TECHNIQUES

PRE-ATT&CK

Priority Definition Planning

Assess current holdings, needs, and wants

Assess KITs/KIQs benefits

Assess leadership areas of interest

Assign KITs/KIQs into categories

Conduct cost/benefit analysis

Create implementation plan

Create strategic plan

Derive intelligence requirements

Develop KITs/KIQs

Generate analyst intelligence requirements

Identify analyst level gaps

Identify gap areas

Receive operator KITs/KIQs tasking

Priority Definition Direction

Assign KITs, KIQs, and/or intelligence requirements

Receive KITs/KIQs and determine requirements

Submit KITs, KIQs, and intelligence requirements

Task requirements

Target Selection

Determine approach/attack vector

Determine highest level tactical element

Determine operational element

Determine secondary level tactical element

Determine strategic target

Technical Information Gathering

Acquire OSINT data sets and information

Conduct active scanning

Conduct passive scanning

Conduct social engineering

Determine 3rd party infrastructure services

Determine domain and IP address space

Determine external network trust dependencies

Determine firmware version

Discover target logon/email address format

Enumerate client configurations

Enumerate externally facing software applications technologies, languages, and dependencies

Identify job postings and needs/gaps

Identify security defensive capabilities

Identify supply chains

Identify technology usage patterns

Identify web defensive services

Map network topology

Mine technical blogs/forums

Obtain domain/IP registration information

Spearphishing for Information

People Information Gathering

Acquire OSINT data sets and information

Aggregate individual's digital footprint

Conduct social engineering

Identify business relationships

Identify groups/roles

Identify job postings and needs/gaps

Identify people of interest

Identify personnel with an authority/privilege

Identify sensitive personnel information

Identify supply chains

Mine social media

Organizational Information Gathering

Acquire OSINT data sets and information

Conduct social engineering

Determine 3rd party infrastructure services

Determine centralization of IT management

Determine physical locations

Dumpster dive

Identify business processes/tempo

Identify business relationships

Identify job postings and needs/gaps

Identify supply chains

Obtain templates/branding materials

Technical Weakness Identification

Analyze application security posture

Analyze architecture and configuration posture

Analyze data collected

Analyze hardware/software security defensive capabilities

Analyze organizational skillsets and deficiencies

Identify vulnerabilities in third-party software libraries

Research relevant vulnerabilities/CVEs

Research visibility gap of security vendors

Test signature detection

People Weakness Identification

Analyze organizational skillsets and deficiencies

Analyze social and business relationships, interests, and affiliations

Assess targeting options

Organizational Weakness Identification

Analyze business processes

Analyze organizational skillsets and deficiencies

Analyze presence of outsourced capabilities

Assess opportunities created by business deals

Assess security posture of physical locations

Assess vulnerability of 3rd party vendors

Adversary OPSEC

Acquire and/or use 3rd party infrastructure services

Acquire and/or use 3rd party software services

Acquire or compromise 3rd party signing certificates

Anonymity services

Common, high volume protocols and software

Compromise 3rd party infrastructure to support delivery

Data Hiding

Dynamic DNS

Host-based hiding techniques

Misattributable credentials

Network-based hiding techniques

Non-traditional or less attributable payment options

Obfuscate infrastructure

Obfuscate operational infrastructure

Obfuscate or encrypt code

Obfuscation or cryptography

OS-vendor provided communication channels

Private whois services

Proxy/protocol relays

Secure and protect infrastructure

Establish & Maintain Infrastructure

Acquire and/or use 3rd party infrastructure services

Acquire and/or use 3rd party software services

Acquire or compromise 3rd party signing certificates

Buy domain name

Compromise 3rd party infrastructure to support delivery

Create backup infrastructure

Domain registration hijacking

Dynamic DNS

Install and configure hardware, network, and systems

Obfuscate infrastructure

Obtain booter/stressor subscription

Procure required equipment and software

Shadow DNS

SSL certificate acquisition for domain

SSL certificate acquisition for trust breaking

Use multiple DNS infrastructures

Persona Development

Build social network persona

Choose pre-compromised mobile app developer account credentials or signing keys

Choose pre-compromised persona and affiliated accounts

Develop social network persona digital footprint

Friend/Follow/Connect to targets of interest

Obtain Apple iOS enterprise distribution key pair and certificate

Build Capabilities

Build and configure delivery systems

Build or acquire exploits

C2 protocol development

Compromise 3rd party or closed-source vulnerability/exploit information

Create custom payloads

Create infected removable media

Discover new exploits and monitor exploit-provider forums

Identify resources required to build capabilities

Obtain/re-use payloads

Post compromise tool development

Remote access tool development

Test Capabilities

Review logs and residual traces

Test ability to evade automated mobile application security analysis performed by app stores

Test callback functionality

Test malware in various execution environments

Test malware to evade detection

Test physical access

Test signature detection for file upload/email filters

Stage Capabilities

Disseminate removable media

Distribute malicious software development tools

Friend/Follow/Connect to targets of interest

Hardware or software supply chain implant

Port redirector

Upload, install, and configure software/tools

Enterprise

Initial Access

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Phishing

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Replication Through Removable Media

Supply Chain Compromise

Compromise Software Dependencies and Development Tools

Compromise Software Supply Chain

Compromise Hardware Supply Chain

Trusted Relationship

Valid Accounts

Default Accounts

Domain Accounts

Local Accounts

Cloud Accounts

Execution

Command and Scripting Interpreter

PowerShell

AppleScript

Windows Command Shell

Unix Shell

Visual Basic

Python

JavaScript/JScript

Exploitation for Client Execution

Inter-Process Communication

Component Object Model

Dynamic Data Exchange

Native API

Scheduled Task/Job

At (Windows)

Scheduled Task

At (Linux)

Launchd

Cron

Shared Modules

Software Deployment Tools

System Services

Launchctl

Service Execution

User Execution

Malicious Link

Malicious File

Windows Management Instrumentation

Persistence

Account Manipulation

Additional Azure Service Principal Credentials

Exchange Email Delegate Permissions

Add Office 365 Global Administrator Role

SSH Authorized Keys

BITS Jobs

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Time Providers

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

LSASS Driver

Shortcut Modification

Port Monitors

Plist Modification

Boot or Logon Initialization Scripts

Logon Script (Windows)

Logon Script (Mac)

Network Logon Script

Rc.common

Startup Items

Browser Extensions

Compromise Client Software Binary

Create Account

Local Account

Domain Account

Cloud Account

Create or Modify System Process

Launch Agent

Systemd Service

Windows Service

Launch Daemon

Event Triggered Execution

Change Default File Association

Screensaver

Windows Management Instrumentation Event Subscription

.bash_profile and .bashrc

Trap

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

AppCert DLLs

AppInit DLLs

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Emond

Component Object Model Hijacking

External Remote Services

Hijack Execution Flow

Services File Permissions Weakness

Executable Installer File Permissions Weakness

Services Registry Permissions Weakness

Path Interception by Unquoted Path

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

DLL Search Order Hijacking

DLL Side-Loading

LD_PRELOAD

Dylib Hijacking

COR_PROFILER

Implant Container Image

Office Application Startup

Add-ins

Office Template Macros

Outlook Forms

Outlook Rules

Outlook Home Page

Office Test

Pre-OS Boot

System Firmware

Component Firmware

Bootkit

Scheduled Task/Job

At (Windows)

Scheduled Task

At (Linux)

Launchd

Cron

Server Software Component

SQL Stored Procedures

Transport Agent

Web Shell

Traffic Signaling

Port Knocking

Valid Accounts

Default Accounts

Domain Accounts

Local Accounts

Cloud Accounts

Privilege Escalation

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Access Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Time Providers

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

LSASS Driver

Shortcut Modification

Port Monitors

Plist Modification

Boot or Logon Initialization Scripts

Logon Script (Windows)

Logon Script (Mac)

Network Logon Script

Rc.common

Startup Items

Create or Modify System Process

Launch Agent

Systemd Service

Windows Service

Launch Daemon

Event Triggered Execution

Change Default File Association

Screensaver

Windows Management Instrumentation Event Subscription

.bash_profile and .bashrc

Trap

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

AppCert DLLs

AppInit DLLs

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Emond

Component Object Model Hijacking

Exploitation for Privilege Escalation

Group Policy Modification

Hijack Execution Flow

Services File Permissions Weakness

Executable Installer File Permissions Weakness

Services Registry Permissions Weakness

Path Interception by Unquoted Path

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

DLL Search Order Hijacking

DLL Side-Loading

LD_PRELOAD

Dylib Hijacking

COR_PROFILER

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Proc Memory

Extra Window Memory Injection

Process Doppelgänging

Process Hollowing

VDSO Hijacking

Scheduled Task/Job

At (Windows)

Scheduled Task

At (Linux)

Launchd

Cron

Valid Accounts

Default Accounts

Domain Accounts

Local Accounts

Cloud Accounts

Defense Evasion

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Access Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

BITS Jobs

Deobfuscate/Decode Files or Information

Direct Volume Access

Execution Guardrails

Environmental Keying

Exploitation for Defense Evasion

File and Directory Permissions Modification

Windows File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Group Policy Modification

Hide Artifacts

Hidden Files and Directories

Hidden Users

Hidden Window

NTFS File Attributes

Hidden File System

Run Virtual Instance

Hijack Execution Flow

Services File Permissions Weakness

Executable Installer File Permissions Weakness

Services Registry Permissions Weakness

Path Interception by Unquoted Path

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

DLL Search Order Hijacking

DLL Side-Loading

LD_PRELOAD

Dylib Hijacking

COR_PROFILER

Impair Defenses

Disable or Modify Tools

Disable Windows Event Logging

HISTCONTROL

Disable or Modify System Firewall

Indicator Blocking

Disable or Modify Cloud Firewall

Indicator Removal on Host

Clear Windows Event Logs

Clear Linux or Mac System Logs

Clear Command History

File Deletion

Network Share Connection Removal

Timestomp

Indirect Command Execution

Masquerading

Invalid Code Signature

Right-to-Left Override

Rename System Utilities

Masquerade Task or Service

Match Legitimate Name or Location

Space after Filename

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Modify Cloud Compute Infrastructure

Create Snapshot

Create Cloud Instance

Delete Cloud Instance

Revert Cloud Instance

Modify Registry

Obfuscated Files or Information

Binary Padding

Software Packing

Steganography

Compile After Delivery

Indicator Removal from Tools

Pre-OS Boot

System Firmware

Component Firmware

Bootkit

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Proc Memory

Extra Window Memory Injection

Process Doppelgänging

Process Hollowing

VDSO Hijacking

Rogue Domain Controller

Rootkit

Signed Binary Proxy Execution

Rundll32

Compiled HTML File

Control Panel

CMSTP

InstallUtil

Mshta

Regsvcs/Regasm

Regsvr32

Msiexec

Odbcconf

Signed Script Proxy Execution

PubPrn

Subvert Trust Controls

Gatekeeper Bypass

Code Signing

SIP and Trust Provider Hijacking

Install Root Certificate

Template Injection

Traffic Signaling

Port Knocking

Trusted Developer Utilities Proxy Execution

MSBuild

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Pass the Hash

Pass the Ticket

Application Access Token

Web Session Cookie

Valid Accounts

Default Accounts

Domain Accounts

Local Accounts

Cloud Accounts

Virtualization/Sandbox Evasion

System Checks

User Activity Based Checks

Time Based Evasion

XSL Script Processing

Credential Access

Brute Force

Password Guessing

Password Cracking

Password Spraying

Credential Stuffing

Credentials from Password Stores

Keychain

Securityd Memory

Credentials from Web Browsers

Exploitation for Credential Access

Forced Authentication

Input Capture

Keylogging

GUI Input Capture

Web Portal Capture

Credential API Hooking

Man-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Sniffing

OS Credential Dumping

LSASS Memory

Security Account Manager

NTDS

DCSync

Proc Filesystem

/etc/passwd and /etc/shadow

Cached Domain Credentials

LSA Secrets

Steal Application Access Token

Steal or Forge Kerberos Tickets

Golden Ticket

Silver Ticket

Kerberoasting

Steal Web Session Cookie

Two-Factor Authentication Interception

Unsecured Credentials

Credentials In Files

Credentials in Registry

Bash History

Private Keys

Cloud Instance Metadata API

Group Policy Preferences

Discovery

Account Discovery

Local Account

Domain Account

Email Account

Cloud Account

Application Window Discovery

Browser Bookmark Discovery

Cloud Service Dashboard

Cloud Service Discovery

Domain Trust Discovery

File and Directory Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Domain Groups

Cloud Groups

Local Groups

Process Discovery

Query Registry

Remote System Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

System Checks

User Activity Based Checks

Time Based Evasion

Lateral Movement

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

Remote Service Session Hijacking

SSH Hijacking

RDP Hijacking

Remote Services

Remote Desktop Protocol

SMB/Windows Admin Shares

Distributed Component Object Model

SSH

VNC

Windows Remote Management

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

Use Alternate Authentication Material

Pass the Hash

Pass the Ticket

Application Access Token

Web Session Cookie

Collection

Archive Collected Data

Archive via Utility

Archive via Library

Archive via Custom Method

Audio Capture

Automated Collection

Clipboard Data

Data from Cloud Storage Object

Data from Information Repositories

Confluence

Sharepoint

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Local Data Staging

Remote Data Staging

Email Collection

Local Email Collection

Remote Email Collection

Email Forwarding Rule

Input Capture

Keylogging

GUI Input Capture

Web Portal Capture

Credential API Hooking

Man in the Browser

Man-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

Screen Capture

Video Capture

Command and Control

Application Layer Protocol

Web Protocols

File Transfer Protocols

Mail Protocols

DNS

Communication Through Removable Media

Data Encoding

Standard Encoding

Non-Standard Encoding

Data Obfuscation

Junk Data

Steganography

Protocol Impersonation

Dynamic Resolution

Domain Generation Algorithms

Fast Flux DNS

DNS Calculation

Encrypted Channel

Symmetric Cryptography

Asymmetric Cryptography

Fallback Channels

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

Proxy

Internal Proxy

External Proxy

Multi-hop Proxy

Domain Fronting

Remote Access Software

Traffic Signaling

Port Knocking

Web Service

Dead Drop Resolver

Bidirectional Communication

One-Way Communication

Exfiltration

Automated Exfiltration

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Other Network Medium

Exfiltration Over Bluetooth

Exfiltration Over Physical Medium

Exfiltration over USB

Exfiltration Over Web Service

Exfiltration to Code Repository

Exfiltration to Cloud Storage

Scheduled Transfer

Transfer Data to Cloud Account

Impact

Account Access Removal

Data Destruction

Data Encrypted for Impact

Data Manipulation

Stored Data Manipulation

Transmitted Data Manipulation

Runtime Data Manipulation

Defacement

Internal Defacement

External Defacement

Disk Wipe

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

OS Exhaustion Flood

Service Exhaustion Flood

Application Exhaustion Flood

Application or System Exploitation

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Direct Network Flood

Reflection Amplification

Resource Hijacking

Service Stop

System Shutdown/Reboot

Mobile

Initial Access

Deliver Malicious App via Authorized App Store

Deliver Malicious App via Other Means

Drive-by Compromise

Exploit via Charging Station or PC

Exploit via Radio Interfaces

Install Insecure or Malicious Configuration

Lockscreen Bypass

Masquerade as Legitimate Application

Supply Chain Compromise

Execution

Broadcast Receivers

Native Code

Persistence

Abuse Device Administrator Access to Prevent Removal

Broadcast Receivers

Code Injection

Compromise Application Executable

Foreground Persistence

Modify Cached Executable Code

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Privilege Escalation

Code Injection

Exploit OS Vulnerability

Exploit TEE Vulnerability

Defense Evasion

Application Discovery

Code Injection

Device Lockout

Disguise Root/Jailbreak Indicators

Download New Code at Runtime

Evade Analysis Environment

Input Injection

Install Insecure or Malicious Configuration

Masquerade as Legitimate Application

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Native Code

Obfuscated Files or Information

Suppress Application Icon

Uninstall Malicious Application

Credential Access

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Android Intent Hijacking

Capture Clipboard Data

Capture SMS Messages

Exploit TEE Vulnerability

Input Capture

Input Prompt

Keychain

Network Traffic Capture or Redirection

URL Scheme Hijacking

Discovery

Application Discovery

Evade Analysis Environment

File and Directory Discovery

Location Tracking

Network Service Scanning

Process Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Attack PC via USB Connection

Exploit Enterprise Resources

Collection

Access Calendar Entries

Access Call Log

Access Contact List

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Capture Audio

Capture Camera

Capture Clipboard Data

Capture SMS Messages

Data from Local System

Foreground Persistence

Input Capture

Location Tracking

Network Information Discovery

Network Traffic Capture or Redirection

Screen Capture

Command and Control

Alternate Network Mediums

Commonly Used Port

Domain Generation Algorithms

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Uncommonly Used Port

Web Service

Exfiltration

Alternate Network Mediums

Commonly Used Port

Data Encrypted

Standard Application Layer Protocol

Impact

Carrier Billing Fraud

Clipboard Modification

Data Encrypted for Impact

Delete Device Data

Device Lockout

Generate Fraudulent Advertising Revenue

Input Injection

Manipulate App Store Rankings or Ratings

Modify System Partition

Network Effects

Downgrade to Insecure Protocols

Eavesdrop on Insecure Network Communication

Exploit SS7 to Redirect Phone Calls/SMS

Exploit SS7 to Track Device Location

Jamming or Denial of Service

Manipulate Device Communication

Rogue Cellular Base Station

Rogue Wi-Fi Access Points

SIM Card Swap

Remote Service Effects

Obtain Device Cloud Backups

Remotely Track Device Without Authorization

Remotely Wipe Data Without Authorization

Conduct passive scanning

Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system. ^[1] ^[2]

ID: T1253

Sub-techniques: No sub-techniques

Tactic: Technical Information Gathering

Version: 1.0

Created: 14 December 2017

Last Modified: 17 October 2018

Version Permalink

Live Version

Detection

Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Generates no network traffic that would enable detection.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Easy to do but it requires a vantage point conducive to accessing this data.

References

Jamal Raiyn. (2014). A survey of Cyber Attack Detection Strategies. Retrieved March 5, 2017.

H. P. Sanghvi and M. S. Dahiya. (2013, February). Cyber Reconnaissance: An Alarm before Cyber Attack. Retrieved March 5, 2017.