magno Logan, @magnologan, Trend Micro",
"Pawan Kinger, @kingerpawan, Trend Micro",
"Vishwas Manral, McAfee",
"Yossi Weizman, Azure Defender Research Team"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-15 19:59:11.024000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1030: Network Segmentation",
"M1035: Limit Access to Resource Over Network",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0249: Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 01:48:15.511000+00:00",
"modified": "2026-05-12 15:12:00.711000+00:00",
"name": "Exploits",
"description": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\n\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1587/004",
"external_id": "T1587.004"
},
{
"source_name": "Irongeek Sims BSides 2017",
"description": "Stephen Sims. (2017, April 30). Microsoft Patch Analysis for Exploitation. Retrieved October 16, 2020.",
"url": "https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims"
},
{
"source_name": "NYTStuxnet",
"description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.",
"url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.711000+00:00\", \"old_value\": \"2025-10-24 17:49:17.967000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0894: Detection of Exploits"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 01:33:01.433000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "Malware",
"description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nDuring malware development, adversaries may intentionally include indicators aligned with other known actors in order to mislead attribution by defenders.(Citation: Olympic Destroyer)(Citation: Risky Bulletin Threat actor impersonates FSB APT)(Citation: GamaCopy organization)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1587/001",
"external_id": "T1587.001"
},
{
"source_name": "Risky Bulletin Threat actor impersonates FSB APT",
"description": "Catalin Cimpanu. (2025, January 22). Risky Bulletin: Threat actor impersonates FSB APT for months to target Russian orgs. Retrieved June 14, 2025.",
"url": "https://news.risky.biz/risky-bulletin-threat-actor-impersonates-fsb-apt-for-months-to-target-russian-orgs/"
},
{
"source_name": "ActiveMalwareEnergy",
"description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.",
"url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/"
},
{
"source_name": "FireEye APT29",
"description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.",
"url": "https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf"
},
{
"source_name": "Kaspersky Sofacy",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
"url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
},
{
"source_name": "GamaCopy organization",
"description": "Knownsec 404 Advanced Threat Intelligence team. (2025, January 21). Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military \u2014 related bait to launch attacks on Russia. Retrieved June 14, 2025.",
"url": "https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa"
},
{
"source_name": "Mandiant APT1",
"description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
"url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
},
{
"source_name": "Olympic Destroyer",
"description": "Paul Rascagneres, Martin Lee. (2018, February 26). Who Wasn\u2019t Responsible for Olympic Destroyer?. Retrieved June 14, 2025.",
"url": "https://blog.talosintelligence.com/who-wasnt-responsible-for-olympic/"
},
{
"source_name": "FBI Flash FIN7 USB",
"description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.",
"url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:30.776000+00:00\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0872: Detection of Malware"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:20.934000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Direct Volume Access",
"description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.(Citation: Hakobyan 2009)\n\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1006",
"external_id": "T1006"
},
{
"source_name": "Github PowerSploit Ninjacopy",
"description": "Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016.",
"url": "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1"
},
{
"source_name": "Hakobyan 2009",
"description": "Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.",
"url": "http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin"
},
{
"source_name": "LOLBAS Esentutl",
"description": "LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.",
"url": "https://lolbas-project.github.io/lolbas/Binaries/Esentutl/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Tom Simpson, CrowdStrike Falcon OverWatch"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 19:59:05.018000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.(Citation: Hakobyan 2009)\\n\\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\", \"old_value\": \"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n\\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n+Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.(Citation: Hakobyan 2009)\\n \\n Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\"}}}",
"previous_version": "3.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may directly access a volume to bypass file acce | t | 1 | Adversaries may directly access a volume to bypass file acce |
| > | ss controls and file system monitoring. Windows allows progr | > | ss controls and file system monitoring. Windows allows progr | ||
| > | ams to have direct access to logical volumes. Programs with | > | ams to have direct access to logical volumes. Programs with | ||
| > | direct access may read and write files directly from the dri | > | direct access may read and write files directly from the dri | ||
| > | ve by analyzing file system data structures. This technique | > | ve by analyzing file system data structures. This technique | ||
| > | may bypass Windows file access controls as well as file syst | > | may bypass Windows file access controls as well as file syst | ||
| > | em monitoring tools. (Citation: Hakobyan 2009) Utilities, s | > | em monitoring tools.(Citation: Hakobyan 2009) Utilities, su | ||
| > | uch as `NinjaCopy`, exist to perform these actions in PowerS | > | ch as `NinjaCopy`, exist to perform these actions in PowerSh | ||
| > | hell.(Citation: Github PowerSploit Ninjacopy) Adversaries ma | > | ell.(Citation: Github PowerSploit Ninjacopy) Adversaries may | ||
| > | y also use built-in or third-party utilities (such as `vssad | > | also use built-in or third-party utilities (such as `vssadm | ||
| > | min`, `wbadmin`, and [esentutl](https://attack.mitre.org/sof | > | in`, `wbadmin`, and [esentutl](https://attack.mitre.org/soft | ||
| > | tware/S0404)) to create shadow copies or backups of data fro | > | ware/S0404)) to create shadow copies or backups of data from | ||
| > | m system volumes.(Citation: LOLBAS Esentutl) | > | system volumes.(Citation: LOLBAS Esentutl) |
New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1484/001",
"external_id": "T1484.001"
},
{
"source_name": "Mandiant M Trends 2016",
"description": "Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf"
},
{
"source_name": "ADSecurity GPO Persistence 2016",
"description": "Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.",
"url": "https://adsecurity.org/?p=2716"
},
{
"source_name": "Microsoft Hacking Team Breach",
"description": "Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019.",
"url": "https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/"
},
{
"source_name": "Wald0 Guide to GPOs",
"description": "Robbins, A. (2018, April 2). A Red Teamer\u2019s Guide to GPOs and OUs. Retrieved March 5, 2019.",
"url": "https://wald0.com/?p=179"
},
{
"source_name": "Harmj0y Abusing GPO Permissions",
"description": "Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024.",
"url": "https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/"
},
{
"source_name": "Harmj0y SeEnableDelegationPrivilege Right",
"description": "Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved September 23, 2024.",
"url": "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"
},
{
"source_name": "TechNet Group Policy Basics",
"description": "srachui. (2012, February 13). Group Policy Basics \u2013 Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.",
"url": "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Itamar Mizrahi, Cymptom",
"Tristan Bennett, Seamless Intelligence"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-16 20:07:52.883000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0305: Detection of Group Policy Modifications via AD Object Changes and File Activity"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-12-28 21:59:02.181000+00:00",
"modified": "2026-05-12 15:12:00.623000+00:00",
"name": "Trust Modification",
"description": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \n\nAn adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS re Inforce Trust Mod)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1484/002",
"external_id": "T1484.002"
},
{
"source_name": "AWS re Inforce Trust Mod",
"description": "AWS re Inforce. (2024, June). Retrieved April 15, 2026.",
"url": "https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
},
{
"source_name": "AADInternals zure AD Federated Domain",
"description": "Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.",
"url": "https://o365blog.com/post/federation-vulnerability/"
},
{
"source_name": "Microsoft - Azure AD Federation",
"description": "Microsoft. (2018, November 28). What is federation with Azure AD?. Retrieved December 30, 2020.",
"url": "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed"
},
{
"source_name": "Okta Cross-Tenant Impersonation 2023",
"description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.",
"url": "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Blake Strom, Microsoft 365 Defender",
"Praetorian",
"Obsidian Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Identity Provider",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-16 20:07:52.987000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0458: Detection of Trust Relationship Modifications in Domain or Tenant Policies"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--30904c16-39f9-41c6-b01a-500eb8878442",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2026-04-14 22:53:28.276000+00:00",
"modified": "2026-05-12 15:12:00.624000+00:00",
"name": "Downgrade Attack",
"description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system\u2019s backward compatibility to force it into less secure modes of operation.\n\nAdversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to impair defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike downgrade attack)(Citation: Google Cloud downgrade attack)(Citation: att_def_ps_logging)\n\nAdversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: CrowdStrike Downgrade attack 2) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1689",
"external_id": "T1689"
},
{
"source_name": "SafeBreach",
"description": "Alon Leviev. (2024, August 7). Windows Downdate: Downgrade Attacks Using Windows Updates. Retrieved January 8, 2025.",
"url": "https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/"
},
{
"source_name": "CrowdStrike Downgrade attack 2",
"description": "Bart Lenaerts-Bergmans. (2023, March 13). What are Downgrade Attacks?. Retrieved April 15, 2026.",
"url": "https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/downgrade-attack/"
},
{
"source_name": "Targeted SSL Stripping Attacks Are Real",
"description": "Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.",
"url": "https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/"
},
{
"source_name": "CrowdStrike downgrade attack",
"description": "Falcon Complete Team. (2021, May 11). Response When Minutes Matter: Rising Up Against Ransomware. Retrieved April 15, 2026.",
"url": "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/"
},
{
"source_name": "att_def_ps_logging",
"description": "Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021.",
"url": "https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/"
},
{
"source_name": "Google Cloud downgrade attack",
"description": "Nathan Kirk. (2018, June 18). Bring Your Own Land (BYOL) \u2014 A Novel Red Teaming Technique. Retrieved April 15, 2026.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/bring-your-own-land-novel-red-teaming-technique/"
},
{
"source_name": "Praetorian TLS Downgrade Attack 2014",
"description": "Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.",
"url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arad Inbar, Fidelis Security",
"Daniel Feichter, @VirtualAllocEx, Infosec Tirol",
"Mayuresh Dani, Qualys"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS",
"Windows",
"Linux"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2026-04-22 15:44:42.756000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1042: Disable or Remove Feature or Program",
"M1054: Software Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0350: Detecting Downgrade Attacks"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-10 17:28:11.747000+00:00",
"modified": "2026-05-12 15:12:00.644000+00:00",
"name": "Dynamic Resolution",
"description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1568",
"external_id": "T1568"
},
{
"source_name": "Talos CCleanup 2017",
"description": "Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.",
"url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html"
},
{
"source_name": "FireEye POSHSPY April 2017",
"description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
},
{
"source_name": "ESET Sednit 2017 Activity",
"description": "ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.",
"url": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
},
{
"source_name": "Data Driven Security DGA",
"description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.",
"url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Chris Roffe"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.644000+00:00\", \"old_value\": \"2025-10-24 17:49:00.128000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0039: Detection Strategy for Dynamic Resolution across OS Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-11 14:56:34.154000+00:00",
"modified": "2026-05-12 15:12:00.673000+00:00",
"name": "DNS Calculation",
"description": "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\n\nOne implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1568/003",
"external_id": "T1568.003"
},
{
"source_name": "Meyers Numbered Panda",
"description": "Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.",
"url": "http://www.crowdstrike.com/blog/whois-numbered-panda/"
},
{
"source_name": "Moran 2014",
"description": "Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin\u2019s Favorite APT Group [Blog]. Retrieved November 12, 2014.",
"url": "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
},
{
"source_name": "Rapid7G20Espionage",
"description": "Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. Retrieved March 6, 2017.",
"url": "https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.673000+00:00\", \"old_value\": \"2025-10-24 17:49:03.093000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0262: Detection Strategy for Dynamic Resolution through DNS Calculation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-10 17:44:59.787000+00:00",
"modified": "2026-05-12 15:12:00.621000+00:00",
"name": "Domain Generation Algorithms",
"description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or \u201cgibberish\u201d strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1568/002",
"external_id": "T1568.002"
},
{
"source_name": "Elastic Predicting DGA",
"description": "Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November 2). Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Retrieved April 26, 2019.",
"url": "https://arxiv.org/pdf/1611.00791.pdf"
},
{
"source_name": "Talos CCleanup 2017",
"description": "Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.",
"url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html"
},
{
"source_name": "Pace University Detecting DGA May 2017",
"description": "Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods . Retrieved April 26, 2019.",
"url": "http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf"
},
{
"source_name": "FireEye POSHSPY April 2017",
"description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
},
{
"source_name": "ESET Sednit 2017 Activity",
"description": "ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.",
"url": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
},
{
"source_name": "Data Driven Security DGA",
"description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.",
"url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
},
{
"source_name": "Akamai DGA Mitigation",
"description": "Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019.",
"url": "https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e"
},
{
"source_name": "Cisco Umbrella DGA",
"description": "Scarfo, A. (2016, October 10). Domain Generation Algorithms \u2013 Why so effective?. Retrieved February 18, 2019.",
"url": "https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/"
},
{
"source_name": "Cybereason Dissecting DGAs",
"description": "Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019.",
"url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf"
},
{
"source_name": "Unit 42 DGA Feb 2019",
"description": "Unit 42. (2019, February 7). Threat Brief: Understanding Domain Generation Algorithms (DGA). Retrieved February 19, 2019.",
"url": "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ryan Benson, Exabeam",
"Barry Shteiman, Exabeam",
"Sylvain Gil, Exabeam"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-24 17:48:25.458000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0419: Detection Strategy for Dynamic Resolution using Domain Generation Algorithms."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-19 18:46:06.098000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "Local Email Collection",
"description": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user\u2019s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\C:\\dbg\\ntsd.exe -g notepad.exe).(Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool.(Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached.(Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process).(Citation: Microsoft Silent Process Exit NOV 2017)(Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\.(Citation: Microsoft Silent Process Exit NOV 2017)(Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges.(Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer.(Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to impair defenses by registering invalid debuggers that redirect and effectively disable various system and security applications.(Citation: FSecure Hupigon)(Citation: Symantec Ushedix June 2008)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1546/012",
"external_id": "T1546.012"
},
{
"source_name": "FSecure Hupigon",
"description": "FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. Retrieved December 18, 2017.",
"url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml"
},
{
"source_name": "Elastic Process Injection July 2017",
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
"url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
},
{
"source_name": "Microsoft Silent Process Exit NOV 2017",
"description": "Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent Process Exit. Retrieved June 27, 2018.",
"url": "https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"
},
{
"source_name": "Microsoft GFlags Mar 2017",
"description": "Microsoft. (2017, May 23). GFlags Overview. Retrieved December 18, 2017.",
"url": "https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview"
},
{
"source_name": "Oddvar Moe IFEO APR 2018",
"description": "Moe, O. (2018, April 10). Persistence using GlobalFlags in Image File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018.",
"url": "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
},
{
"source_name": "Microsoft Dev Blog IFEO Mar 2010",
"description": "Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017.",
"url": "https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/"
},
{
"source_name": "Symantec Ushedix June 2008",
"description": "Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December 18, 2017.",
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2"
},
{
"source_name": "Tilbury 2014",
"description": "Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20200730053039/https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Oddvar Moe, @oddvarmoe"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2026-04-16 18:54:42.949000+00:00\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0422: Detection Strategy for IFEO Injection on Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--da051493-ae9c-4b1b-9760-c009c46c9b56",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-09-27 18:02:16.026000+00:00",
"modified": "2026-05-12 15:12:00.721000+00:00",
"name": "Installer Packages",
"description": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)\n\nUsing legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)\n\nDepending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.\n\nFor Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.(Citation: Microsoft Installation Procedures)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1546/016",
"external_id": "T1546.016"
},
{
"source_name": "Application Bundle Manipulation Brandon Dalton",
"description": "Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.",
"url": "https://redcanary.com/blog/mac-application-bundles/"
},
{
"source_name": "Debian Manual Maintainer Scripts",
"description": "Debian Policy Manual v4.6.1.1. (2022, August 14). Package maintainer scripts and installation procedure. Retrieved September 27, 2022.",
"url": "https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-mscriptsinstact"
},
{
"source_name": "Windows AppleJeus GReAT",
"description": "Global Research & Analysis Team, Kaspersky Lab (GReAT). (2018, August 23). Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware. Retrieved September 27, 2022.",
"url": "https://securelist.com/operation-applejeus/87553/"
},
{
"source_name": "Microsoft Installation Procedures",
"description": "Microsoft. (2021, January 7). Installation Procedure Tables Group. Retrieved December 27, 2023.",
"url": "https://learn.microsoft.com/windows/win32/msi/installation-procedure-tables-group"
},
{
"source_name": "wardle evilquest parti",
"description": "Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.",
"url": "https://objective-see.com/blog/blog_0x59.html"
},
{
"source_name": "Installer Package Scripting Rich Trouton",
"description": "Rich Trouton. (2019, August 9). Installer Package Scripting: Making your deployments easier, one ! at a time. Retrieved September 27, 2022.",
"url": "https://cpb-us-e1.wpmucdn.com/sites.psu.edu/dist/4/24696/files/2019/07/psumac2019-345-Installer-Package-Scripting-Making-your-deployments-easier-one-at-a-time.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Brandon Dalton @PartyD0lphin",
"Rodchenko Aleksandr"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.721000+00:00\", \"old_value\": \"2025-04-15 19:59:13.167000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0330: Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-24 14:13:45.936000+00:00",
"modified": "2026-05-12 15:12:00.709000+00:00",
"name": "Unix Shell Configuration Modification",
"description": "Adversaries may establish persistence through executing malicious commands triggered by a user\u2019s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user\u2019s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user\u2019s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \n\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \n\nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1546/004",
"external_id": "T1546.004"
},
{
"source_name": "anomali-linux-rabbit",
"description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.",
"url": "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
},
{
"source_name": "anomali-rocke-tactics",
"description": "Anomali Threat Research. (2019, October 15). Illicit Cryptomining Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved December 17, 2020.",
"url": "https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect"
},
{
"source_name": "Linux manual bash invocation",
"description": "ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.",
"url": "https://wiki.archlinux.org/index.php/Bash#Invocation"
},
{
"source_name": "ScriptingOSX zsh",
"description": "Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration Files. Retrieved February 25, 2021.",
"url": "https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/"
},
{
"source_name": "bencane blog bashrc",
"description": "Benjamin Cane. (2013, September 16). Understanding a little more about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.",
"url": "https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/"
},
{
"source_name": "macOS MS office sandbox escape",
"description": "Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump. Retrieved August 20, 2021.",
"url": "https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a"
},
{
"source_name": "Magento",
"description": "Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection Vector. Retrieved December 17, 2020.",
"url": "https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html"
},
{
"source_name": "Tsunami",
"description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.",
"url": "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
},
{
"source_name": "PersistentJXA_leopitt",
"description": "Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell for macOS. Retrieved January 11, 2021.",
"url": "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
},
{
"source_name": "code_persistence_zsh",
"description": "Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. Retrieved January 11, 2021.",
"url": "https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js"
},
{
"source_name": "ESF_filemonitor",
"description": "Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020.",
"url": "https://objective-see.com/blog/blog_0x48.html"
},
{
"source_name": "intezer-kaiji-malware",
"description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.",
"url": "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Robert Wilson",
"Tony Lambert, Red Canary"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2025-10-24 17:49:15.960000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.2",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0020: Detect Shell Configuration Modification for Persistence via Event-Triggered Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-01-31 02:10:08.261000+00:00",
"modified": "2026-05-12 15:12:00.685000+00:00",
"name": "Execution Guardrails",
"description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.\n\nAdversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1480",
"external_id": "T1480"
},
{
"source_name": "FireEye Outlook Dec 2019",
"description": "McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.",
"url": "https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html"
},
{
"source_name": "Trellix-Qakbot",
"description": "Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved June 7, 2024.",
"url": "https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/"
},
{
"source_name": "FireEye Kevin Mandia Guardrails",
"description": "Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019.",
"url": "https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Nick Carr, Mandiant"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.685000+00:00\", \"old_value\": \"2026-04-15 20:03:40.312000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1055: Do Not Mitigate"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0562: Multi-Platform Execution Guardrails Environmental Validation Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-23 22:28:28.041000+00:00",
"modified": "2026-05-12 15:12:00.724000+00:00",
"name": "Environmental Keying",
"description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1480/001",
"external_id": "T1480.001"
},
{
"source_name": "Proofpoint Router Malvertising",
"description": "Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"
},
{
"source_name": "Kaspersky Gauss Whitepaper",
"description": "Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution. Retrieved January 17, 2019.",
"url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf"
},
{
"source_name": "EK Clueless Agents",
"description": "Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019.",
"url": "https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf"
},
{
"source_name": "EK Impeding Malware Analysis",
"description": "Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.",
"url": "https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf"
},
{
"source_name": "Demiguise Guardrail Router Logo",
"description": "Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.",
"url": "https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js"
},
{
"source_name": "Environmental Keyed HTA",
"description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved November 17, 2024.",
"url": "http://web.archive.org/web/20200608093807/https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Nick Carr, Mandiant"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2026-04-15 20:07:10.470000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1055: Do Not Mitigate"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0474: Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-09-19 14:00:03.401000+00:00",
"modified": "2026-05-12 15:12:00.630000+00:00",
"name": "Mutual Exclusion",
"description": "Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)\n\nWhile local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)\n\nIn Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)\n\nMutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1480/002",
"external_id": "T1480.002"
},
{
"source_name": "Intezer RedXOR 2021",
"description": "Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved September 19, 2024.",
"url": "https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/"
},
{
"source_name": "Sans Mutexes 2012",
"description": "Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.",
"url": "https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/"
},
{
"source_name": "ICS Mutexes 2015",
"description": "Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names to Evade Detection. Retrieved September 19, 2024.",
"url": "https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/"
},
{
"source_name": "Microsoft Mutexes",
"description": "Microsoft. (2022, March 11). Mutexes. Retrieved September 19, 2024.",
"url": "https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes"
},
{
"source_name": "Deep Instinct BPFDoor 2023",
"description": "Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves \u2013 Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.",
"url": "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Manikantan Srinivasan, NEC Corporation India",
"Pooja Natarajan, NEC Corporation India",
"Nagahama Hiroki \u2013 NEC Corporation Japan"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2026-04-15 20:07:21.724000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1055: Do Not Mitigate"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0132: Detection of Mutex-Based Execution Guardrails Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-15 15:34:30.767000+00:00",
"modified": "2026-05-12 15:12:00.705000+00:00",
"name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"description": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1048/002",
"external_id": "T1048.002"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"William Cain"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2025-10-24 17:49:05.552000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1030: Network Segmentation",
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic",
"M1057: Data Loss Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0512: Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-15 15:37:47.583000+00:00",
"modified": "2026-05-12 15:12:00.726000+00:00",
"name": "Exfiltration Over Unencrypted Non-C2 Protocol",
"description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1048/003",
"external_id": "T1048.003"
},
{
"source_name": "copy_cmd_cisco",
"description": "Cisco. (2022, August 16). copy - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022.",
"url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/C_commands.html#wp1068167689"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"William Cain",
"Austin Clark, @c2defense"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2025-10-24 17:49:39.079000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.2",
"changelog_mitigations": {
"shared": [
"M1030: Network Segmentation",
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic",
"M1057: Data Loss Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0149: Detection of Exfiltration Over Unencrypted Non-C2 Protocol"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:41.804000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Exfiltration Over C2 Channel",
"description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1041",
"external_id": "T1041"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"William Cain"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:06.675000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.3",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention",
"M1057: Data Loss Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0348: Detection Strategy for Exfiltration Over C2 Channel"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 12:51:45.570000+00:00",
"modified": "2026-05-12 15:12:00.628000+00:00",
"name": "Exfiltration Over Web Service",
"description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\n\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1567",
"external_id": "T1567"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"William Cain"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:42.061000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1057: Data Loss Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0548: Detection Strategy for Exfiltration Over Web Service"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--43f2776f-b4bd-4118-94b8-fee47e69676d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-07-20 15:30:55.763000+00:00",
"modified": "2026-05-12 15:12:00.629000+00:00",
"name": "Exfiltration Over Webhook",
"description": "Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application. \n\nAdversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server)\n\nAccess to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1567/004",
"external_id": "T1567.004"
},
{
"source_name": "Checkmarx Webhooks",
"description": " Jossef Harush Kadouri. (2022, March 7). Webhook Party \u2014 Malicious packages caught exfiltrating data via legit webhook services. Retrieved July 20, 2023.",
"url": "https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191"
},
{
"source_name": "CyberArk Labs Discord",
"description": "CyberArk Labs. (2023, April 13). The (Not so) Secret War on Discord. Retrieved July 20, 2023.",
"url": "https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord"
},
{
"source_name": "Discord Intro to Webhooks",
"description": "D. (n.d.). Intro to Webhooks. Retrieved July 20, 2023.",
"url": "https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks"
},
{
"source_name": "Microsoft SQL Server",
"description": "Microsoft Threat Intelligence. (2023, October 3). Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement. Retrieved October 3, 2023.",
"url": "https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/"
},
{
"source_name": "Talos Discord Webhook Abuse",
"description": "Nick Biasini, Edmund Brumaghin, Chris Neal, and Paul Eubanks. (2021, April 7). https://blog.talosintelligence.com/collab-app-abuse/. Retrieved July 20, 2023.",
"url": "https://blog.talosintelligence.com/collab-app-abuse/"
},
{
"source_name": "Push Security SaaS Attacks Repository Webhooks",
"description": "Push Security. (2023, July 31). Webhooks. Retrieved August 4, 2023.",
"url": "https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md"
},
{
"source_name": "RedHat Webhooks",
"description": "RedHat. (2022, June 1). What is a webhook?. Retrieved July 20, 2023.",
"url": "https://www.redhat.com/en/topics/automation/what-is-a-webhook"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Yossi Weizman, Microsoft Threat Intelligence",
"Sunders Bruskin, Microsoft Threat Intelligence"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2025-04-15 19:58:26.901000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1057: Data Loss Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0153: Detection Strategy for Exfiltration Over Webhook"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 15:04:32.767000+00:00",
"modified": "2026-05-12 15:12:00.713000+00:00",
"name": "Exfiltration to Cloud Storage",
"description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\n\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1567/002",
"external_id": "T1567.002"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-10-24 17:49:19.048000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0570: Detection Strategy for Exfiltration to Cloud Storage"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--86a96bf6-cf8b-411c-aaeb-8959944d64f7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:51:11.772000+00:00",
"modified": "2026-05-12 15:12:00.686000+00:00",
"name": "Exfiltration to Code Repository",
"description": "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.\n\nExfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1567/001",
"external_id": "T1567.001"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.686000+00:00\", \"old_value\": \"2025-10-24 17:49:04.207000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0318: Detection Strategy for Exfiltration to Code Repository"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-04-18 17:59:24.739000+00:00",
"modified": "2026-05-12 15:12:00.628000+00:00",
"name": "Exploit Public-Facing Application",
"description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1190",
"external_id": "T1190"
},
{
"source_name": "CWE top 25",
"description": "Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.",
"url": "https://cwe.mitre.org/top25/index.html"
},
{
"source_name": "CIS Multiple SMB Vulnerabilities",
"description": "CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.",
"url": "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/"
},
{
"source_name": "Ars Technica VMWare Code Execution Vulnerability 2021",
"description": "Dan Goodin . (2021, February 25). Code-execution flaw in VMware has a severity rating of 9.8 out of 10. Retrieved April 8, 2025.",
"url": "https://arstechnica.com/information-technology/2021/02/armed-with-exploits-hackers-on-the-prowl-for-a-critical-vmware-vulnerability/"
},
{
"source_name": "Recorded Future ESXiArgs Ransomware 2023",
"description": "German Hoeffner, Aaron Soehnen and Gianni Perez. (2023, February 7). ESXiArgs Ransomware Targets Publicly-Exposed ESXi OpenSLP Servers. Retrieved March 26, 2025.",
"url": "https://www.recordedfuture.com/blog/esxiargs-ransomware-targets-vmware-esxi-openslp-servers"
},
{
"source_name": "Wired Russia Cyberwar",
"description": "Greenberg, A. (2022, November 10). Russia\u2019s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless. Retrieved March 22, 2023.",
"url": "https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/"
},
{
"source_name": "Mandiant Fortinet Zero Day",
"description": "Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.",
"url": "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem"
},
{
"source_name": "NVD CVE-2016-6662",
"description": "National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018.",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6662"
},
{
"source_name": "NVD CVE-2014-7169",
"description": "National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7169"
},
{
"source_name": "Cisco Blog Legacy Device Attacks",
"description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
"url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
},
{
"source_name": "OWASP Top 10",
"description": "OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.",
"url": "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
},
{
"source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
"description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Praetorian",
"Yossi Weizman, Azure Defender Research Team",
"Don Le, Stifel Financial"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"IaaS",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.8",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:41.788000+00:00\"}}}",
"previous_version": "2.8",
"changelog_mitigations": {
"shared": [
"M1016: Vulnerability Scanning",
"M1026: Privileged Account Management",
"M1030: Network Segmentation",
"M1035: Limit Access to Resource Over Network",
"M1037: Filter Network Traffic",
"M1048: Application Isolation and Sandboxing",
"M1050: Exploit Protection",
"M1051: Update Software"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0080: Exploit Public-Facing Application \u2013 multi-signal correlation (request \u2192 error \u2192 post-exploit process/egress)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--01c9b54f-c04e-41ba-b0c3-cfe784b3a463",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2026-04-14 22:53:27.621000+00:00",
"modified": "2026-05-12 15:12:00.619000+00:00",
"name": "Exploitation for Defense Impairment",
"description": "Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disable, or otherwise continue to impair their ability to prevent, detect, or respond to malicious activity. \n \nAdversaries may exploit a system or application vulnerability to directly interfere with defensive mechanisms. Exploitation occurs when an adversary takes advantage of a programming error in software, services, or the operating system to execute adversary-controlled code, often with the goal of weakening or disabling protections. \n\nVulnerabilities may exist in security tools such as antivirus, endpoint detection and response (EDR), firewalls, or other monitoring solutions. Adversaries may use prior reconnaissance or perform discovery activities (e.g., [Software Discovery](https://attack.mitre.org/techniques/T1518)) to identify defensive tools present in an environment and target them for exploitation. \n\nSuccessful exploitation may allow adversaries to terminate security processes, disable protections, bypass enforcement mechanisms, or reduce the effectiveness of defensive controls. In some cases, vulnerabilities in cloud-based or SaaS infrastructure may also be leveraged to bypass built-in security boundaries or disrupt visibility and enforcement across environments.(Citation: Salesforce zero-day in facebook phishing attack)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1687",
"external_id": "T1687"
},
{
"source_name": "Salesforce zero-day in facebook phishing attack",
"description": "Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.",
"url": "https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Linux",
"macOS",
"SaaS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2026-04-16 20:10:42.138000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0900: Detection of Defense Impairment"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-04-18 17:59:24.739000+00:00",
"modified": "2026-05-12 15:12:00.726000+00:00",
"name": "Exploitation for Stealth",
"description": "Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components. \n\nAdversaries may exploit a system or application vulnerability to avoid detection while maintaining access within an environment. Exploitation occurs when an adversary leverages a programming flaw to execute code in a manner that minimizes visibility or blends in with legitimate activity. \n\nRather than directly disabling defenses, adversaries may use exploitation to circumvent monitoring and logging mechanisms. This can include abusing vulnerabilities in logging pipelines, security tools, or cloud infrastructure to evade audit trails, suppress alerts, or operate without generating telemetry. \n\nAdversaries may identify these opportunities through prior reconnaissance or by performing discovery of security controls after initial access. In some cases, vulnerabilities in SaaS or public cloud environments may be exploited to evade logging, obscure activity, or deploy infrastructure that remains hidden from standard monitoring tools.(Citation: Bypassing CloudTrail in AWS Service Catalog)(Citation: GhostToken GCP flaw)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1211",
"external_id": "T1211"
},
{
"source_name": "Bypassing CloudTrail in AWS Service Catalog",
"description": "Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.",
"url": "https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/"
},
{
"source_name": "GhostToken GCP flaw",
"description": "Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.",
"url": "https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"John Lambert, Microsoft Threat Intelligence Center"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS",
"SaaS",
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-15 13:36:04.483000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1019: Threat Intelligence Program",
"M1048: Application Isolation and Sandboxing",
"M1050: Exploit Protection",
"M1051: Update Software"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0595: Detection Strategy for Exploitation for Stealth"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:44.421000+00:00",
"modified": "2026-05-12 15:12:00.621000+00:00",
"name": "External Remote Services",
"description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.\n\nAccess may also be gained through an exposed service that doesn\u2019t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)\n\nAdversaries may also establish persistence on network by configuring a Tor hidden service on a compromised system. Adversaries may utilize the tool `ShadowLink` to facilitate the installation and configuration of the Tor hidden service. Tor hidden service is then accessible via the Tor network because `ShadowLink` sets up a .onion address on the compromised system. `ShadowLink` may be used to forward any inbound connections to RDP, allowing the adversaries to have remote access.(Citation: The BadPilot campaign) Adversaries may get `ShadowLink` to persist on a system by masquerading it as an MS Defender application.(Citation: Russian threat actors dig in, prepare to seize on war fatigue)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1133",
"external_id": "T1133"
},
{
"source_name": "Volexity Virtual Private Keylogging",
"description": "Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.",
"url": "https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/"
},
{
"source_name": "MacOS VNC software for Remote Desktop",
"description": "Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.",
"url": "https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac"
},
{
"source_name": "Unit 42 Hildegard Malware",
"description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.",
"url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
},
{
"source_name": "Russian threat actors dig in, prepare to seize on war fatigue",
"description": "Microsoft Threat Intelligence. (2023, December 7). Russian threat actors dig in, prepare to seize on war fatigue. Retrieved June 18, 2025.",
"url": "https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue"
},
{
"source_name": "The BadPilot campaign",
"description": "Microsoft Threat Intelligence. (2025, February 12). The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation. Retrieved June 18, 2025.",
"url": "https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/?ref=thestack.technology"
},
{
"source_name": "Trend Micro Exposed Docker Server",
"description": "Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants Target Exposed Docker Servers. Retrieved April 5, 2021.",
"url": "https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"ExtraHop",
"David Fiser, @anu4is, Trend Micro",
"Alfredo Oliveira, Trend Micro",
"Idan Frimark, Cisco",
"Rory McCune, Aqua Security",
"Yuval Avrahami, Palo Alto Networks",
"Jay Chen, Palo Alto Networks",
"Brad Geesaman, @bradgeesaman",
"Magno Logan, @magnologan, Trend Micro",
"Ariel Shuper, Cisco",
"Yossi Weizman, Azure Defender Research Team",
"Vishwas Manral, McAfee",
"Daniel Oakley",
"Travis Smith, Tripwire",
"David Tayouri",
"Liran Ravich, CardinalOps"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-24 17:48:24.982000+00:00\"}}}",
"previous_version": "2.5",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1030: Network Segmentation",
"M1032: Multi-factor Authentication",
"M1035: Limit Access to Resource Over Network",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0354: Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:21.689000+00:00",
"modified": "2026-05-12 15:12:00.724000+00:00",
"name": "Fallback Channels",
"description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1008",
"external_id": "T1008"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-24 17:49:35.854000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0499: Behavioral Detection of Fallback or Alternate C2 Channels"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:04.710000+00:00",
"modified": "2026-05-12 15:12:00.644000+00:00",
"name": "File and Directory Discovery",
"description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)\n\nSome files and directories may require elevated or specific user permissions to access.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1083",
"external_id": "T1083"
},
{
"source_name": "Windows Commands JPCERT",
"description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.",
"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"
},
{
"source_name": "US-CERT-TA18-106A",
"description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Austin Clark, @c2defense"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.7",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.644000+00:00\", \"old_value\": \"2025-10-24 17:49:00.036000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.7",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0370: Recursive Enumeration of Files and Directories Across Privilege Contexts"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-10-17 00:14:20.652000+00:00",
"modified": "2026-05-12 15:12:00.637000+00:00",
"name": "File and Directory Permissions Modification",
"description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory\u2019s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\n\nAdversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1222",
"external_id": "T1222"
},
{
"source_name": "falconoverwatch_blackcat_attack",
"description": "Falcon OverWatch Team. (2022, March 23). Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack. Retrieved May 5, 2022.",
"url": "https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/"
},
{
"source_name": "Hybrid Analysis Icacls1 June 2018",
"description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
},
{
"source_name": "Hybrid Analysis Icacls2 May 2018",
"description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
},
{
"source_name": "bad_luck_blackcat",
"description": "Kaspersky Global Research & Analysis Team (GReAT). (2022). A Bad Luck BlackCat. Retrieved May 5, 2022.",
"url": "https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf"
},
{
"source_name": "fsutil_behavior",
"description": "Microsoft. (2021, September 27). fsutil behavior. Retrieved January 14, 2022.",
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior"
},
{
"source_name": "blackmatter_blackcat",
"description": "Pereira, T. Huey, C. (2022, March 17). From BlackMatter to BlackCat: Analyzing two attacks from one affiliate. Retrieved May 5, 2022.",
"url": "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html"
},
{
"source_name": "new_rust_based_ransomware",
"description": "Symantec Threat Hunter Team. (2021, December 16). Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware. Retrieved January 14, 2022.",
"url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"CrowdStrike Falcon OverWatch",
"Jan Miller, CrowdStrike"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.637000+00:00\", \"old_value\": \"2026-04-16 20:07:53.078000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0299: Multi-Platform File and Directory Permissions Modification Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-04 19:24:27.774000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Linux and Mac Permissions",
"description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform\u2019s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1222/002",
"external_id": "T1222.002"
},
{
"source_name": "Hybrid Analysis Icacls1 June 2018",
"description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
},
{
"source_name": "Hybrid Analysis Icacls2 May 2018",
"description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
},
{
"source_name": "20 macOS Common Tools and Techniques",
"description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
"url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-22 15:51:53.173000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0351: Unix-like File Permission Manipulation Behavioral Chain Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-04 19:17:41.767000+00:00",
"modified": "2026-05-12 15:12:00.625000+00:00",
"name": "Windows Permissions",
"description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1222/001",
"external_id": "T1222.001"
},
{
"source_name": "Hybrid Analysis Icacls1 June 2018",
"description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
},
{
"source_name": "Hybrid Analysis Icacls2 May 2018",
"description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
},
{
"source_name": "Microsoft Access Control Lists May 2018",
"description": "M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020.",
"url": "https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists"
},
{
"source_name": "Microsoft DACL May 2018",
"description": "Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.",
"url": "https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2026-04-22 15:51:17.272000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0418: Windows DACL Manipulation Behavioral Chain Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--851e071f-208d-4c79-adc6-5974c85c78f3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-08-18 20:50:04.222000+00:00",
"modified": "2026-05-12 15:12:00.685000+00:00",
"name": "Financial Theft",
"description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1684/001) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.(Citation: Mandiant-leaks) Adversaries may use dedicated leak sites to distribute victim data.(Citation: Crowdstrike-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1657",
"external_id": "T1657"
},
{
"source_name": "VEC",
"description": "CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved September 12, 2023.",
"url": "https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers."
},
{
"source_name": "Crowdstrike-leaks",
"description": "Crowdstrike. (2020, September 24). Double Trouble: Ransomware with Data Leak Extortion, Part 1. Retrieved December 6, 2023.",
"url": "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"
},
{
"source_name": "Mandiant-leaks",
"description": "DANIEL KAPELLMANN ZAFRA, COREY HIDELBRANDT, NATHAN BRUBAKER, KEITH LUNDEN. (2022, January 31). 1 in 7 OT Ransomware Extortion Attacks Leak Critical Operational Technology Information. Retrieved August 18, 2023.",
"url": "https://www.mandiant.com/resources/blog/ransomware-extortion-ot-docs"
},
{
"source_name": "DOJ-DPRK Heist",
"description": "Department of Justice. (2021). 3 North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyber-attacks and Financial Crimes Across the Globe. Retrieved August 18, 2023.",
"url": "https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyber-attacks-and"
},
{
"source_name": "FBI-BEC",
"description": "FBI. (2022). FBI 2022 Congressional Report on BEC and Real Estate Wire Fraud. Retrieved August 18, 2023.",
"url": "https://www.fbi.gov/file-repository/fy-2022-fbi-congressional-report-business-email-compromise-and-real-estate-wire-fraud-111422.pdf/view"
},
{
"source_name": "FBI-ransomware",
"description": "FBI. (n.d.). Ransomware. Retrieved August 18, 2023.",
"url": "https://www.cisa.gov/sites/default/files/Ransomware_Trifold_e-version.pdf"
},
{
"source_name": "AP-NotPetya",
"description": "FRANK BAJAK AND RAPHAEL SATTER. (2017, June 30). Companies still hobbled from fearsome cyberattack. Retrieved August 18, 2023.",
"url": "https://apnews.com/article/russia-ukraine-technology-business-europe-hacking-ce7a8aca506742ab8e8873e7f9f229c2"
},
{
"source_name": "Internet crime report 2022",
"description": "IC3. (2022). 2022 Internet Crime Report. Retrieved August 18, 2023.",
"url": "https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf"
},
{
"source_name": "BBC-Ronin",
"description": "Joe Tidy. (2022, March 30). Ronin Network: What a $600m hack says about the state of crypto. Retrieved August 18, 2023.",
"url": "https://www.bbc.com/news/technology-60933174"
},
{
"source_name": "wired-pig butchering",
"description": "Lily Hay Newman. (n.d.). \u2018Pig Butchering\u2019 Scams Are Now a $3 Billion Threat. Retrieved August 18, 2023.",
"url": "https://www.wired.com/story/pig-butchering-fbi-ic3-2022-report/"
},
{
"source_name": "NYT-Colonial",
"description": "Nicole Perlroth. (2021, May 13). Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers.. Retrieved August 18, 2023.",
"url": "https://www.nytimes.com/2021/05/13/technology/colonial-pipeline-ransom.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Blake Strom, Microsoft Threat Intelligence",
"Pawel Partyka, Microsoft Threat Intelligence",
"Menachem Goldstein"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_impact_type": [
"Availability"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.685000+00:00\", \"old_value\": \"2026-04-17 16:12:12.496000+00:00\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0495: Detection Strategy for Financial Theft"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-04-12 18:28:15.451000+00:00",
"modified": "2026-05-12 15:12:00.724000+00:00",
"name": "Firmware Corruption",
"description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.\n\nIn general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485). ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1495",
"external_id": "T1495"
},
{
"source_name": "cisa_malware_orgs_ukraine",
"description": "CISA. (2022, April 28). Alert (AA22-057A) Update: Destructive Malware Targeting Organizations in Ukraine. Retrieved July 29, 2022.",
"url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"
},
{
"source_name": "dhs_threat_to_net_devices",
"description": "U.S. Department of Homeland Security. (2016, August 30). The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. Retrieved July 29, 2022.",
"url": "https://cyber.dhs.gov/assets/report/ar-16-20173.pdf"
},
{
"source_name": "MITRE Trustworthy Firmware Measurement",
"description": "Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.",
"url": "http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research"
},
{
"source_name": "Symantec Chernobyl W95.CIH",
"description": "Yamamura, M. (2002, April 25). W95.CIH. Retrieved April 12, 2019.",
"url": "https://web.archive.org/web/20190508170055/https://www.symantec.com/security-center/writeup/2000-122010-2655-99"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_impact_type": [
"Availability"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-24 17:49:37.207000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1046: Boot Integrity",
"M1051: Update Software"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0167: Firmware Modification via Flash Tool or Corrupted Firmware Upload"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:47:16.719000+00:00",
"modified": "2026-05-12 15:12:00.642000+00:00",
"name": "Client Configurations",
"description": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1592/004",
"external_id": "T1592.004"
},
{
"source_name": "ATT ScanBox",
"description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
"url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2025-10-24 17:48:58.431000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0820: Detection of Client Configurations"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:42:17.482000+00:00",
"modified": "2026-05-12 15:12:00.710000+00:00",
"name": "Software",
"description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Additionally, adversaries may analyze metadata from victim-owned files (e.g., PDFs, DOCs, images, and sound files hosted on victim-owned websites) to extract information about the software and hardware used to create or process those files. Metadata may reveal software versions, configurations, or timestamps that indicate outdated or vulnerable software. This information can be cross-referenced with known CVEs to identify potential vectors for exploitation in future operations.(Citation: Outpost24)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1592/002",
"external_id": "T1592.002"
},
{
"source_name": "ATT ScanBox",
"description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
"url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
},
{
"source_name": "Outpost24",
"description": "Stijn Vande Casteele. (2025, March 31). How to analyze metadata and hide it from hackers. Retrieved July 2, 2025.",
"url": "https://outpost24.com/blog/metadata-hackers-best-friend/"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Michal Biesiada"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.710000+00:00\", \"old_value\": \"2025-10-24 17:49:17.631000+00:00\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0888: Detection of Software"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 14:54:59.263000+00:00",
"modified": "2026-05-12 15:12:00.633000+00:00",
"name": "Gather Victim Identity Information",
"description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA /methods associated with those usernames.(Citation: GrimBlog UsernameEnum)(Citation: Obsidian SSPR Abuse 2023) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1589",
"external_id": "T1589"
},
{
"source_name": "OPM Leak",
"description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved September 16, 2024.",
"url": "https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/"
},
{
"source_name": "Detectify Slack Tokens",
"description": "Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved November 17, 2024.",
"url": "https://labs.detectify.com/writeups/slack-bot-token-leakage-exposing-business-critical-information/"
},
{
"source_name": "GitHub truffleHog",
"description": "Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020.",
"url": "https://github.com/dxa4481/truffleHog"
},
{
"source_name": "GrimBlog UsernameEnum",
"description": "GrimHacker. (2017, July 24). Office365 ActiveSync Username Enumeration. Retrieved December 9, 2021.",
"url": "https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/"
},
{
"source_name": "Register Uber",
"description": "McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020.",
"url": "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/"
},
{
"source_name": "GitHub Gitrob",
"description": "Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020.",
"url": "https://github.com/michenriksen/gitrob"
},
{
"source_name": "CNET Leaks",
"description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.",
"url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/"
},
{
"source_name": "Obsidian SSPR Abuse 2023",
"description": "Noah Corradin and Shuyang Wang. (2023, August 1). Behind The Breach: Self-Service Password Reset (SSPR) Abuse in Azure AD. Retrieved March 28, 2024.",
"url": "https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/"
},
{
"source_name": "Forbes GitHub Creds",
"description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.",
"url": "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196"
},
{
"source_name": "Register Deloitte",
"description": "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020.",
"url": "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)",
"Obsidian Security"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:47.303000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0841: Detection of Gather Victim Identity Information"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 14:56:24.866000+00:00",
"modified": "2026-05-12 15:12:00.640000+00:00",
"name": "Email Addresses",
"description": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\n\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Email addresses could also be enumerated via more active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType.(Citation: GitHub Office 365 User Enumeration)(Citation: Azure Active Directory Reconnaisance)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Brute Force](https://attack.mitre.org/techniques/T1110) via [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1589/002",
"external_id": "T1589.002"
},
{
"source_name": "Azure Active Directory Reconnaisance",
"description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.",
"url": "https://o365blog.com/post/just-looking/"
},
{
"source_name": "GitHub Office 365 User Enumeration",
"description": "gremwell. (2020, March 24). Office 365 User Enumeration. Retrieved May 27, 2022.",
"url": "https://github.com/gremwell/o365enum"
},
{
"source_name": "GrimBlog UsernameEnum",
"description": "GrimHacker. (2017, July 24). Office365 ActiveSync Username Enumeration. Retrieved December 9, 2021.",
"url": "https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/"
},
{
"source_name": "HackersArise Email",
"description": "Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved October 20, 2020.",
"url": "https://www.hackers-arise.com/email-scraping-and-maltego"
},
{
"source_name": "CNET Leaks",
"description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.",
"url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:54.336000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0814: Detection of Email Addresses"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:01:35.350000+00:00",
"modified": "2026-05-12 15:12:00.640000+00:00",
"name": "Network Security Appliances",
"description": "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1590/006",
"external_id": "T1590.006"
},
{
"source_name": "Nmap Firewalls NIDS",
"description": "Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems. Retrieved October 20, 2020.",
"url": "https://nmap.org/book/firewalls.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:55.360000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0889: Detection of Network Security Appliances"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 15:49:03.815000+00:00",
"modified": "2026-05-12 15:12:00.625000+00:00",
"name": "Network Topology",
"description": "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1590/004",
"external_id": "T1590.004"
},
{
"source_name": "DNS Dumpster",
"description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
"url": "https://dnsdumpster.com/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2025-10-24 17:48:37.652000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0819: Detection of Network Topology"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:27:02.339000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Gather Victim Org Information",
"description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1591",
"external_id": "T1591"
},
{
"source_name": "ThreatPost Broadvoice Leak",
"description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.",
"url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/"
},
{
"source_name": "SEC EDGAR Search",
"description": "U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved November 17, 2024.",
"url": "https://www.sec.gov/edgar/search/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:06.846000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0890: Detection of Gather Victim Org Information"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b512fb8a-18dd-4bfc-bbad-acbaaeb7dde3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2026-03-25 14:24:06.194000+00:00",
"modified": "2026-05-12 15:12:00.709000+00:00",
"name": "Generate Content",
"description": "Adversaries may create or generate content to support targeting and operations. This content may be used to establish personas, impersonate known individuals or organizations, and support [Social Engineering](https://attack.mitre.org/techniques/T1684), fraud, or influence activities. Written materials, audio, images, video, or other media may be developed and tailored to the target and objective.(Citation: IBM AI-Generated Content)\n\nContent development may occur prior to or during an operation. Adversaries may develop or generate content in-house, source it through third parties, or produce it using AI-assisted tools. Adversaries may use AI to research targets, develop pretexts, and better understand the organizations and individuals they intend to target or deceive prior to generating content (i.e., [Query Public AI Services](https://attack.mitre.org/techniques/T1682)); for obtaining access to AI tools used in content generation, see [Artificial Intelligence](https://attack.mitre.org/techniques/T1588/007). \n\nContent may be leveraged in support of techniques such as [Phishing](https://attack.mitre.org/techniques/T1566), [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Social Engineering](https://attack.mitre.org/techniques/T1684), [Financial Theft](https://attack.mitre.org/techniques/T1657), or [Establish Accounts](https://attack.mitre.org/techniques/T1585). Generated or developed content does not include malicious code or scripts (i.e., [Develop Capabilities](https://attack.mitre.org/techniques/T1587) and [Artificial Intelligence](https://attack.mitre.org/techniques/T1588/007)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1683",
"external_id": "T1683"
},
{
"source_name": "IBM AI-Generated Content",
"description": "Tim Mucci. (n.d.). What is AI-Generated Content?. Retrieved April 22, 2026.",
"url": "https://www.ibm.com/think/insights/ai-generated-content"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-23 23:36:34.476000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0916: Detection of Generate Content"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--8f452cb4-cbf4-4522-8b11-448787be95c4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2026-03-25 14:28:15.331000+00:00",
"modified": "2026-05-12 15:12:00.705000+00:00",
"name": "Audio-Visual Content",
"description": "Adversaries may create or manipulate audio, image, and video content to support targeting and malicious operations. Adversaries may also use synthetic voice recordings, real-time altered audio or video during live interactions, fabricated profile photos and identity documents, or video content depicting fabricated or impersonated individuals.(Citation: Nov AI Threat Tracker)\n\nContent may be produced manually through editing tools, generated using AI-assisted tools, or produced using third-party synthetic services.(Citation: FBI 2025 AI Generate Content)(Citation: Europol Deepfakes) AI-assisted tools have enabled adversaries to produce synthetic media at scale and generate content that is more difficult to identify as inauthentic. \n\nAudio-visual content produced through these methods may be used in support of other techniques, such as [Phishing](https://attack.mitre.org/techniques/T1660), [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003), [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Social Engineering](https://attack.mitre.org/techniques/T1684), [Financial Theft](https://attack.mitre.org/techniques/T1657), or [Establish Accounts](https://attack.mitre.org/techniques/T1585).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1683/002",
"external_id": "T1683.002"
},
{
"source_name": "Europol Deepfakes",
"description": "Europol. (2022). FACING REALITY? LAW ENFORCEMENT AND THE CHALLENGE OF DEEPFAKES. Retrieved April 17, 2026.",
"url": "https://www.europol.europa.eu/cms/sites/default/files/documents/Europol_Innovation_Lab_Facing_Reality_Law_Enforcement_And_The_Challenge_Of_Deepfakes.pdf"
},
{
"source_name": "Nov AI Threat Tracker",
"description": "Google Threat Intelligence Group. (2025, November 5). GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools. Retrieved March 31, 2026.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"
},
{
"source_name": "FBI 2025 AI Generate Content",
"description": "Internet Crime Complaint Center, FBI. (2025). Federal Bureau of Investigation Internet Crime Report, 2025. Retrieved April 17, 2026.",
"url": "https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gilberto P\u00e9rez",
"Alex Wong",
"Patrick Mkhael (aka Pinguino)"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2026-04-20 15:34:51.855000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0918: Detection of Audio-Visual Content"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--6a6f9892-c46a-46db-b331-c09a99200fcf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2026-03-25 14:26:19.040000+00:00",
"modified": "2026-05-12 15:12:00.640000+00:00",
"name": "Written Content",
"description": "Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time.(Citation: GenAI Phishing)(Citation: GTIG AI Threat Tracker) Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools.\n\nWritten materials may impersonate legitimate government correspondence, diplomatic communications, or internal organizational documents to support targeting efforts. AI-assisted tools may also be used to tailor content to specific targets, industries, or regions. For example, adversaries may leverage AI to translate content into a target's native language or mimic the communication style of trusted senders.\n\nWritten content produced through these methods may be used in support of other techniques, such as [Phishing](https://attack.mitre.org/techniques/T1660), [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003), [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Social Engineering](https://attack.mitre.org/techniques/T1684), [Financial Theft](https://attack.mitre.org/techniques/T1657), or [Establish Accounts](https://attack.mitre.org/techniques/T1585).\n\nWritten content does not include malicious code or scripts; for development of malicious code and scripts, see [Develop Capabilities](https://attack.mitre.org/techniques/T1587).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1683/001",
"external_id": "T1683.001"
},
{
"source_name": "GenAI Phishing",
"description": "Adaptive Team. (2025, August 29). Generative AI Phishing: How to Defend in 2025. Retrieved March 26, 2026.",
"url": "https://www.adaptivesecurity.com/blog/ai-phishing"
},
{
"source_name": "GTIG AI Threat Tracker",
"description": "Google Threat Intelligence Group . (2026, February 12). GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use. Retrieved March 25, 2026.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2026-04-20 15:34:25.836000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0917: Detection of Written Content"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-26 17:41:25.933000+00:00",
"modified": "2026-05-12 15:12:00.623000+00:00",
"name": "Hide Artifacts",
"description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564",
"external_id": "T1564"
},
{
"source_name": "Cybereason OSX Pirrit",
"description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.",
"url": "https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
},
{
"source_name": "MalwareBytes ADS July 2015",
"description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
"url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
},
{
"source_name": "Sofacy Komplex Trojan",
"description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
},
{
"source_name": "Sophos Ragnar May 2020",
"description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.",
"url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Office Suite",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-15 20:17:25.231000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1013: Application Developer Guidance",
"M1033: Limit Software Installation",
"M1047: Audit",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0502: Detection Strategy for Hidden Artifacts Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--5bd41255-a224-4425-a2e2-e9d293eafe1c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-01-30 21:01:16.340000+00:00",
"modified": "2026-05-12 15:12:00.635000+00:00",
"name": "Bind Mounts",
"description": "Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It\u2019s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access. \n\nAdversaries may use bind mounts to map either an empty directory or a benign `/proc` directory to a malicious process\u2019s `/proc` directory. Using the commands `mount \u2013o bind /proc/benign-process /proc/malicious-process` (or `mount \u2013B`), the malicious process's `/proc` directory is overlayed with the contents of a benign process's `/proc` directory. When system utilities query process activity, such as `ps` and `top`, the kernel follows the bind mount and presents the benign directory\u2019s contents instead of the malicious process's actual `/proc` directory. As a result, these utilities display information that appears to come from the benign process, effectively hiding the malicious process's metadata, executable, or other artifacts from detection.(Citation: Cado Security Commando Cat 2024)(Citation: Ahn Lab CoinMiner 2023)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/013",
"external_id": "T1564.013"
},
{
"source_name": "Ahn Lab CoinMiner 2023",
"description": "Ahn Lab. (2023, April 24). CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers. Retrieved April 4, 2025.",
"url": "https://asec.ahnlab.com/en/51908/"
},
{
"source_name": "Cado Security Commando Cat 2024",
"description": "Nate Bill & Matt Muir. (2024, February 1). The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker. Retrieved April 4, 2025.",
"url": "https://www.cadosecurity.com/blog/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"L\u00ea Ph\u01b0\u01a1ng Nam, Group-IB"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-15 20:17:48.263000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0428: Detection Strategy for Bind Mounts on Linux"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-07 13:20:23.767000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Email Hiding Rules",
"description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)\n\nIn some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/008",
"external_id": "T1564.008"
},
{
"source_name": "MacOS Email Rules",
"description": "Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.",
"url": "https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac"
},
{
"source_name": "Microsoft Mail Flow Rules 2023",
"description": "Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.",
"url": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
},
{
"source_name": "Microsoft Inbox Rules",
"description": "Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.",
"url": "https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59"
},
{
"source_name": "Microsoft New-InboxRule",
"description": "Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps"
},
{
"source_name": "Microsoft Set-InboxRule",
"description": "Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps"
},
{
"source_name": "Microsoft Cloud App Security",
"description": "Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.",
"url": "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Dor Edry, Microsoft",
"Liran Ravich, CardinalOps"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS",
"Office Suite"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 20:18:10.251000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0192: Detection Strategy for Email Hiding Rules"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--762e6f29-a62f-4d96-91ed-d0073181431f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-27 19:40:00.716000+00:00",
"modified": "2026-05-12 15:12:00.642000+00:00",
"name": "Extended Attributes",
"description": "Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like `Finder`, `ls`, or `cat` and require utilities such as `xattr` (macOS) or `getfattr` (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as `user.` (user permissions), `trusted.` (root permissions), `security.`, and `system.`, each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with `com.apple.*` (e.g., `com.apple.quarantine`, `com.apple.metadata:_kMDItemUserTags`) and used by system features like Gatekeeper and Spotlight.(Citation: Establishing persistence using extended attributes on Linux)\n\nAn adversary may leverage xattrs by embedding a second-stage payload into the extended attribute of a legitimate file. On macOS, a payload can be embedded into a custom attribute using the `xattr` command. A separate loader can retrieve the attribute with `xattr -p`, decode the content, and execute it using a scripting interpreter. On Linux, an adversary may use `setfattr` to write a payload into the `user.` namespace of a legitimate file. A loader script can later extract the payload with `getfattr --only-values`, decode it, and execute it using bash or another interpreter. In both cases, because the primary file content remains unchanged, security tools and integrity checks that do not inspect extended attributes will observe the original file hash, allowing the malicious payload to evade detection.(Citation: Low GroupIB xattrs nov 2024)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/014",
"external_id": "T1564.014"
},
{
"source_name": "Establishing persistence using extended attributes on Linux",
"description": "Irem Kuyucu. (2024, August 6). Establishing persistence using extended attributes on Linux. Retrieved March 27, 2025.",
"url": "https://kernal.eu/posts/linux-xattr-persistence/"
},
{
"source_name": "Low GroupIB xattrs nov 2024",
"description": "Sharmine Low. (2024, November 13). Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes. Retrieved March 27, 2025.",
"url": "https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Sharmine Low, Group-IB",
"Rouven Bissinger (SySS GmbH)",
"RoseSecurity"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2026-04-15 20:19:25.896000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0406: Detection Strategy for Extended Attributes Abuse"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--09b008a9-b4eb-462a-a751-a0eb58050cd9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-03-29 16:59:10.374000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "File/Path Exclusions",
"description": "Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\n\nAdversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/012",
"external_id": "T1564.012"
},
{
"source_name": "Microsoft File Folder Exclusions",
"description": "Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024.",
"url": "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-16 19:21:42.768000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1013: Application Developer Guidance",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0051: Detection Strategy for File/Path Exclusions"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-28 22:55:55.719000+00:00",
"modified": "2026-05-12 15:12:00.722000+00:00",
"name": "Hidden File System",
"description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\n\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/005",
"external_id": "T1564.005"
},
{
"source_name": "FireEye Bootkits",
"description": "Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html"
},
{
"source_name": "ESET ComRAT May 2020",
"description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf"
},
{
"source_name": "MalwareTech VFS Nov 2014",
"description": "Hutchins, M. (2014, November 28). Virtual File Systems for Beginners. Retrieved June 22, 2020.",
"url": "https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html"
},
{
"source_name": "Kaspersky Equation QA",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.",
"url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-15 20:22:45.621000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0461: Detection Strategy for Hidden File System Abuse"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-26 17:46:13.128000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "Hidden Files and Directories",
"description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls \u2013a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.\n\nAdditionally, adversaries may name files in a manner that would allow the file to be hidden such as naming a file only a \u201cspace\u201d character.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/001",
"external_id": "T1564.001"
},
{
"source_name": "WireLurker",
"description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.",
"url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
},
{
"source_name": "Sofacy Komplex Trojan",
"description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
},
{
"source_name": "Antiquated Mac Malware",
"description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gr@ve_Rose (tcpdump101.com on bsky)"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 20:23:13.914000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0032: Detection Strategy for Hidden Files and Directories"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 20:12:40.876000+00:00",
"modified": "2026-05-12 15:12:00.705000+00:00",
"name": "Hidden Users",
"description": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users. \n\nIn macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value Hide500Users to TRUE in the /Library/Preferences/com.apple.loginwindow plist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated with it. When the Hide500Users key value is set to TRUE, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the dscl utility to create hidden user accounts by setting the IsHidden attribute to 1. Adversaries can also hide a user\u2019s home folder by changing the chflags to hidden.(Citation: Apple Support Hide a User Account) \n\nAdversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)\n\nOn Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manger (GDM), accounts may be hidden from the greeter using the gsettings command (ex: sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true).(Citation: Hide GDM User Accounts) Display Managers are not anchored to specific distributions and may be changed by a user or adversary.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/002",
"external_id": "T1564.002"
},
{
"source_name": "Cybereason OSX Pirrit",
"description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.",
"url": "https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
},
{
"source_name": "Apple Support Hide a User Account",
"description": "Apple. (2020, November 30). Hide a user account in macOS. Retrieved December 10, 2021.",
"url": "https://support.apple.com/en-us/HT203998"
},
{
"source_name": "FireEye SMOKEDHAM June 2021",
"description": "FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
},
{
"source_name": "Hide GDM User Accounts",
"description": "Ji Mingkui. (2021, June 17). How to Hide All The User Accounts in Ubuntu 20.04, 21.04 Login Screen. Retrieved March 15, 2022.",
"url": "https://ubuntuhandbook.org/index.php/2021/06/hide-user-accounts-ubuntu-20-04-login-screen/"
},
{
"source_name": "US-CERT TA18-074A",
"description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Omkar Gudhate"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2026-04-15 20:23:44.205000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0353: Detection Strategy for Hidden User Accounts"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 20:26:49.433000+00:00",
"modified": "2026-05-12 15:12:00.716000+00:00",
"name": "Hidden Window",
"description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)\n\nOn macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nSimilarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.(Citation: PowerShell About 2019)\n\nThe Windows Registry can also be edited to hide application windows from the current user. For example, by setting the `WindowPosition` subkey in the `HKEY_CURRENT_USER\\Console\\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe` Registry key to a maximum value, PowerShell windows will open off screen and be hidden.(Citation: Cantoris Computing)\n\nIn addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.\n\nAdversaries may also leverage cmd.exe(Citation: Cybereason - Hidden Malicious Remote Access) as a parent process, and then utilize a LOLBin, such as DeviceCredentialDeployment.exe,(Citation: LOLBAS Project GitHub Device Cred Dep)(Citation: SecureList BlueNoroff Device Cred Dev) to hide windows.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/003",
"external_id": "T1564.003"
},
{
"source_name": "Cantoris Computing",
"description": "Cantoris. (2016, July 22). PowerShell Malware. Retrieved December 12, 2024.",
"url": "https://cantoriscomputing.wordpress.com/2016/07/22/powershell-malware/"
},
{
"source_name": "Cybereason - Hidden Malicious Remote Access",
"description": "Cybereason Security Services Team. (n.d.). Behind Closed Doors: The Rise of Hidden Malicious Remote Access. Retrieved July 22, 2025.",
"url": "https://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access"
},
{
"source_name": "LOLBAS Project GitHub Device Cred Dep",
"description": "Elliot Killick. (n.d.). /DeviceCredentialDeployment.exe. Retrieved July 22, 2025.",
"url": "https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/"
},
{
"source_name": "Hidden VNC",
"description": "Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners. Retrieved November 28, 2023.",
"url": "https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html"
},
{
"source_name": "Anatomy of an hVNC Attack",
"description": "Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an hVNC Attack. Retrieved November 28, 2023.",
"url": "https://securityintelligence.com/anatomy-of-an-hvnc-attack/"
},
{
"source_name": "SecureList BlueNoroff Device Cred Dev",
"description": "Seongsu Park. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved July 22, 2025.",
"url": "https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
},
{
"source_name": "Antiquated Mac Malware",
"description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
},
{
"source_name": "PowerShell About 2019",
"description": "Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019.",
"url": "https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Liran Ravich, CardinalOps",
"Mark Tsipershtein",
"Travis Smith, Tripwire",
"Vijay Lalwani"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 20:23:51.965000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1033: Limit Software Installation",
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0128: Detection Strategy for Hidden Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-08-24 17:23:34.470000+00:00",
"modified": "2026-05-12 15:12:00.630000+00:00",
"name": "Ignore Process Interrupts",
"description": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. \n\nAdversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.\n\nHiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/011",
"external_id": "T1564.011"
},
{
"source_name": "Linux Signal Man",
"description": "Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.",
"url": "https://man7.org/linux/man-pages/man7/signal.7.html"
},
{
"source_name": "nohup Linux Man",
"description": "Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.",
"url": "https://linux.die.net/man/1/nohup"
},
{
"source_name": "Microsoft PowerShell SilentlyContinue",
"description": "Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.",
"url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Viren Chaudhari, Qualys"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2026-04-15 20:24:37.027000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0067: Detection Strategy for Ignore Process Interrupts"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 20:33:00.009000+00:00",
"modified": "2026-05-12 15:12:00.724000+00:00",
"name": "NTFS File Attributes",
"description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/004",
"external_id": "T1564.004"
},
{
"source_name": "MalwareBytes ADS July 2015",
"description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
"url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
},
{
"source_name": "SpectorOps Host-Based Jul 2017",
"description": "Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018.",
"url": "https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea"
},
{
"source_name": "Journey into IR ZeroAccess NTFS EA",
"description": "Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.",
"url": "http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html"
},
{
"source_name": "Microsoft NTFS File Attributes Aug 2010",
"description": "Hughes, J. (2010, August 25). NTFS File Attributes. Retrieved March 21, 2018.",
"url": "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/"
},
{
"source_name": "Microsoft ADS Mar 2014",
"description": "Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.",
"url": "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/"
},
{
"source_name": "Microsoft File Streams",
"description": "Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Oddvar Moe, @oddvarmoe",
"Red Canary"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2026-04-15 20:24:50.745000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0432: Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-11-19 14:13:11.335000+00:00",
"modified": "2026-05-12 15:12:00.727000+00:00",
"name": "Process Argument Spoofing",
"description": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)\n\nAdversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://attack.mitre.org/techniques/T1106) WriteProcessMemory() function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)\n\nAdversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)\n\nThis behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004)) to manipulate or further evade process-based detections.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/010",
"external_id": "T1564.010"
},
{
"source_name": "Xpn Argue Like Cobalt 2019",
"description": "Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021.",
"url": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/"
},
{
"source_name": "Nviso Spoof Command Line 2020",
"description": "Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.",
"url": "https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/"
},
{
"source_name": "FireEye FiveHands April 2021",
"description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
},
{
"source_name": "Microsoft PEB 2021",
"description": "Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.",
"url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb"
},
{
"source_name": "Cobalt Strike Arguments 2019",
"description": "Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021.",
"url": "https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.727000+00:00\", \"old_value\": \"2026-04-15 20:25:25.946000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0045: Detection Strategy for Process Argument Spoofing on Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-12 20:02:31.866000+00:00",
"modified": "2026-05-12 15:12:00.708000+00:00",
"name": "Resource Forking",
"description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file\u2019s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/009",
"external_id": "T1564.009"
},
{
"source_name": "tau bundlore erika noerenberg 2020",
"description": "Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.",
"url": "https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html"
},
{
"source_name": "Resource and Data Forks",
"description": "Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.",
"url": "https://flylib.com/books/en/4.395.1.192/1/"
},
{
"source_name": "ELC Extended Attributes",
"description": "Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.",
"url": "https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/"
},
{
"source_name": "sentinellabs resource named fork 2020",
"description": "Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.",
"url": "https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/"
},
{
"source_name": "macOS Hierarchical File System Overview",
"description": "Tenon. (n.d.). Retrieved October 12, 2021.",
"url": "http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ivan Sinyakov",
"Jaron Bradley @jbradley89"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2026-04-15 20:25:32.891000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1013: Application Developer Guidance"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0584: Detection Strategy for Resource Forking on macOS"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-29 15:36:41.535000+00:00",
"modified": "2026-05-12 15:12:00.709000+00:00",
"name": "Run Virtual Instance",
"description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)\n\nThreat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the `PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero\u2019s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/007",
"external_id": "T1564.007"
},
{
"source_name": "pcodedmp Bontchev",
"description": "Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020.",
"url": "https://github.com/bontchev/pcodedmp"
},
{
"source_name": "FireEye VBA stomp Feb 2020",
"description": "Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.",
"url": "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html"
},
{
"source_name": "Evil Clippy May 2019",
"description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.",
"url": "https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/"
},
{
"source_name": "Microsoft _VBA_PROJECT Stream",
"description": "Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020.",
"url": "https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239"
},
{
"source_name": "Walmart Roberts Oct 2018",
"description": "Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping \u2014 Advanced Maldoc Techniques. Retrieved September 17, 2020.",
"url": "https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Rick Cole, Mandiant"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 20:26:09.220000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0012: Detection Strategy for VBA Stomping"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--eb897572-8979-4242-a089-56f294f4c91d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-02-13 17:00:00.175000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "Hide Infrastructure",
"description": "Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.\n\nC2 networks may include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.(Citation: sysdig)(Citation: Orange Residential Proxies)\n\nAdversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.(Citation: mod_rewrite)(Citation: SocGholish-update) Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)).(Citation: TA571)(Citation: mod_rewrite)\n\nHiding C2 infrastructure may also be supported by [Resource Development](https://attack.mitre.org/tactics/TA0042) activities such as [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) and [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584). For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.(Citation: StarBlizzard)(Citation: QR-cofense)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1665",
"external_id": "T1665"
},
{
"source_name": "SocGholish-update",
"description": "Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.",
"url": "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update"
},
{
"source_name": "TA571",
"description": "Axel F, Selena Larson. (2023, October 30). TA571 Delivers IcedID Forked Loader. Retrieved February 13, 2024.",
"url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader"
},
{
"source_name": "mod_rewrite",
"description": "Bluescreenofjeff.com. (2015, April 12). Combatting Incident Responders with Apache mod_rewrite. Retrieved February 13, 2024.",
"url": "https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/"
},
{
"source_name": "Browser-updates",
"description": "Dusty Miller. (2023, October 17). Are You Sure Your Browser is Up to Date? The Current Landscape of Fake Browser Updates . Retrieved February 13, 2024.",
"url": "https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates"
},
{
"source_name": "StarBlizzard",
"description": "Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.",
"url": "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/"
},
{
"source_name": "QR-cofense",
"description": "Nathaniel Raymond. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved February 13, 2024.",
"url": "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/"
},
{
"source_name": "Schema-abuse",
"description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved February 13, 2024.",
"url": "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
},
{
"source_name": "Orange Residential Proxies",
"description": "Orange Cyberdefense. (2024, March 14). Unveiling the depths of residential proxies providers. Retrieved April 11, 2024.",
"url": "https://www.orangecyberdefense.com/global/blog/research/residential-proxies"
},
{
"source_name": "Facad1ng",
"description": "Spyboy. (2023). Facad1ng. Retrieved February 13, 2024.",
"url": "https://github.com/spyboy-productions/Facad1ng"
},
{
"source_name": "sysdig",
"description": "Sysdig. (2023). Sysdig Global Cloud Threat Report. Retrieved March 1, 2024.",
"url": "https://sysdig.com/content/c/pf-2023-global-cloud-threat-report?x=u_WFRi&xs=524303#page=1"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Diyar Saadi Ali",
"Eliav Livneh",
"Hen Porcilan",
"Matt Mullins"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-22 03:57:22.646000+00:00\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0411: Detection Strategy for Hide Infrastructure"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-12 20:38:12.465000+00:00",
"modified": "2026-05-12 15:12:00.707000+00:00",
"name": "Hijack Execution Flow",
"description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574",
"external_id": "T1574"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-04-20 21:18:17.156000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1013: Application Developer Guidance",
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1024: Restrict Registry Permissions",
"M1038: Execution Prevention",
"M1040: Behavior Prevention on Endpoint",
"M1044: Restrict Library Loading",
"M1047: Audit",
"M1051: Update Software",
"M1052: User Account Control"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0218: Detection Strategy for Hijack Execution Flow across OS platforms."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-03-28 15:36:34.141000+00:00",
"modified": "2026-05-12 15:12:00.626000+00:00",
"name": "AppDomainManager",
"description": "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/014",
"external_id": "T1574.014"
},
{
"source_name": "PenTestLabs AppDomainManagerInject",
"description": "Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND DETECTION. Retrieved March 28, 2024.",
"url": "https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/"
},
{
"source_name": "Microsoft App Domains",
"description": "Microsoft. (2021, September 15). Application domains. Retrieved March 28, 2024.",
"url": "https://learn.microsoft.com/dotnet/framework/app-domains/application-domains"
},
{
"source_name": "PwC Yellow Liderc",
"description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.",
"url": "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html"
},
{
"source_name": "Rapid7 AppDomain Manager Injection",
"description": "Spagnola, N. (2023, May 5). AppDomain Manager Injection: New Techniques For Red Teams. Retrieved March 29, 2024.",
"url": "https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ivy Drexel",
"Thomas B"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2026-04-15 22:57:09.601000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0517: Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-24 22:30:55.843000+00:00",
"modified": "2026-05-12 15:12:00.727000+00:00",
"name": "COR_PROFILER",
"description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/012",
"external_id": "T1574.012"
},
{
"source_name": "Almond COR_PROFILER Apr 2019",
"description": "Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.",
"url": "https://offsec.almond.consulting/UAC-bypass-dotnet.html"
},
{
"source_name": "Red Canary COR_PROFILER May 2020",
"description": "Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.",
"url": "https://redcanary.com/blog/cor_profiler-for-persistence/"
},
{
"source_name": "RedCanary Mockingbird May 2020",
"description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.",
"url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/"
},
{
"source_name": "Microsoft COR_PROFILER Feb 2013",
"description": "Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020.",
"url": "https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)"
},
{
"source_name": "Microsoft Profiling Mar 2017",
"description": "Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020.",
"url": "https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview"
},
{
"source_name": "subTee .NET Profilers May 2017",
"description": "Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020.",
"url": "https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html"
},
{
"source_name": "GitHub OmerYa Invisi-Shell",
"description": "Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020.",
"url": "https://github.com/OmerYa/Invisi-Shell"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jesse Brown, Red Canary"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.727000+00:00\", \"old_value\": \"2026-04-16 18:58:17.752000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1024: Restrict Registry Permissions",
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0479: Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 18:11:08.357000+00:00",
"modified": "2026-05-12 15:12:00.624000+00:00",
"name": "DLL",
"description": "Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)\n\nSpecific ways DLLs are abused by adversaries include:\n\n### DLL Sideloading\nAdversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).\n\nSide-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.\n\nAdversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)\n\nAdversaries may chain DLL sideloading multiple times to fragment functionality hindering analysis. Adversaries using multiple DLL files can split the loader functions across different DLLs, with a main DLL loading the separated export functions. (Citation: Virus Bulletin) Spreading loader functions across multiple DLLs makes analysis harder, since all files must be collected to fully understand the malware\u2019s behavior. Another method implements a \u201cloader-for-a-loader\u201d, where a malicious DLL\u2019s sole role is to load a second DLL (or a chain of DLLs) that contain the real payload. (Citation: Sophos)\n\n### DLL Search Order Hijacking\nAdversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)\n\n### DLL Redirection\nAdversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)\n\n### Phantom DLL Hijacking\nAdversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)\n\n### DLL Substitution\nAdversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)\n\nPrograms that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.\n\nRemote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)\n\nIf a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/001",
"external_id": "T1574.001"
},
{
"source_name": "Hijack DLLs CrowdStrike",
"description": " falcon.overwatch.team. (2022, December 30). 4 Ways Adversaries Hijack DLLs \u2014 and How CrowdStrike Falcon OverWatch Fights Back. Retrieved January 30, 2025.",
"url": "https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/"
},
{
"source_name": "kroll bpl",
"description": "Dave Truman. (2024, June 24). Novel Technique Combination Used In IDATLOADER Distribution. Retrieved January 30, 2025.",
"url": "https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution"
},
{
"source_name": "Sophos",
"description": "Gabor Szappanos. (2023, May 3). A doubled \u201cDragon Breath\u201d adds new air to DLL sideloading attacks. Retrieved October 3, 2025.",
"url": "https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/"
},
{
"source_name": "Hexacorn DLL Hijacking",
"description": "Hexacorn. (2013, December 8). Beyond good ol\u2019 Run key, Part 5. Retrieved August 14, 2024.",
"url": "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/"
},
{
"source_name": "microsoft remote preloading",
"description": "Microsoft. (2014, May 13). Microsoft Security Advisory 2269637: Insecure Library Loading Could Allow Remote Code Execution. Retrieved January 30, 2025.",
"url": "https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637"
},
{
"source_name": "Microsoft - manifests/assembly",
"description": "Microsoft. (2021, January 7). Manifests. Retrieved January 30, 2025.",
"url": "https://learn.microsoft.com/en-us/windows/win32/sbscs/manifests?redirectedfrom=MSDN"
},
{
"source_name": "Microsoft redirection",
"description": "Microsoft. (2023, October 12). Dynamic-link library redirection. Retrieved January 30, 2025.",
"url": "https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN"
},
{
"source_name": "dll pre load owasp",
"description": "OWASP. (n.d.). Binary Planting. Retrieved January 30, 2025.",
"url": "https://owasp.org/www-community/attacks/Binary_planting"
},
{
"source_name": "Virus Bulletin",
"description": "Suguru Ishimaru, Hajime Yanagishita, Yusuke Niwa. (2023, October 5). Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload. Retrieved October 3, 2025.",
"url": "https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/"
},
{
"source_name": "unit 42",
"description": "Tom Fakterman, Chen Erlich, & Assaf Dahan. (2024, February 22). Intruders in the Library: Exploring DLL Hijacking. Retrieved January 30, 2025.",
"url": "https://unit42.paloaltonetworks.com/dll-hijacking-techniques/"
},
{
"source_name": "Wietze Beukema DLL Hijacking",
"description": "Wietze Beukema. (2020, June 22). Hijacking DLLs in Windows. Retrieved April 8, 2025.",
"url": "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ami Holeston, CrowdStrike",
"Hajime Yanagishita, Macnica, Inc.",
"Marina Liang",
"Stefan Kanthak",
"Suguru Ishimaru, ITOCHU Cyber & Intelligence Inc.",
"Travis Smith, Tripwire",
"Wietze Beukema @Wietze",
"Will Alexander, CrowdStrike",
"Yusuke Niwa, ITOCHU Cyber & Intelligence Inc."
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2026-04-15 22:57:22.515000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1013: Application Developer Guidance",
"M1038: Execution Prevention",
"M1044: Restrict Library Loading",
"M1047: Audit",
"M1051: Update Software"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0201: Detection Strategy for Hijack Execution Flow for DLLs"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-16 15:23:30.896000+00:00",
"modified": "2026-05-12 15:12:00.726000+00:00",
"name": "Dylib Hijacking",
"description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/004",
"external_id": "T1574.004"
},
{
"source_name": "MalwareUnicorn macOS Dylib Injection MachO",
"description": "Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.",
"url": "https://malwareunicorn.org/workshops/macos_dylib_injection.html#5"
},
{
"source_name": "Wardle Dylib Hijacking OSX 2015",
"description": "Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved March 29, 2021.",
"url": "https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf"
},
{
"source_name": "Writing Bad Malware for OSX",
"description": "Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.",
"url": "https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf"
},
{
"source_name": "Wardle Dylib Hijack Vulnerable Apps",
"description": "Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.",
"url": "https://objective-see.com/blog/blog_0x46.html"
},
{
"source_name": "wardle artofmalware volume1",
"description": "Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved November 17, 2024.",
"url": "https://taomm.org/vol1/read.html"
},
{
"source_name": "Github EmpireProject HijackScanner",
"description": "Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.",
"url": "https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py"
},
{
"source_name": "Github EmpireProject CreateHijacker Dylib",
"description": "Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.",
"url": "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS"
],
"x_mitre_remote_support": false,
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-15 22:58:27.104000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0152: Detection Strategy for Hijack Execution Flow: Dylib Hijacking"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 20:09:59.569000+00:00",
"modified": "2026-05-12 15:12:00.636000+00:00",
"name": "Dynamic Linker Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD)\n\nHijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used `LD_PRELOAD` to inject a malicious library into every descendant process of the `sshd` daemon, resulting in execution under a legitimate process. When the executing sub-process calls the `execve` function, for example, the malicious library\u2019s `execve` function is executed rather than the system function `execve` contained in the system library on disk. This allows adversaries to [Hide Artifacts](https://attack.mitre.org/techniques/T1564) from detection, as hooking system functions such as `execve` and `readdir` enables malware to scrub its own artifacts from the results of commands such as `ls`, `ldd`, `iptables`, and `dmesg`.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024)\n\nHijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/006",
"external_id": "T1574.006"
},
{
"source_name": "Apple Doco Archive Dynamic Libraries",
"description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
"url": "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
},
{
"source_name": "Baeldung LD_PRELOAD",
"description": "baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021.",
"url": "https://www.baeldung.com/linux/ld_preload-trick-what-is"
},
{
"source_name": "TheEvilBit DYLD_INSERT_LIBRARIES",
"description": "Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020.",
"url": "https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/"
},
{
"source_name": "Intezer Symbiote 2022",
"description": "Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.",
"url": "https://intezer.com/blog/research/new-linux-threat-symbiote/"
},
{
"source_name": "Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass",
"description": "Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021.",
"url": "https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191"
},
{
"source_name": "Man LD.SO",
"description": "Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.",
"url": "https://www.man7.org/linux/man-pages/man8/ld.so.8.html"
},
{
"source_name": "Elastic Security Labs Pumakit 2024",
"description": "Remco Sprooten and Ruben Groenewoud. (2024, December 11). Declawing PUMAKIT. Retrieved March 24, 2025.",
"url": "https://www.elastic.co/security-labs/declawing-pumakit"
},
{
"source_name": "TLDP Shared Libraries",
"description": "The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.",
"url": "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html"
},
{
"source_name": "Timac DYLD_INSERT_LIBRARIES",
"description": "Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.",
"url": "https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/"
},
{
"source_name": "ESET Ebury Oct 2017",
"description": "Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.",
"url": "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_remote_support": false,
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2026-04-15 22:57:21.530000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration",
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0435: Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 11:12:18.558000+00:00",
"modified": "2026-05-12 15:12:00.641000+00:00",
"name": "Executable Installer File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/005",
"external_id": "T1574.005"
},
{
"source_name": "mozilla_sec_adv_2012",
"description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
},
{
"source_name": "Executable Installers are Vulnerable",
"description": "Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.",
"url": "https://seclists.org/fulldisclosure/2015/Dec/34"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak",
"Travis Smith, Tripwire"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-04-15 23:02:03.423000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit",
"M1052: User Account Control"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0038: Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-02-25 15:27:44.927000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "KernelCallbackTable",
"description": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.(Citation: Windows Process Injection KernelCallbackTable)\n\nAn adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process.\n\nA pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)\n\nThe tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/013",
"external_id": "T1574.013"
},
{
"source_name": "FinFisher exposed ",
"description": "Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.",
"url": "https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
},
{
"source_name": "NtQueryInformationProcess",
"description": "Microsoft. (2021, November 23). NtQueryInformationProcess function (winternl.h). Retrieved February 4, 2022.",
"url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess"
},
{
"source_name": "Windows Process Injection KernelCallbackTable",
"description": "odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable used by FinFisher / FinSpy. Retrieved February 4, 2022.",
"url": "https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/"
},
{
"source_name": "Lazarus APT January 2022",
"description": "Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.",
"url": "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 23:01:58.951000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0577: Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 14:10:43.424000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Path Interception by PATH Environment Variable",
"description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \n\nAdversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\n\nFor example, on Windows if an adversary places a malicious program named \"net.exe\" in `C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe` in the PATH environment variable, when \"net\" is executed from the command-line the `C:\\example path` will be called instead of the system's legitimate executable at `C:\\Windows\\system32\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/007",
"external_id": "T1574.007"
},
{
"source_name": "Elastic Rules macOS launchctl 2022",
"description": "Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.",
"url": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html"
},
{
"source_name": "ExpressVPN PATH env Windows 2021",
"description": "ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.",
"url": "https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/"
},
{
"source_name": "uptycs Fake POC linux malware 2023",
"description": "Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.",
"url": "https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware"
},
{
"source_name": "nixCraft macOS PATH variables",
"description": "Vivek Gite. (2023, August 22). MacOS \u2013 Set / Change $PATH Variable Command. Retrieved September 28, 2023.",
"url": "https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 23:01:52.753000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1038: Execution Prevention",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0004: Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 17:48:58.999000+00:00",
"modified": "2026-05-12 15:12:00.635000+00:00",
"name": "Path Interception by Search Order Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL](https://attack.mitre.org/techniques/T1574/001).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/008",
"external_id": "T1574.008"
},
{
"source_name": "Microsoft Environment Property",
"description": "Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.",
"url": "https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN"
},
{
"source_name": "Microsoft CreateProcess",
"description": "Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa"
},
{
"source_name": "Microsoft WinExec",
"description": "Microsoft. (n.d.). WinExec function. Retrieved September 12, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec"
},
{
"source_name": "Windows NT Command Shell",
"description": "Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014.",
"url": "https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-15 23:01:48.263000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1038: Execution Prevention",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0564: Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 13:51:58.519000+00:00",
"modified": "2026-05-12 15:12:00.713000+00:00",
"name": "Path Interception by Unquoted Path",
"description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/009",
"external_id": "T1574.009"
},
{
"source_name": "Windows Privilege Escalation Guide",
"description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
"url": "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
},
{
"source_name": "Windows Unquoted Services",
"description": "HackHappy. (2018, April 23). Windows Privilege Escalation \u2013 Unquoted Services. Retrieved August 10, 2018.",
"url": "https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/"
},
{
"source_name": "Help eliminate unquoted path",
"description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.",
"url": "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464"
},
{
"source_name": "Microsoft CurrentControlSet Services",
"description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.",
"url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2026-04-15 23:01:45.477000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1038: Execution Prevention",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0064: Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-12 20:43:53.998000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Services File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/010",
"external_id": "T1574.010"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Stefan Kanthak",
"Travis Smith, Tripwire"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 23:02:37.539000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit",
"M1052: User Account Control"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0436: Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 11:42:14.444000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "Services Registry Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service\u2019s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service\u2019s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which can reference malicious drivers file paths. This technique has been identified to be a method of abuse by configuring DLL file paths within the Parameters key of a given services registry configuration. By placing and configuring the Parameters key to reference a malicious DLL, adversaries can ensure that their code is loaded persistently whenever the associated service or library is invoked.\n\nFor example, the registry path(Citation: MDSec) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters(Citation: hexacorn)(Citation: gendigital) contains the AutodiaDLL value, which specifies the DLL to be loaded for autodial funcitionality. An adversary could set the AutodiaDLL to point to a hijacked or malicious DLL:\n\n\"AutodialDLL\"=\"c:\\temp\\foo.dll\"\n\nThis ensures persistence, as it causes the DLL (in this case, foo.dll) to be loaded each time the Winsock 2 library is invoked.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/011",
"external_id": "T1574.011"
},
{
"source_name": "Tweet Registry Perms Weakness",
"description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved September 12, 2024.",
"url": "https://x.com/r0wdy_/status/936365549553991680"
},
{
"source_name": "insecure_reg_perms",
"description": "Cl\u00e9ment Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.",
"url": "https://itm4n.github.io/windows-registry-rpceptmapper-eop/"
},
{
"source_name": "hexacorn",
"description": "hexacorn. (2015, January 13). Beyond good ol\u2019 Run key, Part 24. Retrieved September 25, 2025.",
"url": "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/"
},
{
"source_name": "Kansa Service related collectors",
"description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.",
"url": "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html"
},
{
"source_name": "malware_hides_service",
"description": "Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.",
"url": "https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/"
},
{
"source_name": "MDSec",
"description": "MDSec. (n.d.). Autodial(DLL)ing Your Way. Retrieved September 25, 2025.",
"url": "https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/"
},
{
"source_name": "Registry Key Security",
"description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
"url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN"
},
{
"source_name": "microsoft_services_registry_tree",
"description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved August 25, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
},
{
"source_name": "gendigital",
"description": "Threat Research Team. (2022, March 22). Operation Dragon Castling: APT group targeting betting companies. Retrieved September 25, 2025.",
"url": "https://www.gendigital.com/blog/insights/research/operation-dragon-castling-apt-group-targeting-betting-companies"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Joe Gumke, U.S. Bank",
"Matthew Demaske, Adaptforward",
"Travis Smith, Tripwire"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2026-04-15 23:02:58.258000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1024: Restrict Registry Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0427: Detection Strategy for Hijack Execution Flow through Service Registry Premission Weakness."
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:55.892000+00:00",
"modified": "2026-05-12 15:12:00.643000+00:00",
"name": "Indicator Removal",
"description": "Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.\n\nArtifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.\n\nThese actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070",
"external_id": "T1070"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Brad Geesaman, @bradgeesaman",
"Ed Williams, Trustwave, SpiderLabs",
"Blake Strom, Microsoft 365 Defender"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2026-04-15 15:10:02.929000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1029: Remote Data Storage",
"M1041: Encrypt Sensitive Information"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0184: Behavioral Detection of Indicator Removal Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-31 12:32:08.228000+00:00",
"modified": "2026-05-12 15:12:00.627000+00:00",
"name": "Clear Command History",
"description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history. \n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (clear logging and/or clear history).(Citation: US-CERT-TA18-106A) On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/003",
"external_id": "T1070.003"
},
{
"source_name": "Broadcom ESXi Shell Audit",
"description": "Broadcom. (2025, February 20). Auditing ESXi Shell logins and commands. Retrieved March 26, 2025.",
"url": "https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html"
},
{
"source_name": "Sophos PowerShell command audit",
"description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.",
"url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit"
},
{
"source_name": "Microsoft PowerShell Command History",
"description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.",
"url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7"
},
{
"source_name": "US-CERT-TA18-106A",
"description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
},
{
"source_name": "Sophos PowerShell Command History Forensics",
"description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024.",
"url": "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Vikas Singh, Sophos",
"Emile Kenning, Sophos",
"Austin Clark, @c2defense"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2026-04-15 20:27:09.604000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1029: Remote Data Storage",
"M1039: Environment Variable Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0165: Behavioral Detection of Command History Clearing"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--438c967d-3996-4870-bfc2-3954752a1927",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-07-08 21:04:03.739000+00:00",
"modified": "2026-05-12 15:12:00.629000+00:00",
"name": "Clear Mailbox Data",
"description": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. \n\nAdversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)\n\nAdversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/008",
"external_id": "T1070.008"
},
{
"source_name": "Volexity SolarWinds",
"description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.",
"url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
},
{
"source_name": "Cybereason Cobalt Kitty 2017",
"description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
"url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf"
},
{
"source_name": "mailx man page",
"description": "Michael Kerrisk. (2021, August 27). mailx(1p) \u2014 Linux manual page. Retrieved June 10, 2022.",
"url": "https://man7.org/linux/man-pages/man1/mailx.1p.html"
},
{
"source_name": "ExchangePowerShell Module",
"description": "Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes"
},
{
"source_name": "Microsoft OAuth Spam 2022",
"description": "Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.",
"url": "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Liran Ravich, CardinalOps"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Office Suite",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-15 20:27:22.074000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1029: Remote Data Storage",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0266: Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-06-15 18:00:04.219000+00:00",
"modified": "2026-05-12 15:12:00.627000+00:00",
"name": "Clear Network Connection History and Configurations",
"description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\n\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\n\nWindows may also store information about recent RDP connections in files such as C:\\Users\\\\%username%\\Documents\\Default.rdp and `C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Terminal\nServer Client\\Cache\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1686) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/007",
"external_id": "T1070.007"
},
{
"source_name": "FreeDesktop Journal",
"description": "freedesktop.org. (n.d.). systemd-journald.service. Retrieved June 15, 2022.",
"url": "https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html"
},
{
"source_name": "Microsoft RDP Removal",
"description": "Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022.",
"url": "https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer"
},
{
"source_name": "Moran RDPieces",
"description": "Moran, B. (2020, November 18). Putting Together the RDPieces. Retrieved October 17, 2022.",
"url": "https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf"
},
{
"source_name": "Apple Culprit Access",
"description": "rjben. (2012, May 30). How do you find the culprit when unauthorized access to a computer is a problem?. Retrieved August 3, 2022.",
"url": "https://discussions.apple.com/thread/3991574"
},
{
"source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing",
"description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.",
"url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"CrowdStrike Falcon OverWatch"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows",
"Network Devices"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2026-04-16 19:27:07.242000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1024: Restrict Registry Permissions",
"M1029: Remote Data Storage"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0049: Behavioral Detection of Network History and Configuration Tampering"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-07-29 19:32:11.552000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Clear Persistence",
"description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)\n\nIn some instances, artifacts of persistence may also be removed once an adversary\u2019s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/009",
"external_id": "T1070.009"
},
{
"source_name": "Cylance Dust Storm",
"description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.",
"url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
},
{
"source_name": "Talos - Cisco Attack 2022",
"description": "Nick Biasini. (2022, August 10). Cisco Talos shares insights related to recent cyber attack on Cisco. Retrieved March 9, 2023.",
"url": "https://blog.talosintelligence.com/recent-cyber-attack/"
},
{
"source_name": "NCC Group Team9 June 2020",
"description": "Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.",
"url": "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gavin Knapp"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-15 20:28:24.292000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1029: Remote Data Storage"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0040: Detection of Persistence Artifact Removal Across Host Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-31 12:35:36.479000+00:00",
"modified": "2026-05-12 15:12:00.718000+00:00",
"name": "File Deletion",
"description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows, rm or unlink on Linux and macOS, and `rm` on ESXi.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/004",
"external_id": "T1070.004"
},
{
"source_name": "Microsoft SDelete July 2016",
"description": "Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.",
"url": "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Walker Johnson"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.718000+00:00\", \"old_value\": \"2026-04-15 20:28:46.342000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0140: Behavioral Detection of Malicious File Deletion"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-31 12:39:18.816000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Network Share Connection Removal",
"description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\\\system\\share /delete command. (Citation: Technet Net Use)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/005",
"external_id": "T1070.005"
},
{
"source_name": "Technet Net Use",
"description": "Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.",
"url": "https://technet.microsoft.com/bb490717.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 20:29:50.512000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0103: Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-05-31 11:07:57.406000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Relocate Malware",
"description": "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.\n\nRelocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)\n\nRelocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders. Moving payloads into target directories does not alter the Creation timestamp, thereby evading detection logic reliant on modifications to this artifact (i.e., [Timestomp](https://attack.mitre.org/techniques/T1070/006)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1070/010",
"external_id": "T1070.010"
},
{
"source_name": "Latrodectus APR 2024",
"description": "Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.",
"url": "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice"
},
{
"source_name": "DFIR Report Trickbot June 2023",
"description": "The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out. Retrieved May 31, 2024.",
"url": "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gregory Frey",
"Matt Anderson, @\u200cnosecurething, Huntress"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-15 20:29:55.911000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0439: Detection of Malware Relocation via Suspicious File Movement"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-31 12:42:44.103000+00:00",
"modified": "2026-05-12 15:12:00.630000+00:00",
"name": "Timestomp",
"description": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.\n\nIn Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)\n\nModifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)\n\nAdversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in \u201cdouble timestomping\u201d by modifying times on both attributes simultaneously.(Citation: Double Timestomping)\n\nIn Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) A number of these tools, such as `wget`, `curl`, and `scp`, also exist on ESXi. After downloading a file, a threat actor may attempt to verify its integrity by checking its hash value (e.g., via `certutil -hashfile`).(Citation: Google Cloud Threat Intelligence COSCMICENERGY 2023)\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1105",
"external_id": "T1105"
},
{
"source_name": "T1105: Trellix_search-ms",
"description": " Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the \"search-ms\" URI Protocol Handler. Retrieved March 15, 2024.",
"url": "https://www.trellix.com/blogs/research/beyond-file-search-a-novel-method/"
},
{
"source_name": "Google Cloud Threat Intelligence COSCMICENERGY 2023",
"description": "COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises. (2023, May 25). Ken Proska, Daniel Kapellmann Zafra, Keith Lunden, Corey Hildebrandt, Rushikesh Nandedkar, Nathan Brubaker. Retrieved March 18, 2025.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/cosmicenergy-ot-malware-russian-response/"
},
{
"source_name": "Dropbox Malware Sync",
"description": "David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.",
"url": "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "t1105_lolbas",
"description": "LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022.",
"url": "https://lolbas-project.github.io/#t1105"
},
{
"source_name": "PTSecurity Cobalt Dec 2016",
"description": "Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.",
"url": "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Alain Homewood",
"Jeremy Hedges",
"Joe Wise",
"John Page (aka hyp3rlinx), ApparitionSec",
"Mark Wee",
"Peter Oakes",
"Selena Larson, @selenalarson",
"Shailesh Tiwary (Indian Army)",
"The DFIR Report",
"Don Le, Stifel Financial"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.6",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:32.714000+00:00\"}}}",
"previous_version": "2.6",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0060: Detect Ingress Tool Transfers via Behavioral Chain"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-04-02 13:54:43.136000+00:00",
"modified": "2026-05-12 15:12:00.724000+00:00",
"name": "Inhibit System Recovery",
"description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all (Citation: Diskshadow) (Citation: Crytox Ransomware)\n\nOn network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nOn ESXi servers, adversaries may delete or encrypt snapshots of virtual machines to support [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486), preventing them from being leveraged as backups (e.g., via ` vim-cmd vmsvc/snapshot.removeall`).(Citation: Cybereason)\n\nAdversaries may also delete \u201conline\u201d backups that are connected to their network \u2013 whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1490",
"external_id": "T1490"
},
{
"source_name": "Dark Reading Code Spaces Cyber Attack",
"description": " Brian Prince. (2014, June 20). Code Hosting Service Shuts Down After Cyber Attack. Retrieved March 21, 2023.",
"url": "https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack"
},
{
"source_name": "FireEye WannaCry 2017",
"description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.",
"url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"
},
{
"source_name": "Cybereason",
"description": "Cybereason Nocturnus. (n.d.). Cybereason vs. BlackCat Ransomware. Retrieved March 26, 2025.",
"url": "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware"
},
{
"source_name": "Talos Olympic Destroyer 2018",
"description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.",
"url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
},
{
"source_name": "Diskshadow",
"description": "Microsoft Windows Server. (2023, February 3). Diskshadow. Retrieved November 21, 2023.",
"url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow"
},
{
"source_name": "Crytox Ransomware",
"description": "Romain Dumont . (2022, September 21). Technical Analysis of Crytox Ransomware. Retrieved November 22, 2023.",
"url": "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware"
},
{
"source_name": "Rhino Security Labs AWS S3 Ransomware",
"description": "Spencer Gietzen. (n.d.). AWS Simple Storage Service S3 Ransomware Part 2: Prevention and Defense. Retrieved March 21, 2023.",
"url": "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/"
},
{
"source_name": "ZDNet Ransomware Backups 2020",
"description": "Steve Ranger. (2020, February 27). Ransomware victims thought their backups were safe. They were wrong. Retrieved March 21, 2023.",
"url": "https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/"
},
{
"source_name": "disable_notif_synology_ransom",
"description": "TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved September 12, 2024.",
"url": "https://x.com/TheDFIRReport/status/1498657590259109894"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Yonatan Gotlib, Deep Instinct",
"Austin Clark, @c2defense",
"Pallavi Sivakumaran, WithSecure",
"Joey Lei",
"Harjot Shah Singh"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_impact_type": [
"Availability"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"IaaS",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.6",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-24 17:49:37.297000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.6",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1028: Operating System Configuration",
"M1038: Execution Prevention",
"M1053: Data Backup"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0329: Behavioral Detection for T1490 - Inhibit System Recovery"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:58:45.908000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "GUI Input Capture",
"description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)\n\nAdversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., [Browser Information Discovery](https://attack.mitre.org/techniques/T1217) and/or [Application Window Discovery](https://attack.mitre.org/techniques/T1010)) to spoof prompts when users are naturally accessing sensitive sites/data.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1056/002",
"external_id": "T1056.002"
},
{
"source_name": "LogRhythm Do You Trust Oct 2014",
"description": "Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018.",
"url": "https://logrhythm.com/blog/do-you-trust-your-computer/"
},
{
"source_name": "Spoofing credential dialogs",
"description": "Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021.",
"url": "https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/"
},
{
"source_name": "OSX Keydnap malware",
"description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
"url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
},
{
"source_name": "Enigma Phishing for Credentials Jan 2015",
"description": "Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.",
"url": "https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/"
},
{
"source_name": "OSX Malware Exploits MacKeeper",
"description": "Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017.",
"url": "https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Matthew Molyett, @s1air, Cisco Talos"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:10.643000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1017: User Training"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0521: Behavioral Detection of Spoofed GUI Credential Prompts"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:58:11.791000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Keylogging",
"description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1056/001",
"external_id": "T1056.001"
},
{
"source_name": "Talos Kimsuky Nov 2021",
"description": "An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.",
"url": "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html"
},
{
"source_name": "Cisco Blog Legacy Device Attacks",
"description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
"url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
},
{
"source_name": "Adventures of a Keystroke",
"description": "Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.",
"url": "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"TruKno"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:21.756000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0089: Behavioral Detection of Keylogging Activity Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:59:50.058000+00:00",
"modified": "2026-05-12 15:12:00.640000+00:00",
"name": "Web Portal Capture",
"description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1056/003",
"external_id": "T1056.003"
},
{
"source_name": "Volexity Virtual Private Keylogging",
"description": "Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.",
"url": "https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:54.254000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0480: Detection of Credential Harvesting via Web Portal Modification"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-12 14:08:48.689000+00:00",
"modified": "2026-05-12 15:12:00.707000+00:00",
"name": "Inter-Process Communication",
"description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1559",
"external_id": "T1559"
},
{
"source_name": "Fireeye Hunting COM June 2019",
"description": "Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.",
"url": "https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html"
},
{
"source_name": "Linux IPC",
"description": "N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved March 11, 2022.",
"url": "https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:13.194000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1013: Application Developer Guidance",
"M1026: Privileged Account Management",
"M1040: Behavior Prevention on Endpoint",
"M1042: Disable or Remove Feature or Program",
"M1048: Application Isolation and Sandboxing",
"M1054: Software Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0493: Detect Abuse of Inter-Process Communication (T1559)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-12 14:09:53.107000+00:00",
"modified": "2026-05-12 15:12:00.624000+00:00",
"name": "Component Object Model",
"description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)\n\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1559/001",
"external_id": "T1559.001"
},
{
"source_name": "ProjectZero File Write EoP Apr 2018",
"description": "Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.",
"url": "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html"
},
{
"source_name": "Fireeye Hunting COM June 2019",
"description": "Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.",
"url": "https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html"
},
{
"source_name": "Microsoft COM",
"description": "Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.",
"url": "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx"
},
{
"source_name": "Enigma MMC20 COM Jan 2017",
"description": "Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.",
"url": "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"
},
{
"source_name": "Enigma Outlook DCOM Lateral Movement Nov 2017",
"description": "Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.",
"url": "https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:35.814000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1048: Application Isolation and Sandboxing"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0224: Detect Abuse of Component Object Model (T1559.001)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-09-04 19:26:12.441000+00:00",
"modified": "2026-05-12 15:12:00.706000+00:00",
"name": "Internal Spearphishing",
"description": "After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1684/001).(Citation: Trend Micro - Int SP)\n\nFor example, adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic login interfaces.\n\nAdversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.(Citation: Int SP - chat apps)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1534",
"external_id": "T1534"
},
{
"source_name": "Int SP - chat apps",
"description": "Microsoft Threat Intelligence. (2023, August 2). Midnight Blizzard conducts targeted social engineering over Microsoft Teams. Retrieved February 16, 2024.",
"url": "https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/"
},
{
"source_name": "Trend Micro - Int SP",
"description": "Trend Micro. (n.d.). Retrieved February 16, 2024.",
"url": "https://www.trendmicro.com/en_us/research.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Tim MalcomVetter",
"Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-17 14:23:56.376000+00:00\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0054: Internal Spearphishing via Trusted Accounts"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-11 21:01:00.959000+00:00",
"modified": "2026-05-12 15:12:00.713000+00:00",
"name": "Lateral Tool Transfer",
"description": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\n\nAdversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\n\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1570",
"external_id": "T1570"
},
{
"source_name": "Dropbox Malware Sync",
"description": "David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.",
"url": "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/"
},
{
"source_name": "Unit42 LockerGoga 2019",
"description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.",
"url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Shailesh Tiwary (Indian Army)"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-10-24 17:49:19.137000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.4",
"changelog_mitigations": {
"shared": [
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0183: Detection Strategy for Lateral Tool Transfer across OS platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-09-25 21:09:38.677000+00:00",
"modified": "2026-05-12 15:12:00.724000+00:00",
"name": "Local Storage Discovery",
"description": "Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0109), or as a precursor to [Direct Volume Access](https://attack.mitre.org/techniques/T1006). \n\nOn ESXi systems, adversaries may use [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) commands such as `esxcli` to list storage connected to the host as well as `.vmdk` files.(Citation: TrendMicro)(Citation: TrendMicro ESXI Ransomware)\n\nOn Windows systems, adversaries can use `wmic logicaldisk get` to find information about local network drives. They can also use `Get-PSDrive` in PowerShell to retrieve drives and may additionally use Windows API functions such as `GetDriveType`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Volexity)\n\nLinux has commands such as `parted`, `lsblk`, `fdisk`, `lshw`, and `df` that can list information about disk partitions such as size, type, file system types, and free space. The command `diskutil` on MacOS can be used to list disks while `system_profiler SPStorageDataType` can additionally show information such as a volume\u2019s mount path, file system, and the type of drive in the system. \n\nInfrastructure as a Service (IaaS) cloud providers also have commands for storage discovery such as `describe volume` in AWS, `gcloud compute disks list` in GCP, and `az disk list` in Azure.(Citation: AWS docs describe volumes)(Citation: GCP gcloud compute disks list)(Citation: azure az disk)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1680",
"external_id": "T1680"
},
{
"source_name": "Volexity",
"description": "Ankur Saini, Charlie Gardner. (2023, June 28). Charming Kitten Updates POWERSTAR with an InterPlanetary Twist. Retrieved September 25, 2025.",
"url": "https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/"
},
{
"source_name": "AWS docs describe volumes",
"description": "AWS. (n.d.). describe-volumes. Retrieved October 20, 2025.",
"url": "https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-volumes.html"
},
{
"source_name": "azure az disk",
"description": "Azure. (n.d.). az disk. Retrieved October 20, 2025.",
"url": "https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest"
},
{
"source_name": "GCP gcloud compute disks list",
"description": "Google Cloud. (n.d.). gcloud compute disks list. Retrieved October 20, 2025.",
"url": "https://cloud.google.com/sdk/gcloud/reference/compute/disks/list"
},
{
"source_name": "TrendMicro ESXI Ransomware",
"description": "Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware\u2019s First Linux and VMware ESXi Variant. Retrieved March 26, 2025.",
"url": "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html"
},
{
"source_name": "Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024",
"description": "Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.",
"url": "https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html"
},
{
"source_name": "TrendMicro",
"description": "Mina Naiim. (2021, May 28). DarkSide on Linux: Virtual Machines Targeted. Retrieved March 26, 2025.",
"url": "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Liran Ravich, CardinalOps"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"IaaS",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-22 02:09:54.940000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0188: Local Storage Discovery via Drive Enumeration and Filesystem Probing"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:38.511000+00:00",
"modified": "2026-05-12 15:12:00.629000+00:00",
"name": "Masquerading",
"description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036",
"external_id": "T1036"
},
{
"source_name": "LOLBAS Main Site",
"description": "LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.",
"url": "https://lolbas-project.github.io/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Bartosz Jerzman",
"David Lu, Tripwire",
"Elastic",
"Felipe Esp\u00f3sito, @Pr0teus",
"Menachem Goldstein",
"Nick Carr, Mandiant",
"Oleg Kolesnikov, Securonix"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-15 20:32:00.311000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1038: Execution Prevention",
"M1040: Behavior Prevention on Endpoint",
"M1045: Code Signing",
"M1047: Audit",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0127: Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--34a80bc4-80f2-46e6-94ff-f3265a4b657c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-09-27 19:49:40.815000+00:00",
"modified": "2026-05-12 15:12:00.625000+00:00",
"name": "Break Process Trees",
"description": "An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the \u201cparent-child\" relationship for detection, breaking this relationship could result in the adversary\u2019s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) \n\nOn Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree.\n\nAnother example is using the \u201cdaemon\u201d syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/009",
"external_id": "T1036.009"
},
{
"source_name": "3OHA double-fork 2022",
"description": "Juan Tapiador. (2022, April 11). UNIX daemonization and the double fork. Retrieved September 29, 2023.",
"url": "https://0xjet.github.io/3OHA/2022/04/11/post.html"
},
{
"source_name": "Microsoft XorDdos Linux Stealth 2022",
"description": "Microsoft Threat Intelligence. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023.",
"url": "https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/"
},
{
"source_name": "Sandfly BPFDoor 2022",
"description": "The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.",
"url": "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Tim (Wadhwa-)Brown"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2026-04-15 20:32:49.027000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0443: Detection Strategy for Masquerading via Breaking Process Trees"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--afac5dbc-4383-4fb6-9ba6-45b25d49e530",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-09-22 20:13:45.616000+00:00",
"modified": "2026-05-12 15:12:00.707000+00:00",
"name": "Browser Fingerprint",
"description": "Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP\u00a0User-Agent\u00a0request header\u00a0is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting\u00a0user agent.(Citation: Mozilla User Agent)\n\nAdversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/012",
"external_id": "T1036.012"
},
{
"source_name": "Mozilla User Agent",
"description": "MDN contributors. (2025, July 4). User-Agent header. Retrieved October 19, 2025.",
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent"
},
{
"source_name": "Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques",
"description": "Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October 19). Retrieved April 15, 2026.",
"url": "https://arxiv.org/pdf/2110.10129"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-04-15 20:37:12.322000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0898: Detection of Spoofed User-Agent"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-04 20:54:03.066000+00:00",
"modified": "2026-05-12 15:12:00.621000+00:00",
"name": "Double File Extension",
"description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system\u2019s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user\u2019s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/007",
"external_id": "T1036.007"
},
{
"source_name": "SOCPrime DoubleExtension",
"description": "Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021.",
"url": "https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/"
},
{
"source_name": "PCMag DoubleExtension",
"description": "PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.",
"url": "https://www.pcmag.com/encyclopedia/term/double-extension"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-15 20:33:07.592000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0366: Detection Strategy for Double File Extension Masquerading"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 19:49:46.752000+00:00",
"modified": "2026-05-12 15:12:00.709000+00:00",
"name": "Invalid Code Signature",
"description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/001",
"external_id": "T1036.001"
},
{
"source_name": "Threatexpress MetaTwin 2017",
"description": "Vest, J. (2017, October 9). Borrowing Microsoft MetaData and Signatures to Hide Binary Payloads. Retrieved September 10, 2019.",
"url": "https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 20:38:13.564000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1045: Code Signing"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0031: Invalid Code Signature Execution Detection via Metadata and Behavioral Context"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-08-05 21:39:16.274000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Masquerade Account Name",
"description": "Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \u201cadmin\u201d, \u201chelp\u201d, or \u201croot.\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1684/001), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/010",
"external_id": "T1036.010"
},
{
"source_name": "Elastic CUBA Ransomware 2022",
"description": "Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved August 5, 2024.",
"url": "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis"
},
{
"source_name": "Invictus IR Cloud Ransomware 2024",
"description": "Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved August 5, 2024.",
"url": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"
},
{
"source_name": "Huntress MOVEit 2023",
"description": "John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.",
"url": "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response"
},
{
"source_name": "Aquasec Kubernetes Attack 2023",
"description": "Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.",
"url": "https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Menachem Goldstein"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-17 14:21:43.719000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0383: Detection Strategy for Masquerading via Account Name Similarity"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-03-08 22:40:06.918000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "Masquerade File Type",
"description": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file\u2019s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file\u2019s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file\u2019s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`. \n\nAdversaries may edit the header\u2019s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. \n\nCommon non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.\n\nPolyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/008",
"external_id": "T1036.008"
},
{
"source_name": "polygot_icedID",
"description": "Lim, M. (2022, September 27). More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.",
"url": "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ben Smith",
"CrowdStrike Falcon OverWatch"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2026-04-15 20:39:13.971000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention",
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0226: Detection Strategy for Masquerading via File Type Modification"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 20:30:07.426000+00:00",
"modified": "2026-05-12 15:12:00.644000+00:00",
"name": "Masquerade Task or Service",
"description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/004",
"external_id": "T1036.004"
},
{
"source_name": "Fysbis Dr Web Analysis",
"description": "Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.",
"url": "https://vms.drweb.com/virus/?i=4276269"
},
{
"source_name": "Palo Alto Shamoon Nov 2016",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
"url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
},
{
"source_name": "Systemd Service Units",
"description": "Freedesktop.org. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 16, 2020.",
"url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
},
{
"source_name": "TechNet Schtasks",
"description": "Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.",
"url": "https://technet.microsoft.com/en-us/library/bb490996.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.644000+00:00\", \"old_value\": \"2026-04-15 20:39:39.311000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0117: Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 20:43:10.239000+00:00",
"modified": "2026-05-12 15:12:00.622000+00:00",
"name": "Match Legitimate Resource Name or Location",
"description": "Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. \n\nThis may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/005",
"external_id": "T1036.005"
},
{
"source_name": "Aquasec Kubernetes Backdoor 2023",
"description": "Michael Katchinskiy and Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved March 24, 2025.",
"url": "https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Vishwas Manral, McAfee",
"Yossi Weizman, Azure Defender Research Team"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2026-04-15 20:39:41.881000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1038: Execution Prevention",
"M1045: Code Signing"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0347: Detection Strategy for Masquerading via Legitimate Resource Name or Location"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--514dc7b3-0b80-4382-80a9-2e2d294f5019",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-27 20:37:52.269000+00:00",
"modified": "2026-05-12 15:12:00.632000+00:00",
"name": "Overwrite Process Arguments",
"description": "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process\u2019s stack and passes them to the `main()` function as the `argv` array. The first element, `argv[0]`, typically contains the process name or path - by default, the command used to actually start the process (e.g., `cat /etc/passwd`). By default, the Linux `/proc` filesystem uses this value to represent the process name. The `/proc/rundll32.exe).(Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.(Citation: F-Secure CozyDuke)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/003",
"external_id": "T1036.003"
},
{
"source_name": "Elastic Masquerade Ball",
"description": "Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.",
"url": "https://www.elastic.co/blog/how-hunt-masquerade-ball"
},
{
"source_name": "F-Secure CozyDuke",
"description": "F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.",
"url": "https://www.f-secure.com/documents/996508/1030745/CozyDuke"
},
{
"source_name": "LOLBAS Main Site",
"description": "LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.",
"url": "https://lolbas-project.github.io/"
},
{
"source_name": "Huntress Python Malware 2025",
"description": "Matthew Brennan. (2024, July 5). Snakes on a Domain: An Analysis of a Python Malware Loader. Retrieved April 3, 2025.",
"url": "https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader"
},
{
"source_name": "Splunk Detect Renamed PSExec",
"description": "Splunk. (2025, February 24). Detection: Detect Renamed PSExec. Retrieved April 3, 2025.",
"url": "https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/"
},
{
"source_name": "The DFIR Report AutoHotKey 2023",
"description": "The DFIR Report. (2023, February 6). Collect, Exfiltrate, Sleep, Repeat. Retrieved April 3, 2025.",
"url": "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Matt Anderson, @\u200cnosecurething, Huntress"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2026-04-15 20:40:54.471000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0005: Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 19:55:29.385000+00:00",
"modified": "2026-05-12 15:12:00.643000+00:00",
"name": "Right-to-Left Override",
"description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\n\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/002",
"external_id": "T1036.002"
},
{
"source_name": "Trend Micro PLEAD RTLO",
"description": "Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/"
},
{
"source_name": "Kaspersky RTLO Cyber Crime",
"description": "Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019.",
"url": "https://securelist.com/zero-day-vulnerability-in-telegram/83800/"
},
{
"source_name": "Infosecinstitute RTLO Technique",
"description": "Security Ninja. (2015, April 16). Spoof Using Right to Left Override (RTLO) Technique. Retrieved April 22, 2019.",
"url": "https://web.archive.org/web/20151102094333/https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2026-04-15 20:41:03.753000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0527: Right-to-Left Override Masquerading Detection via Filename and Execution Context"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-10 20:47:10.082000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "Space after Filename",
"description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/006",
"external_id": "T1036.006"
},
{
"source_name": "Mac Backdoors are back",
"description": "Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.",
"url": "https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Erye Hernandez, Palo Alto Networks"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 20:41:09.462000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0292: Masquerading via Space After Filename - Behavioral Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:01:56.887000+00:00",
"modified": "2026-05-12 15:12:00.724000+00:00",
"name": "Modify Authentication Process",
"description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556",
"external_id": "T1556"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Chris Ross @xorrior"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Network Devices",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2026-04-16 20:07:52.977000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1024: Restrict Registry Permissions",
"M1025: Privileged Process Integrity",
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1028: Operating System Configuration",
"M1032: Multi-factor Authentication",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0104: Detect Modification of Authentication Processes Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-01-02 13:43:37.389000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Conditional Access Policies",
"description": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required. \n\nBy modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/009",
"external_id": "T1556.009"
},
{
"source_name": "AWS IAM Conditions",
"description": "AWS. (n.d.). IAM JSON policy elements: Condition. Retrieved January 2, 2024.",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html"
},
{
"source_name": "GCP IAM Conditions",
"description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.",
"url": "https://cloud.google.com/iam/docs/conditions-overview"
},
{
"source_name": "JumpCloud Conditional Access Policies",
"description": "JumpCloud. (n.d.). Get Started: Conditional Access Policies. Retrieved January 2, 2024.",
"url": "https://jumpcloud.com/support/get-started-conditional-access-policies"
},
{
"source_name": "Microsoft Conditional Access",
"description": "Microsoft. (2023, November 15). What is Conditional Access?. Retrieved January 2, 2024.",
"url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"
},
{
"source_name": "Okta Conditional Access Policies",
"description": "Okta. (2023, November 30). Conditional Access Based on Device Security Posture. Retrieved January 2, 2024.",
"url": "https://support.okta.com/help/s/article/Conditional-access-based-on-device-security-posture?language=en_US"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gavin Knapp",
"Joshua Penny"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-16 20:07:53.111000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0030: Detect Conditional Access Policy Modification in Identity and Cloud Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:05:02.399000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Domain Controller Authentication",
"description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/001",
"external_id": "T1556.001"
},
{
"source_name": "Dell Skeleton",
"description": "Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.",
"url": "https://www.secureworks.com/research/skeleton-key-malware-analysis"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-16 20:07:53.091000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1025: Privileged Process Integrity",
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0271: Detect Domain Controller Authentication Process Modification (Skeleton Key)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-09-28 13:29:53.354000+00:00",
"modified": "2026-05-12 15:12:00.633000+00:00",
"name": "Hybrid Identity",
"description": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. \n\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud \n* Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory \n* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID \n\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users\u2019 identity and privileges. \n\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/007",
"external_id": "T1556.007"
},
{
"source_name": "Azure AD Connect for Read Teamers",
"description": "Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers. Retrieved September 28, 2022.",
"url": "https://blog.xpnsec.com/azuread-connect-for-redteam/"
},
{
"source_name": "AADInternals Azure AD On-Prem to Cloud",
"description": "Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.",
"url": "https://o365blog.com/post/on-prem_admin/"
},
{
"source_name": "MagicWeb",
"description": "Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM\u2019s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.",
"url": "https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/"
},
{
"source_name": "Azure AD Hybrid Identity",
"description": "Microsoft. (2022, August 26). Choose the right authentication method for your Azure Active Directory hybrid identity solution. Retrieved September 28, 2022.",
"url": "https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn"
},
{
"source_name": "Mandiant Azure AD Backdoors",
"description": "Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.",
"url": "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2026-04-16 20:07:52.922000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0293: Detect Hybrid Identity Authentication Process Modification"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b4409cd8-0da9-46e1-a401-a241afd4d1cc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-05-31 19:31:38.431000+00:00",
"modified": "2026-05-12 15:12:00.708000+00:00",
"name": "Multi-Factor Authentication",
"description": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions)\n\nFor example, modifying the Windows hosts file (`C:\\windows\\system32\\drivers\\etc\\hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a \"fail open\" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) \n\nDepending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/006",
"external_id": "T1556.006"
},
{
"source_name": "Russians Exploit Default MFA Protocol - CISA March 2022",
"description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability. Retrieved May 31, 2022.",
"url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
},
{
"source_name": "Mandiant APT42",
"description": "Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.",
"url": "https://www.mandiant.com/media/17826"
},
{
"source_name": "Azure AD Conditional Access Exclusions",
"description": "Microsoft. (2022, August 26). Use Azure AD access reviews to manage users excluded from Conditional Access policies. Retrieved August 30, 2022.",
"url": "https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arun Seelagan, CISA",
"Liran Ravich, CardinalOps",
"Muhammad Moiz Arshad, @5T34L7H"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Identity Provider",
"Linux",
"macOS",
"Office Suite",
"SaaS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2026-04-16 20:07:52.875000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1032: Multi-factor Authentication",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0190: Detect MFA Modification or Disabling Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-19 17:58:04.155000+00:00",
"modified": "2026-05-12 15:12:00.726000+00:00",
"name": "Network Device Authentication",
"description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: Mandiant - Synful Knock)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/004",
"external_id": "T1556.004"
},
{
"source_name": "Mandiant - Synful Knock",
"description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-16 20:07:53.117000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0272: Detect Modification of Network Device Authentication via Patched System Images"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--90c4a591-d02d-490b-92aa-619d9701ac04",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-03-30 22:45:00.431000+00:00",
"modified": "2026-05-12 15:12:00.705000+00:00",
"name": "Network Provider DLL",
"description": "Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify) \n\nAdversaries can configure a malicious network provider DLL to receive credentials from `mpnotify.exe`.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the `NPLogonNotify()` function.(Citation: NPLogonNotify)\n\nAdversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/008",
"external_id": "T1556.008"
},
{
"source_name": "NPPSPY - Huntress",
"description": " Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved March 30, 2023.",
"url": "https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy"
},
{
"source_name": "NPPSPY Video",
"description": "Grzegorz Tworek. (2021, December 14). How winlogon.exe shares the cleartext password with custom DLLs. Retrieved March 30, 2023.",
"url": "https://www.youtube.com/watch?v=ggY3srD9dYs"
},
{
"source_name": "NPPSPY",
"description": "Grzegorz Tworek. (2021, December 15). NPPSpy. Retrieved March 30, 2023.",
"url": "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy"
},
{
"source_name": "Network Provider API",
"description": "Microsoft. (2021, January 7). Network Provider API. Retrieved March 30, 2023.",
"url": "https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api"
},
{
"source_name": "NPLogonNotify",
"description": "Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). Retrieved March 30, 2023.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"CrowdStrike Falcon OverWatch",
"Jai Minton"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2026-04-16 20:07:53.025000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1024: Restrict Registry Permissions",
"M1028: Operating System Configuration",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0580: Detect Network Provider DLL Registration and Credential Capture"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:05:45.829000+00:00",
"modified": "2026-05-12 15:12:00.626000+00:00",
"name": "Password Filter DLL",
"description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \n\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \n\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/002",
"external_id": "T1556.002"
},
{
"source_name": "Carnal Ownage Password Filters Sept 2013",
"description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.",
"url": "http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Vincent Le Toux"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2026-04-16 20:07:53.031000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0472: Detect Malicious Password Filter DLL Registration"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-26 04:01:09.648000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Pluggable Authentication Modules",
"description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/003",
"external_id": "T1556.003"
},
{
"source_name": "Apple PAM",
"description": "Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020.",
"url": "https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt"
},
{
"source_name": "Man Pam_Unix",
"description": "die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020.",
"url": "https://linux.die.net/man/8/pam_unix"
},
{
"source_name": "PAM Creds",
"description": "Fern\u00e1ndez, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/"
},
{
"source_name": "Red Hat PAM",
"description": "Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020.",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules"
},
{
"source_name": "PAM Backdoor",
"description": "zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020.",
"url": "https://github.com/zephrax/linux-pam-backdoor"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"George Allen, VMware Carbon Black",
"Scott Knight, @sdotknight, VMware Carbon Black"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-16 20:07:53.037000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0454: Detect Malicious Modification of Pluggable Authentication Modules (PAM)"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-01-13 20:02:28.349000+00:00",
"modified": "2026-05-12 15:12:00.718000+00:00",
"name": "Reversible Encryption",
"description": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)\n\nIf the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:\n\n1. Encrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters\n2. 16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters\n3. Global LSA secret (G$MSRADIUSCHAPKEY)\n4. Static key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)\n\nWith this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.(Citation: how_pwd_rev_enc_1)(Citation: how_pwd_rev_enc_2)\n\nAn adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory [PowerShell](https://attack.mitre.org/techniques/T1059/001) module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to \"Windows Server 2008\" or higher.(Citation: dump_pwd_dcsync) In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/005",
"external_id": "T1556.005"
},
{
"source_name": "dump_pwd_dcsync",
"description": "Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.",
"url": "https://adsecurity.org/?p=2053"
},
{
"source_name": "store_pwd_rev_enc",
"description": "Microsoft. (2021, October 28). Store passwords using reversible encryption. Retrieved January 3, 2022.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption"
},
{
"source_name": "how_pwd_rev_enc_1",
"description": "Teusink, N. (2009, August 25). Passwords stored using reversible encryption: how it works (part 1). Retrieved November 17, 2021.",
"url": "http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html"
},
{
"source_name": "how_pwd_rev_enc_2",
"description": "Teusink, N. (2009, August 26). Passwords stored using reversible encryption: how it works (part 2). Retrieved November 17, 2021.",
"url": "http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.718000+00:00\", \"old_value\": \"2026-04-16 20:07:53.082000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1027: Password Policies"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0589: Detect Modification of Authentication Process via Reversible Encryption"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-08-30 18:03:05.864000+00:00",
"modified": "2026-05-12 15:12:00.621000+00:00",
"name": "Modify Cloud Compute Infrastructure",
"description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578",
"external_id": "T1578"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-16 20:07:52.919000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0308: Detection Strategy for Modify Cloud Compute Infrastructure"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-05-14 14:45:15.978000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Create Cloud Instance",
"description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/002",
"external_id": "T1578.002"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arun Seelagan, CISA"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-16 20:07:52.862000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0449: Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-09 15:33:13.563000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "Create Snapshot",
"description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/001",
"external_id": "T1578.001"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-16 20:07:52.934000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0423: Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-16 17:23:06.508000+00:00",
"modified": "2026-05-12 15:12:00.641000+00:00",
"name": "Delete Cloud Instance",
"description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/003",
"external_id": "T1578.003"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Arun Seelagan, CISA"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-04-16 20:07:52.915000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0084: Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ca00366b-83a1-4c7b-a0ce-8ff950a7c87f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-09-05 14:19:17.486000+00:00",
"modified": "2026-05-12 15:12:00.716000+00:00",
"name": "Modify Cloud Compute Configurations",
"description": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim\u2019s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.\n\nFor example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim\u2019s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/005",
"external_id": "T1578.005"
},
{
"source_name": "Microsoft Cryptojacking 2023",
"description": "Microsoft Threat Intelligence. (2023, July 25). Cryptojacking: Understanding and defending against cloud compute resource abuse. Retrieved September 5, 2023.",
"url": "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/"
},
{
"source_name": "Microsoft Azure Policy",
"description": "Microsoft. (2023, August 30). Azure Policy built-in policy definitions. Retrieved September 5, 2023.",
"url": "https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Amir Gharib, Microsoft Threat Intelligence",
"Blake Strom, Microsoft Threat Intelligence"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-16 20:07:53.098000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0492: Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-16 18:42:20.734000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Revert Cloud Instance",
"description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1578/004",
"external_id": "T1578.004"
},
{
"source_name": "Google - Restore Cloud Snapshot",
"description": "Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019.",
"url": "https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots"
},
{
"source_name": "Tech Republic - Restore AWS Snapshots",
"description": "Hardiman, N.. (2012, March 20). Backing up and restoring snapshots on Amazon EC2 machines. Retrieved October 8, 2019.",
"url": "https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Netskope"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-16 20:07:52.953000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0337: Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-09-25 14:16:19.234000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Modify Cloud Resource Hierarchy",
"description": "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \n\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1666",
"external_id": "T1666"
},
{
"source_name": "AWS re Inforce Trust Mod",
"description": "AWS re Inforce. (2024, June). Retrieved April 15, 2026.",
"url": "https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
},
{
"source_name": "AWS Organizations",
"description": "AWS. (n.d.). Terminology and concepts for AWS Organizations. Retrieved September 25, 2024.",
"url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html"
},
{
"source_name": "Microsoft Subscription Hijacking 2022",
"description": "Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.",
"url": "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121"
},
{
"source_name": "Microsoft Azure Resources",
"description": "Microsoft Azure. (2024, May 31). Organize your Azure resources effectively. Retrieved September 25, 2024.",
"url": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources"
},
{
"source_name": "Microsoft Peach Sandstorm 2023",
"description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.",
"url": "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-16 20:07:52.999000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1047: Audit",
"M1054: Software Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0155: Detection Strategy for Modify Cloud Resource Hierarchy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:23.587000+00:00",
"modified": "2026-05-12 15:12:00.634000+00:00",
"name": "Modify Registry",
"description": "Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.\n\nAccess to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.\n\nThe Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to impair defenses, such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.\n\nFinally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1112",
"external_id": "T1112"
},
{
"source_name": "CISA Russian Gov Critical Infra 2018",
"description": "CISA. (2018, March 16). Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved March 24, 2025.",
"url": "https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors"
},
{
"source_name": "CISA LockBit 2023",
"description": "CISA. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved March 24, 2025.",
"url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a"
},
{
"source_name": "Avaddon Ransomware 2021",
"description": "Javier Yuste and Sergio Pastrana. (2021). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved March 24, 2025.",
"url": "https://arxiv.org/pdf/2102.04796"
},
{
"source_name": "Microsoft BlackCat Jun 2022",
"description": "Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.",
"url": "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
},
{
"source_name": "Microsoft Reg",
"description": "Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.",
"url": "https://technet.microsoft.com/en-us/library/cc732643.aspx"
},
{
"source_name": "Microsoft Remote",
"description": "Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.",
"url": "https://technet.microsoft.com/en-us/library/cc754820.aspx"
},
{
"source_name": "SpectorOps Hiding Reg Jul 2017",
"description": "Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.",
"url": "https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353"
},
{
"source_name": "Microsoft Reghide NOV 2006",
"description": "Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.",
"url": "https://docs.microsoft.com/sysinternals/downloads/reghide"
},
{
"source_name": "TrendMicro POWELIKS AUG 2014",
"description": "Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/"
},
{
"source_name": "Unit42 BabyShark Feb 2019",
"description": "Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.",
"url": "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Bartosz Jerzman",
"David Lu, Tripwire",
"Gerardo Santos",
"Travis Smith, Tripwire"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-16 20:07:53.021000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1024: Restrict Registry Permissions"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0280: Behavior-Based Registry Modification Detection on Windows"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-19 19:42:19.740000+00:00",
"modified": "2026-05-12 15:12:00.707000+00:00",
"name": "Modify System Image",
"description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1601",
"external_id": "T1601"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-04-16 20:07:53.013000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1032: Multi-factor Authentication",
"M1043: Credential Access Protection",
"M1045: Code Signing",
"M1046: Boot Integrity"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0170: Detection Strategy for Modify System Image on Network Devices"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-19 19:53:10.576000+00:00",
"modified": "2026-05-12 15:12:00.726000+00:00",
"name": "Downgrade System Image",
"description": "Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1601/002",
"external_id": "T1601.002"
},
{
"source_name": "Cisco Synful Knock Evolution",
"description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
"url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-16 20:07:53.109000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1032: Multi-factor Authentication",
"M1043: Credential Access Protection",
"M1045: Code Signing",
"M1046: Boot Integrity"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0569: Detection Strategy for Downgrade System Image on Network Devices"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-19 19:49:24.129000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "Patch System Image",
"description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary\u2019s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1601/001",
"external_id": "T1601.001"
},
{
"source_name": "Killing IOS diversity myth",
"description": "Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August). Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode design. Retrieved October 20, 2020.",
"url": "https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf"
},
{
"source_name": "Cisco IOS Forensics Developments",
"description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020.",
"url": "https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf"
},
{
"source_name": "Cisco IOS Shellcode",
"description": "George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved October 21, 2020.",
"url": "http://2015.zeronights.org/assets/files/05-Nosenko.pdf"
},
{
"source_name": "Juniper Netscreen of the Dead",
"description": "Graeme Neilson . (2009, August). Juniper Netscreen of the Dead. Retrieved October 20, 2020.",
"url": "https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf"
},
{
"source_name": "Killing the myth of Cisco IOS rootkits",
"description": "Sebastian 'topo' Mu\u00f1iz. (2008, May). Killing the myth of Cisco IOS rootkits. Retrieved October 20, 2020.",
"url": "https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-16 20:07:53.106000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1032: Multi-factor Authentication",
"M1043: Credential Access Protection",
"M1045: Code Signing",
"M1046: Boot Integrity"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0469: Detection Strategy for Patch System Image on Network Devices"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:23.195000+00:00",
"modified": "2026-05-12 15:12:00.722000+00:00",
"name": "Multi-Factor Authentication Interception",
"description": "Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users\u2019 phones.(Citation: Okta Scatter Swine 2022)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1111",
"external_id": "T1111"
},
{
"source_name": "GCN RSA June 2011",
"description": "Jackson, William. (2011, June 7). RSA confirms its tokens used in Lockheed hack. Retrieved November 17, 2024.",
"url": "https://www.route-fifty.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/"
},
{
"source_name": "Mandiant M Trends 2011",
"description": "Mandiant. (2011, January 27). Mandiant M-Trends 2011. Retrieved January 10, 2016.",
"url": "https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf"
},
{
"source_name": "Okta Scatter Swine 2022",
"description": "Okta. (2022, August 25). Detecting Scatter Swine: Insights into a Relentless Phishing Campaign. Retrieved February 24, 2023.",
"url": "https://sec.okta.com/scatterswine"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"John Lambert, Microsoft Threat Intelligence Center"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:29.231000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.1",
"changelog_mitigations": {
"shared": [
"M1017: User Training"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0246: Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:17.472000+00:00",
"modified": "2026-05-12 15:12:00.627000+00:00",
"name": "Native API",
"description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.\n\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1106",
"external_id": "T1106"
},
{
"source_name": "MACOS Cocoa",
"description": "Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.",
"url": "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1"
},
{
"source_name": "Apple Core Services",
"description": "Apple. (n.d.). Core Services. Retrieved June 25, 2020.",
"url": "https://developer.apple.com/documentation/coreservices"
},
{
"source_name": "macOS Foundation",
"description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020.",
"url": "https://developer.apple.com/documentation/foundation"
},
{
"source_name": "OutFlank System Calls",
"description": "de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.",
"url": "https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/"
},
{
"source_name": "Redops Syscalls",
"description": "Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.",
"url": "https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls"
},
{
"source_name": "GNU Fork",
"description": "Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020.",
"url": "https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html"
},
{
"source_name": "CyberBit System Calls",
"description": "Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021.",
"url": "https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/"
},
{
"source_name": "GLIBC",
"description": "glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.",
"url": "https://www.gnu.org/software/libc/"
},
{
"source_name": "LIBC",
"description": "Kerrisk, M. (2016, December 12). libc(7) \u2014 Linux manual page. Retrieved June 25, 2020.",
"url": "https://man7.org/linux/man-pages//man7/libc.7.html"
},
{
"source_name": "Linux Kernel API",
"description": "Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.",
"url": "https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html"
},
{
"source_name": "MDSec System Calls",
"description": "MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.",
"url": "https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/"
},
{
"source_name": "Microsoft CreateProcess",
"description": "Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.",
"url": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa"
},
{
"source_name": "Microsoft Win32",
"description": "Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.",
"url": "https://docs.microsoft.com/en-us/windows/win32/api/"
},
{
"source_name": "Microsoft NET",
"description": "Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.",
"url": "https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework"
},
{
"source_name": "NT API Windows",
"description": "The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020.",
"url": "https://undocumented.ntinternals.net/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Gordon Long, LegioX/Zoom, asaurusrex",
"Stefan Kanthak",
"Tristan Madani (Cybereason)"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2026-04-16 19:16:22.540000+00:00\"}}}",
"previous_version": "2.3",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention",
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0529: Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-19 16:08:29.817000+00:00",
"modified": "2026-05-12 15:12:00.709000+00:00",
"name": "Network Boundary Bridging",
"description": "Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1599",
"external_id": "T1599"
},
{
"source_name": "Kaspersky ThreatNeedle Feb 2021",
"description": "Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.",
"url": "https://securelist.com/lazarus-threatneedle/100803/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-16 20:07:53.048000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1032: Multi-factor Authentication",
"M1037: Filter Network Traffic",
"M1043: Credential Access Protection"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0006: Detection Strategy for Network Boundary Bridging"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-19 16:48:08.241000+00:00",
"modified": "2026-05-12 15:12:00.632000+00:00",
"name": "Network Address Translation Traversal",
"description": "Adversaries may bridge network boundaries by modifying a network device\u2019s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they may modify NAT configurations to send traffic between two separated networks, or to obscure their activities. In network designs that require NAT to function, such modifications enable the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In network designs that do not require NAT, adversaries may use address translation to further obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-impairment"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1599/001",
"external_id": "T1599.001"
},
{
"source_name": "RFC1918",
"description": "IETF Network Working Group. (1996, February). Address Allocation for Private Internets. Retrieved October 20, 2020.",
"url": "https://tools.ietf.org/html/rfc1918"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Network Devices"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.632000+00:00\", \"old_value\": \"2026-04-16 20:07:52.887000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1032: Multi-factor Authentication",
"M1037: Filter Network Traffic",
"M1043: Credential Access Protection"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0163: Detection Strategy for Network Address Translation Traversal"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:43.915000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "Network Service Discovery",
"description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host\u2019s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1046",
"external_id": "T1046"
},
{
"source_name": "apple doco bonjour description",
"description": "Apple Inc. (2013, April 23). Bonjour Overview. Retrieved October 11, 2021.",
"url": "https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/NetServices/Introduction.html"
},
{
"source_name": "CISA AR21-126A FIVEHANDS May 2021",
"description": "CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.",
"url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a"
},
{
"source_name": "macOS APT Activity Bradley",
"description": "Jaron Bradley. (2021, November 14). What does APT Activity Look Like on macOS?. Retrieved January 19, 2022.",
"url": "https://themittenmac.com/what-does-apt-activity-look-like-on-macos/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Praetorian",
"Aaron Sullivan aka ZerkerEOD"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Containers",
"IaaS",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "3.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:31.494000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "3.2",
"changelog_mitigations": {
"shared": [
"M1030: Network Segmentation",
"M1031: Network Intrusion Prevention",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0376: Behavioral Detection Strategy for Network Service Discovery Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:41.399000+00:00",
"modified": "2026-05-12 15:12:00.624000+00:00",
"name": "Network Sniffing",
"description": "Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Stealth](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1040",
"external_id": "T1040"
},
{
"source_name": "AWS Traffic Mirroring",
"description": "Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.",
"url": "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html"
},
{
"source_name": "capture_embedded_packet_on_software",
"description": "Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022.",
"url": "https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html"
},
{
"source_name": "GCP Packet Mirroring",
"description": "Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.",
"url": "https://cloud.google.com/vpc/docs/packet-mirroring"
},
{
"source_name": "SpecterOps AWS Traffic Mirroring",
"description": "Luke Paine. (2020, March 11). Through the Looking Glass \u2014 Part 1. Retrieved March 17, 2022.",
"url": "https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512"
},
{
"source_name": "Azure Virtual Network TAP",
"description": "Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.",
"url": "https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview"
},
{
"source_name": "Rhino Security Labs AWS VPC Traffic Mirroring",
"description": "Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.",
"url": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"
},
{
"source_name": "US-CERT-TA18-106A",
"description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Oleg Kolesnikov, Securonix",
"Tiago Faria, 3CORESec",
"Austin Clark, @c2defense",
"Itamar Mizrahi, Cymptom",
"Eliraz Levi, Hunters"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"IaaS",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "1.7",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:36.910000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.7",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1030: Network Segmentation",
"M1032: Multi-factor Authentication",
"M1041: Encrypt Sensitive Information"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0314: Detection Strategy for Network Sniffing Across Platforms"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:10.728000+00:00",
"modified": "2026-05-12 15:12:00.713000+00:00",
"name": "Non-Application Layer Protocol",
"description": "Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.\n\nIn ESXi environments, adversaries may leverage the Virtual Machine Communication Interface (VMCI) for communication between guest virtual machines and the ESXi host. This traffic is similar to client-server communications on traditional network sockets but is localized to the physical machine running the ESXi host, meaning it does not traverse external networks (routers, switches). This results in communications that are invisible to external monitoring and standard networking tools like tcpdump, netstat, nmap, and Wireshark. By adding a VMCI backdoor to a compromised ESXi host, adversaries may persistently regain access from any guest VM to the compromised ESXi host\u2019s backdoor, regardless of network segmentation or firewall rules in place.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1095",
"external_id": "T1095"
},
{
"source_name": "Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023",
"description": "Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "Cisco Synful Knock Evolution",
"description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
"url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
},
{
"source_name": "Microsoft ICMP",
"description": "Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.",
"url": "http://support.microsoft.com/KB/170292"
},
{
"source_name": "Cisco Blog Legacy Device Attacks",
"description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
"url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
},
{
"source_name": "Wikipedia OSI",
"description": "Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.",
"url": "http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ryan Becwar",
"Duane Michael"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-10-24 17:49:20.136000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "2.4",
"changelog_mitigations": {
"shared": [
"M1030: Network Segmentation",
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0457: Detection of Non-Application Layer Protocols for C2"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-14 18:18:32.443000+00:00",
"modified": "2026-05-12 15:12:00.707000+00:00",
"name": "Non-Standard Port",
"description": "Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\n\nAdversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1571",
"external_id": "T1571"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
},
{
"source_name": "Symantec Elfin Mar 2019",
"description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.",
"url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
},
{
"source_name": "change_rdp_port_conti",
"description": "The DFIR Report. (2022, March 1). \"Change RDP port\" #ContiLeaks. Retrieved September 12, 2024.",
"url": "https://x.com/TheDFIRReport/status/1498657772254240768"
},
{
"source_name": "Fortinet Agent Tesla April 2018",
"description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
"url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:14.187000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1030: Network Segmentation",
"M1031: Network Intrusion Prevention"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0227: Detection Strategy for Non-Standard Ports"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:41:44.783000+00:00",
"modified": "2026-05-12 15:12:00.637000+00:00",
"name": "LSASS Memory",
"description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run using:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\nBuilt-in Windows tools such as `comsvcs.dll` can also be used:\n\n* rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\nSimilar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1003/001",
"external_id": "T1003.001"
},
{
"source_name": "Medium Detecting Attempts to Steal Passwords from Memory",
"description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.",
"url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea"
},
{
"source_name": "Deep Instinct LSASS",
"description": "Gilboa, A. (2021, February 16). LSASS Memory Dumps are Stealthier than Ever Before - Part 2. Retrieved December 27, 2023.",
"url": "https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2"
},
{
"source_name": "Graeber 2014",
"description": "Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.",
"url": "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html"
},
{
"source_name": "Volexity Exchange Marauder March 2021",
"description": "Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.",
"url": "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
},
{
"source_name": "Powersploit",
"description": "PowerSploit. (n.d.). Retrieved December 4, 2014.",
"url": "https://github.com/mattifestation/PowerSploit"
},
{
"source_name": "Symantec Attacks Against Government Sector",
"description": "Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.",
"url": "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf"
},
{
"source_name": "TechNet Blogs Credential Protection",
"description": "Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.",
"url": "https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Edward Millington",
"Ed Williams, Trustwave, SpiderLabs",
"Olaf Hartong, Falcon Force",
"Michael Forret, Quorum Cyber"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.5",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.637000+00:00\", \"old_value\": \"2025-10-24 17:48:52.657000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.5",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1025: Privileged Process Integrity",
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1028: Operating System Configuration",
"M1040: Behavior Prevention on Endpoint",
"M1043: Credential Access Protection"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0363: Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:42:35.572000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "NTDS",
"description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)\n\nIn addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)\n\nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1003/003",
"external_id": "T1003.003"
},
{
"source_name": "Metcalf 2015",
"description": "Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.",
"url": "http://adsecurity.org/?p=1275"
},
{
"source_name": "Wikipedia Active Directory",
"description": "Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018.",
"url": "https://en.wikipedia.org/wiki/Active_Directory"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ed Williams, Trustwave, SpiderLabs"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:34.852000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.3",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1041: Encrypt Sensitive Information"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0586: Detection of NTDS.dit Credential Dumping from Domain Controllers"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:42:07.281000+00:00",
"modified": "2026-05-12 15:12:00.621000+00:00",
"name": "Security Account Manager",
"description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)\n\nNotes: \n\n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1003/002",
"external_id": "T1003.002"
},
{
"source_name": "GitHub Creddump7",
"description": "Flathers, R. (2018, February 19). creddump7. Retrieved April 11, 2018.",
"url": "https://github.com/Neohapsis/creddump7"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Ed Williams, Trustwave, SpiderLabs",
"Olaf Hartong, Falcon Force"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-24 17:48:26.545000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1026: Privileged Account Management",
"M1027: Password Policies",
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0085: Credential Dumping from SAM via Registry Dump and Local File Access"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:32.662000+00:00",
"modified": "2026-05-12 15:12:00.708000+00:00",
"name": "Obfuscated Files or Information",
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.(Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027",
"external_id": "T1027"
},
{
"source_name": "Volexity PowerDuke November 2016",
"description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.",
"url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
},
{
"source_name": "FireEye Obfuscation June 2017",
"description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.",
"url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html"
},
{
"source_name": "FireEye Revoke-Obfuscation July 2017",
"description": "Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved November 17, 2024.",
"url": "https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf"
},
{
"source_name": "Linux/Cdorked.A We Live Security Analysis",
"description": "Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.",
"url": "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/"
},
{
"source_name": "Carbon Black Obfuscation Sept 2016",
"description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.",
"url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/"
},
{
"source_name": "PaloAlto EncodedCommand March 2017",
"description": "White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Christiaan Beek, @ChristiaanBeek",
"Red Canary"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"ESXi",
"Linux",
"macOS",
"Network Devices",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2026-04-15 22:14:56.435000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1040: Behavior Prevention on Endpoint",
"M1047: Audit",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0378: Behavioral Detection of Obfuscated Files or Information"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-05 14:04:25.865000+00:00",
"modified": "2026-05-12 15:12:00.635000+00:00",
"name": "Binary Padding",
"description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/001",
"external_id": "T1027.001"
},
{
"source_name": "ESET OceanLotus",
"description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
"url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
},
{
"source_name": "Securelist Malware Tricks April 2017",
"description": "Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.",
"url": "https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/"
},
{
"source_name": "VirusTotal FAQ",
"description": "VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.",
"url": "https://www.virustotal.com/en/faq/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Martin Jirkal, ESET"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-15 22:15:33.904000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0553: Detection Strategy for Obfuscated Files or Information: Binary Padding"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-03-14 17:36:01.022000+00:00",
"modified": "2026-05-12 15:12:00.718000+00:00",
"name": "Command Obfuscation",
"description": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)\n\nFor example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`. `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`\u201cWor\u201d+\u201cd.Application\u201d`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)\n\nAdversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\\voi\\pcw\\..\\..\\Windows\\tei\\qs\\k\\..\\..\\..\\system32\\erool\\..\\wbem\\wg\\je\\..\\..\\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC)\n\nTools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/010",
"external_id": "T1027.010"
},
{
"source_name": "Twitter Richard WMIC",
"description": "Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12, 2024.",
"url": "https://x.com/rfackroyd/status/1639136000755765254"
},
{
"source_name": "Invoke-Obfuscation",
"description": "Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved March 17, 2023.",
"url": "https://github.com/danielbohannon/Invoke-Obfuscation"
},
{
"source_name": "Invoke-DOSfuscation",
"description": "Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023.",
"url": "https://github.com/danielbohannon/Invoke-DOSfuscation"
},
{
"source_name": "FireEye Obfuscation June 2017",
"description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.",
"url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html"
},
{
"source_name": "Malware Monday VBE",
"description": "Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023.",
"url": "https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16"
},
{
"source_name": "Akamai JS",
"description": "Katz, O. (2020, October 26). Catch Me if You Can\u2014JavaScript Obfuscation. Retrieved March 17, 2023.",
"url": "https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation"
},
{
"source_name": "Bashfuscator Command Obfuscators",
"description": "LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023.",
"url": "https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html"
},
{
"source_name": "Microsoft PowerShellB64",
"description": "Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. Retrieved March 17, 2023.",
"url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand"
},
{
"source_name": "RC PowerShell",
"description": "Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023.",
"url": "https://redcanary.com/threat-detection-report/techniques/powershell/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"George Thomas",
"Tim Peck",
"TruKno"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.718000+00:00\", \"old_value\": \"2026-04-15 22:16:39.249000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0505: Detection Strategy for Command Obfuscation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-16 15:30:57.711000+00:00",
"modified": "2026-05-12 15:12:00.716000+00:00",
"name": "Compile After Delivery",
"description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/004",
"external_id": "T1027.004"
},
{
"source_name": "ClearSky MuddyWater Nov 2018",
"description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
},
{
"source_name": "ATTACK IQ",
"description": "Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske. (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries. Retrieved July 15, 2024.",
"url": "https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/"
},
{
"source_name": "TrendMicro WindowsAppMac",
"description": "Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Liran Ravich, CardinalOps",
"Praetorian",
"Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 22:16:52.765000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0501: Detection Strategy for Compile After Delivery - Source Code to Executable Transformation"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--fbd91bfc-75c2-4f0c-8116-3b4e722906b3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-04 18:29:33.850000+00:00",
"modified": "2026-05-12 15:12:00.726000+00:00",
"name": "Compression",
"description": "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)\n\nIn order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.(Citation: Perception Point)\n\nFile archives may be sent as one [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., [Malicious File](https://attack.mitre.org/techniques/T1204/002)).(Citation: NTT Security Flagpro new December 2021) However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.(Citation: The Hacker News)\n\n[Compression](https://attack.mitre.org/techniques/T1027/015) may be used in combination with [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013) where compressed files are encrypted and password-protected.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/015",
"external_id": "T1027.015"
},
{
"source_name": "Perception Point",
"description": "Arthur Vaiselbuh, Peleg Cabra. (2024, November 7). Evasive ZIP Concatenation: Trojan Targets Windows Users. Retrieved March 3, 2025.",
"url": "https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/"
},
{
"source_name": "NTT Security Flagpro new December 2021",
"description": "Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.",
"url": "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech"
},
{
"source_name": "The Hacker News",
"description": "Ravie Lakshmanan. (2023, April 5). Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks. Retrieved March 3, 2025.",
"url": "https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html"
},
{
"source_name": "Trustwave Pillowmint June 2020",
"description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020.",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Fernando Bacchin"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-15 22:16:53.338000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0281: Detection Strategy for Compressed Payload Creation and Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-08-22 20:42:08.498000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "Dynamic API Resolution",
"description": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.\n\nAPI functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)\n\nTo avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.\n\nVarious methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/007",
"external_id": "T1027.007"
},
{
"source_name": "Huntress API Hash",
"description": "Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.",
"url": "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection"
},
{
"source_name": "BlackHat API Packers",
"description": "Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.",
"url": "https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf"
},
{
"source_name": "Drakonia HInvoke",
"description": "drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved August 22, 2022.",
"url": "https://dr4k0nia.github.io/posts/HInvoke-and-avoiding-PInvoke/"
},
{
"source_name": "IRED API Hashing",
"description": "spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved August 22, 2022.",
"url": "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:17:50.411000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0091: Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2022-09-30 18:50:14.351000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Embedded Payloads",
"description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) \n\nAdversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) \n\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) \n\nEmbedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/009",
"external_id": "T1027.009"
},
{
"source_name": "GitHub PSImage",
"description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
"url": "https://github.com/peewpw/Invoke-PSImage"
},
{
"source_name": "Malware Analysis Report ComRAT",
"description": "CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 \u2013 PowerShell Script: ComRAT. Retrieved September 30, 2022.",
"url": "https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a"
},
{
"source_name": "Trend Micro",
"description": "Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.",
"url": "https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html"
},
{
"source_name": "Securelist Dtrack2",
"description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.",
"url": "https://securelist.com/my-name-is-dtrack/93338/"
},
{
"source_name": "Microsoft Learn",
"description": "Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.",
"url": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1"
},
{
"source_name": "SentinelLabs reversing run-only applescripts 2021",
"description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.",
"url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
},
{
"source_name": "Sentinel Labs",
"description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.",
"url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Nick Cairns, @grotezinfosec"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 22:18:17.938000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0214: Detection Strategy for Embedded Payloads"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0d91b3c0-5e50-47c3-949a-2a796f04d144",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-03-29 12:38:17.135000+00:00",
"modified": "2026-05-12 15:12:00.620000+00:00",
"name": "Encrypted/Encoded File",
"description": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.\n\nThis type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.\n\nThe entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.\n\nFor example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) \n\nAdversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/013",
"external_id": "T1027.013"
},
{
"source_name": "File obfuscation",
"description": "Aspen Lindblom, Joseph Goodwin, and Chris Sheldon. (2021, July 19). Shlayer Malvertising Campaigns Still Using Flash Update Disguise. Retrieved March 29, 2024.",
"url": "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/"
},
{
"source_name": "SFX - Encrypted/Encoded File",
"description": "Jai Minton. (2023, March 31). How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads. Retrieved March 29, 2024.",
"url": "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Andrew Northern, @ex_raritas",
"David Galazin @themalwareman1",
"Jai Minton, @Cyberraiju"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 22:18:22.179000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0087: Encrypted or Encoded File Payload Detection Strategy"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-03-23 19:55:25.546000+00:00",
"modified": "2026-05-12 15:12:00.619000+00:00",
"name": "Fileless Storage",
"description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/011",
"external_id": "T1027.011"
},
{
"source_name": "Aquasec Muhstik Malware 2024",
"description": " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024.",
"url": "https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/"
},
{
"source_name": "Bitsight 7777 Botnet",
"description": "Batista, Jo\u00e3o. Gi7w0rm. (2024, August 27). Retrieved June 5, 2025.",
"url": "https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet"
},
{
"source_name": "CISCO Nexus 900 Config",
"description": "CISCO. (2021, September 14). Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide, Release 7.x. Retrieved June 5, 2025.",
"url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/fundamentals/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x_chapter_01000.html"
},
{
"source_name": "Elastic Binary Executed from Shared Memory Directory",
"description": "Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024.",
"url": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html"
},
{
"source_name": "SecureList Fileless",
"description": "Legezo, D. (2022, May 4). A new secret stash for \u201cfileless\u201d malware. Retrieved March 23, 2023.",
"url": "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/"
},
{
"source_name": "Microsoft Fileless",
"description": "Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.",
"url": "https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats"
},
{
"source_name": "Sysdig Fileless Malware 23022",
"description": "Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024.",
"url": "https://sysdig.com/blog/containers-read-only-fileless-malware/"
},
{
"source_name": "Akami Frog4Shell 2024",
"description": "Ori David. (2024, February 1). Frog4Shell \u2014 FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024.",
"url": "https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Christopher Peacock",
"Denise Tan",
"Mark Wee",
"Simona David",
"Vito Alfano, Group-IB",
"Xavier Rousseau"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"Windows"
],
"x_mitre_version": "3.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2026-04-15 22:18:39.119000+00:00\"}}}",
"previous_version": "3.0",
"changelog_mitigations": {
"shared": [
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0344: Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-20 12:20:42.219000+00:00",
"modified": "2026-05-12 15:12:00.717000+00:00",
"name": "HTML Smuggling",
"description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/006",
"external_id": "T1027.006"
},
{
"source_name": "Outlflank HTML Smuggling 2018",
"description": "Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.",
"url": "https://outflank.nl/blog/2018/08/14/html-smuggling-explained/"
},
{
"source_name": "MSTIC NOBELIUM May 2021",
"description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
},
{
"source_name": "HTML Smuggling Menlo Security 2020",
"description": "Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.",
"url": "https://www.menlosecurity.com/blog/new-attack-alert-duri"
},
{
"source_name": "nccgroup Smuggling HTA 2017",
"description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved September 12, 2024.",
"url": "https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Jonathan Boucher, @crash_wave, Bank of Canada",
"Krishnan Subramanian, @krish203",
"Stan Hegt, Outflank",
"Vinay Pidathala"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-15 22:19:27.839000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1048: Application Isolation and Sandboxing"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0313: Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-19 21:27:32.820000+00:00",
"modified": "2026-05-12 15:12:00.707000+00:00",
"name": "Indicator Removal from Tools",
"description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/005",
"external_id": "T1027.005"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-04-15 22:19:28.558000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0189: Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e9b75bb0-b5ec-42c8-b728-f4f424d9c39e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2026-04-22 19:18:41.169000+00:00",
"modified": "2026-05-12 15:12:00.723000+00:00",
"name": "Invisible Unicode",
"description": "Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, or text. By inserting characters that do not visibly render, adversaries may hide data, alter how content is interpreted, or make malicious code appear as benign text or whitespace. Adversaries may encode these malicious payloads, using binary, Base64, or custom schemes, to be reconstructed at runtime through scripting features such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) Proxy traps, `eval()`, or other dynamic execution methods. This technique enables adversaries to evade visual inspection and basic static analysis by hiding malicious encoded content in innocuous text.(Citation: PUAs Unicode - Eriksen)(Citation: Tycoon2FA - Unicode)(Citation: Unicode - Veracode) \n\nUnicode is a standardized character encoding model that assigns a unique numerical value, known as a code point, to every character across writing systems, enabling consistent text representation across platforms, applications, and languages. Code points are represented as `U+` followed by a hexadecimal value and may be encoded using formats such as `UTF-8` or `UTF-16`. Adversaries may abuse the valid code points in Unicode that are not visibly rendered but still take up bytes, such as zero-width spaces, variation selectors, or bidirectional formatting controls, to conceal malicious payloads.(Citation: Tycoon2FA - Unicode)(Citation: GlassWorm - Unicode)(Citation: Unicode and Hidden Prompts - Perets)\n\nAdversaries may additionally exploit Private Use Area (PUA) characters, a range of code points reserved for custom assignment. PUA characters that are not defined by a font or application are typically rendered blank.(Citation: PUAs Unicode - Eriksen)\n\nUnicode characters may also be leveraged in support of other techniques such as [Phishing](https://attack.mitre.org/techniques/T1660), [Right-to-Left Override](https://attack.mitre.org/techniques/T1036/002), or [User Execution](https://attack.mitre.org/techniques/T1204). For example, some adversaries may embed artificial intelligence (AI) prompt injections using invisible Unicode characters in emails or documents that appear benign when processed by AI systems.(Citation: LLMs and Unicode - Medium)(Citation: Invisible Prompt Injection - Trend Micro)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/018",
"external_id": "T1027.018"
},
{
"source_name": "GlassWorm - Unicode",
"description": " Idan Dardikman. (2025, October 18). GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace. Retrieved April 21, 2026.",
"url": "https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace#heading-5"
},
{
"source_name": "PUAs Unicode - Eriksen",
"description": "Charlie Eriksen. (2025, May 13). You're Invited: Delivering malware via Google Calendar invites and PUAs. Retrieved April 21, 2026.",
"url": "https://www.aikido.dev/blog/youre-invited-delivering-malware-via-google-calendar-invites-and-puas"
},
{
"source_name": "Invisible Prompt Injection - Trend Micro",
"description": "Ian Ch Lui. (2025, January 22). Invisible Prompt Injection: A Threat to AI Security. Retrieved April 21, 2026.",
"url": "https://www.trendmicro.com/en_us/research/25/a/invisible-prompt-injection-secure-ai.html"
},
{
"source_name": "LLMs and Unicode - Medium",
"description": "Idan Habler. (2025, September 12). Hiding in Plain Sight: Weaponizing Invisible Unicode to Attack LLMs. Retrieved April 21, 2026.",
"url": "https://idanhabler.medium.com/hiding-in-plain-sight-weaponizing-invisible-unicode-to-attack-llms-f9033865ec10"
},
{
"source_name": "Tycoon2FA - Unicode",
"description": "Rodel Mendrez. (2025, April 10). Tycoon2FA New Evasion Technique for 2025. Retrieved April 21, 2026.",
"url": "https://www.levelblue.com/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025"
},
{
"source_name": "Unicode and Hidden Prompts - Perets",
"description": "Shaked Perets. (2025, December 7). Invisible Code & Hidden Prompts \u2013 How Attackers Weaponize Unicode in Repos (and How SAST Can Help). Retrieved April 21, 2026.",
"url": "https://cycode.com/blog/invisible-code-hidden-prompts-unicode-attacks-sast/"
},
{
"source_name": "Unicode - Veracode",
"description": "Veracode Threat Research. (2025, June 9). Down the Rabbit Hole of Unicode Obfuscation. Retrieved April 21, 2026.",
"url": "https://www.veracode.com/blog/down-the-rabbit-hole-of-unicode-obfuscation/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Menachem Goldstein",
"Rich Rafferty (NR Labs)"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-23 18:41:48.689000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0920: Detection Strategy for Invisible Unicode"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--671cd17f-a765-48fd-adc4-dad1941b1ae3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-04 21:38:49.913000+00:00",
"modified": "2026-05-12 15:12:00.639000+00:00",
"name": "Junk Code Insertion",
"description": "Adversaries may use junk code / dead code to obfuscate a malware\u2019s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)\n\nNo-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly used as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.(Citation: ReasonLabs)\n\nThe use of junk / dead code insertion is distinct from [Binary Padding](https://attack.mitre.org/techniques/T1027/001) because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware\u2019s signature. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/016",
"external_id": "T1027.016"
},
{
"source_name": "ReasonLabs",
"description": "ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025.",
"url": "https://cyberpedia.reasonlabs.com/EN/dead%20code%20insertion.html"
},
{
"source_name": "ReasonLabs Cyberpedia Junk Code",
"description": "What is Junk Code?. (n.d.). ReasonLabs. Retrieved April 4, 2025.",
"url": "https://cyberpedia.reasonlabs.com/EN/junk%20code.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Joas Antonio dos Santos, @C0d3Cr4zy"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.639000+00:00\", \"old_value\": \"2026-04-15 22:19:48.489000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0322: Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--887274fc-2d63-4bdc-82f3-fae56d1d5fdc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2023-09-29 15:28:42.409000+00:00",
"modified": "2026-05-12 15:12:00.690000+00:00",
"name": "LNK Icon Smuggling",
"description": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. \n\nAdversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)\n\nLNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads. \n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/012",
"external_id": "T1027.012"
},
{
"source_name": "Unprotect Shortcut",
"description": "Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023.",
"url": "https://unprotect.it/technique/shortcut-hiding/"
},
{
"source_name": "Booby Trap Shortcut 2017",
"description": "Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023.",
"url": "https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Michael Raggi @aRtAGGI",
"Andrew Northern, @ex_raritas",
"Gregory Lesnewich, @greglesnewich"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.690000+00:00\", \"old_value\": \"2026-04-15 22:20:54.005000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0405: Detection Strategy for LNK Icon Smuggling"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2024-09-27 12:28:03.938000+00:00",
"modified": "2026-05-12 15:12:00.709000+00:00",
"name": "Polymorphic Code",
"description": "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "stealth"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/014",
"external_id": "T1027.014"
},
{
"source_name": "polymorphic-blackberry",
"description": "Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September 27, 2024.",
"url": "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware"
},
{
"source_name": "polymorphic-sentinelone",
"description": "SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples and Challenges. Retrieved September 27, 2024.",
"url": "https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware"
},
{
"source_name": "polymorphic-medium",
"description": "Shellseekercyber. (2024, January 7). Explainer: Packed Malware. Retrieved September 27, 2024.",
"url": "https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035"
},
{
"source_name": "polymorphic-linkedin",
"description": "Sherwin Akshay. (2024, May 28). Techniques for concealing malware and hindering analysis: Packing up and unpacking stuff. Retrieved September 27, 2024.",
"url": "https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"TruKno",
"Ye Yint Min Thu Htut, Active Defense Team, DBS Bank"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 22:20:58.199000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_datacomponent_detections": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detectionstrategy_detections": {
"shared": [
"DET0324: Detection Strategy for Polymorphic Code Mutation and Execution"
],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--78b9e70d-1605-459c-b23d-e3a25036968c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2025-03-25 15:31:09.697000+00:00",
"modified": "2026-05-12 15:12:00.643000+00:00",
"name": "SVG Smuggling",
"description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `