Subtechniques support
parent
62ff711b16
commit
05f1b69292
@ -49,272 +49,667 @@ ta_mapping = {
|
||||
]
|
||||
}
|
||||
te_mapping = {
|
||||
"T1156": ".bash_profile and .bashrc",
|
||||
"T1134": "Access Token Manipulation",
|
||||
"T1015": "Accessibility Features",
|
||||
"T1531": "Account Access Removal",
|
||||
"T1087": "Account Discovery",
|
||||
"T1098": "Account Manipulation",
|
||||
"T1182": "AppCert DLLs",
|
||||
"T1103": "AppInit DLLs",
|
||||
"T1155": "AppleScript",
|
||||
"T1527": "Application Access Token",
|
||||
"T1017": "Application Deployment Software",
|
||||
"T1138": "Application Shimming",
|
||||
"T1010": "Application Window Discovery",
|
||||
"T1123": "Audio Capture",
|
||||
"T1131": "Authentication Package",
|
||||
"T1119": "Automated Collection",
|
||||
"T1020": "Automated Exfiltration",
|
||||
"T1197": "BITS Jobs",
|
||||
"T1139": "Bash History",
|
||||
"T1009": "Binary Padding",
|
||||
"T1067": "Bootkit",
|
||||
"T1217": "Browser Bookmark Discovery",
|
||||
"T1176": "Browser Extensions",
|
||||
"T1110": "Brute Force",
|
||||
"T1088": "Bypass User Account Control",
|
||||
"T1191": "CMSTP",
|
||||
"T1042": "Change Default File Association",
|
||||
"T1146": "Clear Command History",
|
||||
"T1115": "Clipboard Data",
|
||||
"T1522": "Cloud Instance Metadata API",
|
||||
"T1538": "Cloud Service Dashboard",
|
||||
"T1526": "Cloud Service Discovery",
|
||||
"T1116": "Code Signing",
|
||||
"T1059": "Command-Line Interface",
|
||||
"T1043": "Commonly Used Port",
|
||||
"T1092": "Communication Through Removable Media",
|
||||
"T1500": "Compile After Delivery",
|
||||
"T1223": "Compiled HTML File",
|
||||
"T1109": "Component Firmware",
|
||||
"T1122": "Component Object Model Hijacking",
|
||||
"T1175": "Component Object Model and Distributed COM",
|
||||
"T1090": "Connection Proxy",
|
||||
"T1196": "Control Panel Items",
|
||||
"T1136": "Create Account",
|
||||
"T1003": "Credential Dumping",
|
||||
"T1503": "Credentials from Web Browsers",
|
||||
"T1081": "Credentials in Files",
|
||||
"T1214": "Credentials in Registry",
|
||||
"T1094": "Custom Command and Control Protocol",
|
||||
"T1024": "Custom Cryptographic Protocol",
|
||||
"T1207": "DCShadow",
|
||||
"T1038": "DLL Search Order Hijacking",
|
||||
"T1073": "DLL Side-Loading",
|
||||
"T1002": "Data Compressed",
|
||||
"T1485": "Data Destruction",
|
||||
"T1132": "Data Encoding",
|
||||
"T1022": "Data Encrypted",
|
||||
"T1486": "Data Encrypted for Impact",
|
||||
"T1001": "Data Obfuscation",
|
||||
"T1074": "Data Staged",
|
||||
"T1030": "Data Transfer Size Limits",
|
||||
"T1530": "Data from Cloud Storage Object",
|
||||
"T1213": "Data from Information Repositories",
|
||||
"T1001.001": "Data Obfuscation : Junk Data",
|
||||
"T1001.002": "Data Obfuscation : Steganography",
|
||||
"T1001.003": "Data Obfuscation : Protocol Impersonation",
|
||||
"T1003": "OS Credential Dumping",
|
||||
"T1003.001": "OS Credential Dumping : LSASS Memory",
|
||||
"T1003.002": "OS Credential Dumping : Security Account Manager",
|
||||
"T1003.003": "OS Credential Dumping : NTDS",
|
||||
"T1003.004": "OS Credential Dumping : LSA Secrets",
|
||||
"T1003.005": "OS Credential Dumping : Cached Domain Credentials",
|
||||
"T1003.006": "OS Credential Dumping : DCSync",
|
||||
"T1003.007": "OS Credential Dumping : Proc Filesystem",
|
||||
"T1003.008": "OS Credential Dumping : /etc/passwd and /etc/shadow",
|
||||
"T1005": "Data from Local System",
|
||||
"T1039": "Data from Network Shared Drive",
|
||||
"T1025": "Data from Removable Media",
|
||||
"T1491": "Defacement",
|
||||
"T1140": "Deobfuscate/Decode Files or Information",
|
||||
"T1089": "Disabling Security Tools",
|
||||
"T1488": "Disk Content Wipe",
|
||||
"T1487": "Disk Structure Wipe",
|
||||
"T1172": "Domain Fronting",
|
||||
"T1483": "Domain Generation Algorithms",
|
||||
"T1482": "Domain Trust Discovery",
|
||||
"T1189": "Drive-by Compromise",
|
||||
"T1157": "Dylib Hijacking",
|
||||
"T1173": "Dynamic Data Exchange",
|
||||
"T1514": "Elevated Execution with Prompt",
|
||||
"T1114": "Email Collection",
|
||||
"T1519": "Emond",
|
||||
"T1499": "Endpoint Denial of Service",
|
||||
"T1480": "Execution Guardrails",
|
||||
"T1106": "Execution through API",
|
||||
"T1129": "Execution through Module Load",
|
||||
"T1048": "Exfiltration Over Alternative Protocol",
|
||||
"T1041": "Exfiltration Over Command and Control Channel",
|
||||
"T1011": "Exfiltration Over Other Network Medium",
|
||||
"T1052": "Exfiltration Over Physical Medium",
|
||||
"T1190": "Exploit Public-Facing Application",
|
||||
"T1203": "Exploitation for Client Execution",
|
||||
"T1212": "Exploitation for Credential Access",
|
||||
"T1211": "Exploitation for Defense Evasion",
|
||||
"T1068": "Exploitation for Privilege Escalation",
|
||||
"T1210": "Exploitation of Remote Services",
|
||||
"T1133": "External Remote Services",
|
||||
"T1181": "Extra Window Memory Injection",
|
||||
"T1008": "Fallback Channels",
|
||||
"T1107": "File Deletion",
|
||||
"T1006": "File System Logical Offsets",
|
||||
"T1044": "File System Permissions Weakness",
|
||||
"T1083": "File and Directory Discovery",
|
||||
"T1222": "File and Directory Permissions Modification",
|
||||
"T1495": "Firmware Corruption",
|
||||
"T1187": "Forced Authentication",
|
||||
"T1144": "Gatekeeper Bypass",
|
||||
"T1061": "Graphical User Interface",
|
||||
"T1484": "Group Policy Modification",
|
||||
"T1148": "HISTCONTROL",
|
||||
"T1200": "Hardware Additions",
|
||||
"T1158": "Hidden Files and Directories",
|
||||
"T1147": "Hidden Users",
|
||||
"T1143": "Hidden Window",
|
||||
"T1179": "Hooking",
|
||||
"T1062": "Hypervisor",
|
||||
"T1183": "Image File Execution Options Injection",
|
||||
"T1525": "Implant Container Image",
|
||||
"T1054": "Indicator Blocking",
|
||||
"T1066": "Indicator Removal from Tools",
|
||||
"T1070": "Indicator Removal on Host",
|
||||
"T1202": "Indirect Command Execution",
|
||||
"T1490": "Inhibit System Recovery",
|
||||
"T1056": "Input Capture",
|
||||
"T1141": "Input Prompt",
|
||||
"T1130": "Install Root Certificate",
|
||||
"T1118": "InstallUtil",
|
||||
"T1534": "Internal Spearphishing",
|
||||
"T1208": "Kerberoasting",
|
||||
"T1215": "Kernel Modules and Extensions",
|
||||
"T1142": "Keychain",
|
||||
"T1161": "LC_LOAD_DYLIB Addition",
|
||||
"T1149": "LC_MAIN Hijacking",
|
||||
"T1171": "LLMNR/NBT-NS Poisoning and Relay",
|
||||
"T1177": "LSASS Driver",
|
||||
"T1159": "Launch Agent",
|
||||
"T1160": "Launch Daemon",
|
||||
"T1152": "Launchctl",
|
||||
"T1168": "Local Job Scheduling",
|
||||
"T1162": "Login Item",
|
||||
"T1037": "Logon Scripts",
|
||||
"T1185": "Man in the Browser",
|
||||
"T1036": "Masquerading",
|
||||
"T1031": "Modify Existing Service",
|
||||
"T1112": "Modify Registry",
|
||||
"T1170": "Mshta",
|
||||
"T1104": "Multi-Stage Channels",
|
||||
"T1188": "Multi-hop Proxy",
|
||||
"T1026": "Multiband Communication",
|
||||
"T1079": "Multilayer Encryption",
|
||||
"T1096": "NTFS File Attributes",
|
||||
"T1128": "Netsh Helper DLL",
|
||||
"T1498": "Network Denial of Service",
|
||||
"T1046": "Network Service Scanning",
|
||||
"T1126": "Network Share Connection Removal",
|
||||
"T1135": "Network Share Discovery",
|
||||
"T1040": "Network Sniffing",
|
||||
"T1050": "New Service",
|
||||
"T1027": "Obfuscated Files or Information",
|
||||
"T1137": "Office Application Startup",
|
||||
"T1502": "Parent PID Spoofing",
|
||||
"T1075": "Pass the Hash",
|
||||
"T1097": "Pass the Ticket",
|
||||
"T1174": "Password Filter DLL",
|
||||
"T1201": "Password Policy Discovery",
|
||||
"T1034": "Path Interception",
|
||||
"T1120": "Peripheral Device Discovery",
|
||||
"T1069": "Permission Groups Discovery",
|
||||
"T1150": "Plist Modification",
|
||||
"T1205": "Port Knocking",
|
||||
"T1013": "Port Monitors",
|
||||
"T1086": "PowerShell",
|
||||
"T1504": "PowerShell Profile",
|
||||
"T1145": "Private Keys",
|
||||
"T1057": "Process Discovery",
|
||||
"T1186": "Process Doppelg\u00e4nging",
|
||||
"T1093": "Process Hollowing",
|
||||
"T1055": "Process Injection",
|
||||
"T1012": "Query Registry",
|
||||
"T1163": "Rc.common",
|
||||
"T1164": "Re-opened Applications",
|
||||
"T1108": "Redundant Access",
|
||||
"T1060": "Registry Run Keys / Startup Folder",
|
||||
"T1121": "Regsvcs/Regasm",
|
||||
"T1117": "Regsvr32",
|
||||
"T1219": "Remote Access Tools",
|
||||
"T1076": "Remote Desktop Protocol",
|
||||
"T1105": "Remote File Copy",
|
||||
"T1021": "Remote Services",
|
||||
"T1018": "Remote System Discovery",
|
||||
"T1091": "Replication Through Removable Media",
|
||||
"T1496": "Resource Hijacking",
|
||||
"T1536": "Revert Cloud Instance",
|
||||
"T1014": "Rootkit",
|
||||
"T1085": "Rundll32",
|
||||
"T1494": "Runtime Data Manipulation",
|
||||
"T1178": "SID-History Injection",
|
||||
"T1198": "SIP and Trust Provider Hijacking",
|
||||
"T1184": "SSH Hijacking",
|
||||
"T1053": "Scheduled Task",
|
||||
"T1029": "Scheduled Transfer",
|
||||
"T1113": "Screen Capture",
|
||||
"T1180": "Screensaver",
|
||||
"T1064": "Scripting",
|
||||
"T1063": "Security Software Discovery",
|
||||
"T1101": "Security Support Provider",
|
||||
"T1167": "Securityd Memory",
|
||||
"T1505": "Server Software Component",
|
||||
"T1035": "Service Execution",
|
||||
"T1058": "Service Registry Permissions Weakness",
|
||||
"T1489": "Service Stop",
|
||||
"T1166": "Setuid and Setgid",
|
||||
"T1051": "Shared Webroot",
|
||||
"T1023": "Shortcut Modification",
|
||||
"T1218": "Signed Binary Proxy Execution",
|
||||
"T1216": "Signed Script Proxy Execution",
|
||||
"T1518": "Software Discovery",
|
||||
"T1045": "Software Packing",
|
||||
"T1153": "Source",
|
||||
"T1151": "Space after Filename",
|
||||
"T1193": "Spearphishing Attachment",
|
||||
"T1192": "Spearphishing Link",
|
||||
"T1194": "Spearphishing via Service",
|
||||
"T1071": "Standard Application Layer Protocol",
|
||||
"T1032": "Standard Cryptographic Protocol",
|
||||
"T1095": "Standard Non-Application Layer Protocol",
|
||||
"T1165": "Startup Items",
|
||||
"T1528": "Steal Application Access Token",
|
||||
"T1539": "Steal Web Session Cookie",
|
||||
"T1492": "Stored Data Manipulation",
|
||||
"T1169": "Sudo",
|
||||
"T1206": "Sudo Caching",
|
||||
"T1195": "Supply Chain Compromise",
|
||||
"T1019": "System Firmware",
|
||||
"T1082": "System Information Discovery",
|
||||
"T1016": "System Network Configuration Discovery",
|
||||
"T1049": "System Network Connections Discovery",
|
||||
"T1033": "System Owner/User Discovery",
|
||||
"T1006": "Direct Volume Access",
|
||||
"T1007": "System Service Discovery",
|
||||
"T1529": "System Shutdown/Reboot",
|
||||
"T1124": "System Time Discovery",
|
||||
"T1501": "Systemd Service",
|
||||
"T1080": "Taint Shared Content",
|
||||
"T1221": "Template Injection",
|
||||
"T1072": "Third-party Software",
|
||||
"T1209": "Time Providers",
|
||||
"T1099": "Timestomp",
|
||||
"T1537": "Transfer Data to Cloud Account",
|
||||
"T1493": "Transmitted Data Manipulation",
|
||||
"T1154": "Trap",
|
||||
"T1127": "Trusted Developer Utilities",
|
||||
"T1199": "Trusted Relationship",
|
||||
"T1111": "Two-Factor Authentication Interception",
|
||||
"T1065": "Uncommonly Used Port",
|
||||
"T1535": "Unused/Unsupported Cloud Regions",
|
||||
"T1204": "User Execution",
|
||||
"T1078": "Valid Accounts",
|
||||
"T1125": "Video Capture",
|
||||
"T1497": "Virtualization/Sandbox Evasion",
|
||||
"T1102": "Web Service",
|
||||
"T1506": "Web Session Cookie",
|
||||
"T1100": "Web Shell",
|
||||
"T1077": "Windows Admin Shares",
|
||||
"T1008": "Fallback Channels",
|
||||
"T1010": "Application Window Discovery",
|
||||
"T1011": "Exfiltration Over Other Network Medium",
|
||||
"T1011.001": "Exfiltration Over Other Network Medium : Exfiltration Over Bluetooth",
|
||||
"T1012": "Query Registry",
|
||||
"T1014": "Rootkit",
|
||||
"T1016": "System Network Configuration Discovery",
|
||||
"T1018": "Remote System Discovery",
|
||||
"T1020": "Automated Exfiltration",
|
||||
"T1021": "Remote Services",
|
||||
"T1021.001": "Remote Services : Remote Desktop Protocol",
|
||||
"T1021.002": "Remote Services : SMB/Windows Admin Shares",
|
||||
"T1021.003": "Remote Services : Distributed Component Object Model",
|
||||
"T1021.004": "Remote Services : SSH",
|
||||
"T1021.005": "Remote Services : VNC",
|
||||
"T1021.006": "Remote Services : Windows Remote Management",
|
||||
"T1025": "Data from Removable Media",
|
||||
"T1027": "Obfuscated Files or Information",
|
||||
"T1027.001": "Obfuscated Files or Information : Binary Padding",
|
||||
"T1027.002": "Obfuscated Files or Information : Software Packing",
|
||||
"T1027.003": "Obfuscated Files or Information : Steganography",
|
||||
"T1027.004": "Obfuscated Files or Information : Compile After Delivery",
|
||||
"T1027.005": "Obfuscated Files or Information : Indicator Removal from Tools",
|
||||
"T1029": "Scheduled Transfer",
|
||||
"T1030": "Data Transfer Size Limits",
|
||||
"T1033": "System Owner/User Discovery",
|
||||
"T1036": "Masquerading",
|
||||
"T1036.001": "Masquerading : Invalid Code Signature",
|
||||
"T1036.002": "Masquerading : Right-to-Left Override",
|
||||
"T1036.003": "Masquerading : Rename System Utilities",
|
||||
"T1036.004": "Masquerading : Masquerade Task or Service",
|
||||
"T1036.005": "Masquerading : Match Legitimate Name or Location",
|
||||
"T1036.006": "Masquerading : Space after Filename",
|
||||
"T1037": "Boot or Logon Initialization Scripts",
|
||||
"T1037.001": "Boot or Logon Initialization Scripts : Logon Script (Windows)",
|
||||
"T1037.002": "Boot or Logon Initialization Scripts : Logon Script (Mac)",
|
||||
"T1037.003": "Boot or Logon Initialization Scripts : Network Logon Script",
|
||||
"T1037.004": "Boot or Logon Initialization Scripts : Rc.common",
|
||||
"T1037.005": "Boot or Logon Initialization Scripts : Startup Items",
|
||||
"T1039": "Data from Network Shared Drive",
|
||||
"T1040": "Network Sniffing",
|
||||
"T1041": "Exfiltration Over C2 Channel",
|
||||
"T1046": "Network Service Scanning",
|
||||
"T1047": "Windows Management Instrumentation",
|
||||
"T1084": "Windows Management Instrumentation Event Subscription",
|
||||
"T1028": "Windows Remote Management",
|
||||
"T1004": "Winlogon Helper DLL",
|
||||
"T1220": "XSL Script Processing"
|
||||
"T1048": "Exfiltration Over Alternative Protocol",
|
||||
"T1048.001": "Exfiltration Over Alternative Protocol : Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
|
||||
"T1048.002": "Exfiltration Over Alternative Protocol : Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
|
||||
"T1048.003": "Exfiltration Over Alternative Protocol : Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
|
||||
"T1049": "System Network Connections Discovery",
|
||||
"T1052": "Exfiltration Over Physical Medium",
|
||||
"T1052.001": "Exfiltration Over Physical Medium : Exfiltration over USB",
|
||||
"T1053": "Scheduled Task/Job",
|
||||
"T1053.001": "Scheduled Task/Job : At (Linux)",
|
||||
"T1053.002": "Scheduled Task/Job : At (Windows)",
|
||||
"T1053.003": "Scheduled Task/Job : Cron",
|
||||
"T1053.004": "Scheduled Task/Job : Launchd",
|
||||
"T1053.005": "Scheduled Task/Job : Scheduled Task",
|
||||
"T1055": "Process Injection",
|
||||
"T1055.001": "Process Injection : Dynamic-link Library Injection",
|
||||
"T1055.002": "Process Injection : Portable Executable Injection",
|
||||
"T1055.003": "Process Injection : Thread Execution Hijacking",
|
||||
"T1055.004": "Process Injection : Asynchronous Procedure Call",
|
||||
"T1055.005": "Process Injection : Thread Local Storage",
|
||||
"T1055.008": "Process Injection : Ptrace System Calls",
|
||||
"T1055.009": "Process Injection : Proc Memory",
|
||||
"T1055.011": "Process Injection : Extra Window Memory Injection",
|
||||
"T1055.012": "Process Injection : Process Hollowing",
|
||||
"T1055.013": "Process Injection : Process Doppelgänging",
|
||||
"T1055.014": "Process Injection : VDSO Hijacking",
|
||||
"T1056": "Input Capture",
|
||||
"T1056.001": "Input Capture : Keylogging",
|
||||
"T1056.002": "Input Capture : GUI Input Capture",
|
||||
"T1056.003": "Input Capture : Web Portal Capture",
|
||||
"T1056.004": "Input Capture : Credential API Hooking",
|
||||
"T1057": "Process Discovery",
|
||||
"T1059": "Command and Scripting Interpreter",
|
||||
"T1059.001": "Command and Scripting Interpreter : PowerShell",
|
||||
"T1059.002": "Command and Scripting Interpreter : AppleScript",
|
||||
"T1059.003": "Command and Scripting Interpreter : Windows Command Shell",
|
||||
"T1059.004": "Command and Scripting Interpreter : Unix Shell",
|
||||
"T1059.005": "Command and Scripting Interpreter : Visual Basic",
|
||||
"T1059.006": "Command and Scripting Interpreter : Python",
|
||||
"T1059.007": "Command and Scripting Interpreter : JavaScript/JScript",
|
||||
"T1068": "Exploitation for Privilege Escalation",
|
||||
"T1069": "Permission Groups Discovery",
|
||||
"T1069.001": "Permission Groups Discovery : Local Groups",
|
||||
"T1069.002": "Permission Groups Discovery : Domain Groups",
|
||||
"T1069.003": "Permission Groups Discovery : Cloud Groups",
|
||||
"T1070": "Indicator Removal on Host",
|
||||
"T1070.001": "Indicator Removal on Host : Clear Windows Event Logs",
|
||||
"T1070.002": "Indicator Removal on Host : Clear Linux or Mac System Logs",
|
||||
"T1070.003": "Indicator Removal on Host : Clear Command History",
|
||||
"T1070.004": "Indicator Removal on Host : File Deletion",
|
||||
"T1070.005": "Indicator Removal on Host : Network Share Connection Removal",
|
||||
"T1070.006": "Indicator Removal on Host : Timestomp",
|
||||
"T1071": "Application Layer Protocol",
|
||||
"T1071.001": "Application Layer Protocol : Web Protocols",
|
||||
"T1071.002": "Application Layer Protocol : File Transfer Protocols",
|
||||
"T1071.003": "Application Layer Protocol : Mail Protocols",
|
||||
"T1071.004": "Application Layer Protocol : DNS",
|
||||
"T1072": "Software Deployment Tools",
|
||||
"T1074": "Data Staged",
|
||||
"T1074.001": "Data Staged : Local Data Staging",
|
||||
"T1074.002": "Data Staged : Remote Data Staging",
|
||||
"T1078": "Valid Accounts",
|
||||
"T1078.001": "Valid Accounts : Default Accounts",
|
||||
"T1078.002": "Valid Accounts : Domain Accounts",
|
||||
"T1078.003": "Valid Accounts : Local Accounts",
|
||||
"T1078.004": "Valid Accounts : Cloud Accounts",
|
||||
"T1080": "Taint Shared Content",
|
||||
"T1082": "System Information Discovery",
|
||||
"T1083": "File and Directory Discovery",
|
||||
"T1087": "Account Discovery",
|
||||
"T1087.001": "Account Discovery : Local Account",
|
||||
"T1087.002": "Account Discovery : Domain Account",
|
||||
"T1087.003": "Account Discovery : Email Account",
|
||||
"T1087.004": "Account Discovery : Cloud Account",
|
||||
"T1090": "Proxy",
|
||||
"T1090.001": "Proxy : Internal Proxy",
|
||||
"T1090.002": "Proxy : External Proxy",
|
||||
"T1090.003": "Proxy : Multi-hop Proxy",
|
||||
"T1090.004": "Proxy : Domain Fronting",
|
||||
"T1091": "Replication Through Removable Media",
|
||||
"T1092": "Communication Through Removable Media",
|
||||
"T1095": "Non-Application Layer Protocol",
|
||||
"T1098": "Account Manipulation",
|
||||
"T1098.001": "Account Manipulation : Additional Azure Service Principal Credentials",
|
||||
"T1098.002": "Account Manipulation : Exchange Email Delegate Permissions",
|
||||
"T1098.003": "Account Manipulation : Add Office 365 Global Administrator Role",
|
||||
"T1098.004": "Account Manipulation : SSH Authorized Keys",
|
||||
"T1102": "Web Service",
|
||||
"T1102.001": "Web Service : Dead Drop Resolver",
|
||||
"T1102.002": "Web Service : Bidirectional Communication",
|
||||
"T1102.003": "Web Service : One-Way Communication",
|
||||
"T1104": "Multi-Stage Channels",
|
||||
"T1105": "Ingress Tool Transfer",
|
||||
"T1106": "Native API",
|
||||
"T1110": "Brute Force",
|
||||
"T1110.001": "Brute Force : Password Guessing",
|
||||
"T1110.002": "Brute Force : Password Cracking",
|
||||
"T1110.003": "Brute Force : Password Spraying",
|
||||
"T1110.004": "Brute Force : Credential Stuffing",
|
||||
"T1111": "Two-Factor Authentication Interception",
|
||||
"T1112": "Modify Registry",
|
||||
"T1113": "Screen Capture",
|
||||
"T1114": "Email Collection",
|
||||
"T1114.001": "Email Collection : Local Email Collection",
|
||||
"T1114.002": "Email Collection : Remote Email Collection",
|
||||
"T1114.003": "Email Collection : Email Forwarding Rule",
|
||||
"T1115": "Clipboard Data",
|
||||
"T1119": "Automated Collection",
|
||||
"T1120": "Peripheral Device Discovery",
|
||||
"T1123": "Audio Capture",
|
||||
"T1124": "System Time Discovery",
|
||||
"T1125": "Video Capture",
|
||||
"T1127": "Trusted Developer Utilities Proxy Execution",
|
||||
"T1127.001": "Trusted Developer Utilities Proxy Execution : MSBuild",
|
||||
"T1129": "Shared Modules",
|
||||
"T1132": "Data Encoding",
|
||||
"T1132.001": "Data Encoding : Standard Encoding",
|
||||
"T1132.002": "Data Encoding : Non-Standard Encoding",
|
||||
"T1133": "External Remote Services",
|
||||
"T1134": "Access Token Manipulation",
|
||||
"T1134.001": "Access Token Manipulation : Token Impersonation/Theft",
|
||||
"T1134.002": "Access Token Manipulation : Create Process with Token",
|
||||
"T1134.003": "Access Token Manipulation : Make and Impersonate Token",
|
||||
"T1134.004": "Access Token Manipulation : Parent PID Spoofing",
|
||||
"T1134.005": "Access Token Manipulation : SID-History Injection",
|
||||
"T1135": "Network Share Discovery",
|
||||
"T1136": "Create Account",
|
||||
"T1136.001": "Create Account : Local Account",
|
||||
"T1136.002": "Create Account : Domain Account",
|
||||
"T1136.003": "Create Account : Cloud Account",
|
||||
"T1137": "Office Application Startup",
|
||||
"T1137.001": "Office Application Startup : Office Template Macros",
|
||||
"T1137.002": "Office Application Startup : Office Test",
|
||||
"T1137.003": "Office Application Startup : Outlook Forms",
|
||||
"T1137.004": "Office Application Startup : Outlook Home Page",
|
||||
"T1137.005": "Office Application Startup : Outlook Rules",
|
||||
"T1137.006": "Office Application Startup : Add-ins",
|
||||
"T1140": "Deobfuscate/Decode Files or Information",
|
||||
"T1176": "Browser Extensions",
|
||||
"T1185": "Man in the Browser",
|
||||
"T1187": "Forced Authentication",
|
||||
"T1189": "Drive-by Compromise",
|
||||
"T1190": "Exploit Public-Facing Application",
|
||||
"T1195": "Supply Chain Compromise",
|
||||
"T1195.001": "Supply Chain Compromise : Compromise Software Dependencies and Development Tools",
|
||||
"T1195.002": "Supply Chain Compromise : Compromise Software Supply Chain",
|
||||
"T1195.003": "Supply Chain Compromise : Compromise Hardware Supply Chain",
|
||||
"T1197": "BITS Jobs",
|
||||
"T1199": "Trusted Relationship",
|
||||
"T1200": "Hardware Additions",
|
||||
"T1201": "Password Policy Discovery",
|
||||
"T1202": "Indirect Command Execution",
|
||||
"T1203": "Exploitation for Client Execution",
|
||||
"T1204": "User Execution",
|
||||
"T1204.001": "User Execution : Malicious Link",
|
||||
"T1204.002": "User Execution : Malicious File",
|
||||
"T1205": "Traffic Signaling",
|
||||
"T1205.001": "Traffic Signaling : Port Knocking",
|
||||
"T1207": "Rogue Domain Controller",
|
||||
"T1210": "Exploitation of Remote Services",
|
||||
"T1211": "Exploitation for Defense Evasion",
|
||||
"T1212": "Exploitation for Credential Access",
|
||||
"T1213": "Data from Information Repositories",
|
||||
"T1213.001": "Data from Information Repositories : Confluence",
|
||||
"T1213.002": "Data from Information Repositories : Sharepoint",
|
||||
"T1216": "Signed Script Proxy Execution",
|
||||
"T1216.001": "Signed Script Proxy Execution : PubPrn",
|
||||
"T1217": "Browser Bookmark Discovery",
|
||||
"T1218": "Signed Binary Proxy Execution",
|
||||
"T1218.001": "Signed Binary Proxy Execution : Compiled HTML File",
|
||||
"T1218.002": "Signed Binary Proxy Execution : Control Panel",
|
||||
"T1218.003": "Signed Binary Proxy Execution : CMSTP",
|
||||
"T1218.004": "Signed Binary Proxy Execution : InstallUtil",
|
||||
"T1218.005": "Signed Binary Proxy Execution : Mshta",
|
||||
"T1218.007": "Signed Binary Proxy Execution : Msiexec",
|
||||
"T1218.008": "Signed Binary Proxy Execution : Odbcconf",
|
||||
"T1218.009": "Signed Binary Proxy Execution : Regsvcs/Regasm",
|
||||
"T1218.010": "Signed Binary Proxy Execution : Regsvr32",
|
||||
"T1218.011": "Signed Binary Proxy Execution : Rundll32",
|
||||
"T1219": "Remote Access Software",
|
||||
"T1220": "XSL Script Processing",
|
||||
"T1221": "Template Injection",
|
||||
"T1222": "File and Directory Permissions Modification",
|
||||
"T1222.001": "File and Directory Permissions Modification : Windows File and Directory Permissions Modification",
|
||||
"T1222.002": "File and Directory Permissions Modification : Linux and Mac File and Directory Permissions Modification",
|
||||
"T1224": "Assess leadership areas of interest",
|
||||
"T1225": "Identify gap areas",
|
||||
"T1226": "Conduct cost/benefit analysis",
|
||||
"T1227": "Develop KITs/KIQs",
|
||||
"T1228": "Assign KITs/KIQs into categories",
|
||||
"T1229": "Assess KITs/KIQs benefits",
|
||||
"T1230": "Derive intelligence requirements",
|
||||
"T1231": "Create strategic plan",
|
||||
"T1232": "Create implementation plan",
|
||||
"T1233": "Identify analyst level gaps",
|
||||
"T1234": "Generate analyst intelligence requirements",
|
||||
"T1235": "Receive operator KITs/KIQs tasking",
|
||||
"T1236": "Assess current holdings, needs, and wants",
|
||||
"T1237": "Submit KITs, KIQs, and intelligence requirements",
|
||||
"T1238": "Assign KITs, KIQs, and/or intelligence requirements",
|
||||
"T1239": "Receive KITs/KIQs and determine requirements",
|
||||
"T1240": "Task requirements",
|
||||
"T1241": "Determine strategic target",
|
||||
"T1242": "Determine operational element",
|
||||
"T1243": "Determine highest level tactical element",
|
||||
"T1244": "Determine secondary level tactical element",
|
||||
"T1245": "Determine approach/attack vector",
|
||||
"T1246": "Identify supply chains",
|
||||
"T1247": "Acquire OSINT data sets and information",
|
||||
"T1248": "Identify job postings and needs/gaps",
|
||||
"T1249": "Conduct social engineering",
|
||||
"T1250": "Determine domain and IP address space",
|
||||
"T1251": "Obtain domain/IP registration information",
|
||||
"T1252": "Map network topology",
|
||||
"T1253": "Conduct passive scanning",
|
||||
"T1254": "Conduct active scanning",
|
||||
"T1255": "Discover target logon/email address format",
|
||||
"T1256": "Identify web defensive services",
|
||||
"T1257": "Mine technical blogs/forums",
|
||||
"T1258": "Determine firmware version",
|
||||
"T1259": "Determine external network trust dependencies",
|
||||
"T1260": "Determine 3rd party infrastructure services",
|
||||
"T1261": "Enumerate externally facing software applications technologies, languages, and dependencies",
|
||||
"T1262": "Enumerate client configurations",
|
||||
"T1263": "Identify security defensive capabilities",
|
||||
"T1264": "Identify technology usage patterns",
|
||||
"T1265": "Identify supply chains",
|
||||
"T1266": "Acquire OSINT data sets and information",
|
||||
"T1267": "Identify job postings and needs/gaps",
|
||||
"T1268": "Conduct social engineering",
|
||||
"T1269": "Identify people of interest",
|
||||
"T1270": "Identify groups/roles",
|
||||
"T1271": "Identify personnel with an authority/privilege",
|
||||
"T1272": "Identify business relationships",
|
||||
"T1273": "Mine social media",
|
||||
"T1274": "Identify sensitive personnel information",
|
||||
"T1275": "Aggregate individual's digital footprint",
|
||||
"T1276": "Identify supply chains",
|
||||
"T1277": "Acquire OSINT data sets and information",
|
||||
"T1278": "Identify job postings and needs/gaps",
|
||||
"T1279": "Conduct social engineering",
|
||||
"T1280": "Identify business processes/tempo",
|
||||
"T1281": "Obtain templates/branding materials",
|
||||
"T1282": "Determine physical locations",
|
||||
"T1283": "Identify business relationships",
|
||||
"T1284": "Determine 3rd party infrastructure services",
|
||||
"T1285": "Determine centralization of IT management",
|
||||
"T1286": "Dumpster dive",
|
||||
"T1287": "Analyze data collected",
|
||||
"T1288": "Analyze architecture and configuration posture",
|
||||
"T1289": "Analyze organizational skillsets and deficiencies",
|
||||
"T1290": "Research visibility gap of security vendors",
|
||||
"T1291": "Research relevant vulnerabilities/CVEs",
|
||||
"T1292": "Test signature detection",
|
||||
"T1293": "Analyze application security posture",
|
||||
"T1294": "Analyze hardware/software security defensive capabilities",
|
||||
"T1295": "Analyze social and business relationships, interests, and affiliations",
|
||||
"T1296": "Assess targeting options",
|
||||
"T1297": "Analyze organizational skillsets and deficiencies",
|
||||
"T1298": "Assess vulnerability of 3rd party vendors",
|
||||
"T1299": "Assess opportunities created by business deals",
|
||||
"T1300": "Analyze organizational skillsets and deficiencies",
|
||||
"T1301": "Analyze business processes",
|
||||
"T1302": "Assess security posture of physical locations",
|
||||
"T1303": "Analyze presence of outsourced capabilities",
|
||||
"T1304": "Proxy/protocol relays",
|
||||
"T1305": "Private whois services",
|
||||
"T1306": "Anonymity services",
|
||||
"T1307": "Acquire and/or use 3rd party infrastructure services",
|
||||
"T1308": "Acquire and/or use 3rd party software services",
|
||||
"T1309": "Obfuscate infrastructure",
|
||||
"T1310": "Acquire or compromise 3rd party signing certificates",
|
||||
"T1311": "Dynamic DNS",
|
||||
"T1312": "Compromise 3rd party infrastructure to support delivery",
|
||||
"T1313": "Obfuscation or cryptography",
|
||||
"T1314": "Host-based hiding techniques",
|
||||
"T1315": "Network-based hiding techniques",
|
||||
"T1316": "Non-traditional or less attributable payment options",
|
||||
"T1317": "Secure and protect infrastructure",
|
||||
"T1318": "Obfuscate operational infrastructure",
|
||||
"T1319": "Obfuscate or encrypt code",
|
||||
"T1320": "Data Hiding",
|
||||
"T1321": "Common, high volume protocols and software",
|
||||
"T1322": "Misattributable credentials",
|
||||
"T1326": "Domain registration hijacking",
|
||||
"T1327": "Use multiple DNS infrastructures",
|
||||
"T1328": "Buy domain name",
|
||||
"T1329": "Acquire and/or use 3rd party infrastructure services",
|
||||
"T1330": "Acquire and/or use 3rd party software services",
|
||||
"T1331": "Obfuscate infrastructure",
|
||||
"T1332": "Acquire or compromise 3rd party signing certificates",
|
||||
"T1333": "Dynamic DNS",
|
||||
"T1334": "Compromise 3rd party infrastructure to support delivery",
|
||||
"T1335": "Procure required equipment and software",
|
||||
"T1336": "Install and configure hardware, network, and systems",
|
||||
"T1337": "SSL certificate acquisition for domain",
|
||||
"T1338": "SSL certificate acquisition for trust breaking",
|
||||
"T1339": "Create backup infrastructure",
|
||||
"T1340": "Shadow DNS",
|
||||
"T1341": "Build social network persona",
|
||||
"T1342": "Develop social network persona digital footprint",
|
||||
"T1343": "Choose pre-compromised persona and affiliated accounts",
|
||||
"T1344": "Friend/Follow/Connect to targets of interest",
|
||||
"T1345": "Create custom payloads",
|
||||
"T1346": "Obtain/re-use payloads",
|
||||
"T1347": "Build and configure delivery systems",
|
||||
"T1348": "Identify resources required to build capabilities",
|
||||
"T1349": "Build or acquire exploits",
|
||||
"T1350": "Discover new exploits and monitor exploit-provider forums",
|
||||
"T1351": "Remote access tool development",
|
||||
"T1352": "C2 protocol development",
|
||||
"T1353": "Post compromise tool development",
|
||||
"T1354": "Compromise 3rd party or closed-source vulnerability/exploit information",
|
||||
"T1355": "Create infected removable media",
|
||||
"T1356": "Test callback functionality",
|
||||
"T1357": "Test malware in various execution environments",
|
||||
"T1358": "Review logs and residual traces",
|
||||
"T1359": "Test malware to evade detection",
|
||||
"T1360": "Test physical access",
|
||||
"T1361": "Test signature detection for file upload/email filters",
|
||||
"T1362": "Upload, install, and configure software/tools",
|
||||
"T1363": "Port redirector",
|
||||
"T1364": "Friend/Follow/Connect to targets of interest",
|
||||
"T1365": "Hardware or software supply chain implant",
|
||||
"T1379": "Disseminate removable media",
|
||||
"T1389": "Identify vulnerabilities in third-party software libraries",
|
||||
"T1390": "OS-vendor provided communication channels",
|
||||
"T1391": "Choose pre-compromised mobile app developer account credentials or signing keys",
|
||||
"T1392": "Obtain Apple iOS enterprise distribution key pair and certificate",
|
||||
"T1393": "Test ability to evade automated mobile application security analysis performed by app stores",
|
||||
"T1394": "Distribute malicious software development tools",
|
||||
"T1396": "Obtain booter/stressor subscription",
|
||||
"T1397": "Spearphishing for Information",
|
||||
"T1398": "Modify OS Kernel or Boot Partition",
|
||||
"T1399": "Modify Trusted Execution Environment",
|
||||
"T1400": "Modify System Partition",
|
||||
"T1401": "Abuse Device Administrator Access to Prevent Removal",
|
||||
"T1402": "Broadcast Receivers",
|
||||
"T1403": "Modify Cached Executable Code",
|
||||
"T1404": "Exploit OS Vulnerability",
|
||||
"T1405": "Exploit TEE Vulnerability",
|
||||
"T1406": "Obfuscated Files or Information",
|
||||
"T1407": "Download New Code at Runtime",
|
||||
"T1408": "Disguise Root/Jailbreak Indicators",
|
||||
"T1409": "Access Stored Application Data",
|
||||
"T1410": "Network Traffic Capture or Redirection",
|
||||
"T1411": "Input Prompt",
|
||||
"T1412": "Capture SMS Messages",
|
||||
"T1413": "Access Sensitive Data in Device Logs",
|
||||
"T1414": "Capture Clipboard Data",
|
||||
"T1415": "URL Scheme Hijacking",
|
||||
"T1416": "Android Intent Hijacking",
|
||||
"T1417": "Input Capture",
|
||||
"T1418": "Application Discovery",
|
||||
"T1420": "File and Directory Discovery",
|
||||
"T1421": "System Network Connections Discovery",
|
||||
"T1422": "System Network Configuration Discovery",
|
||||
"T1423": "Network Service Scanning",
|
||||
"T1424": "Process Discovery",
|
||||
"T1426": "System Information Discovery",
|
||||
"T1427": "Attack PC via USB Connection",
|
||||
"T1428": "Exploit Enterprise Resources",
|
||||
"T1429": "Capture Audio",
|
||||
"T1430": "Location Tracking",
|
||||
"T1432": "Access Contact List",
|
||||
"T1433": "Access Call Log",
|
||||
"T1435": "Access Calendar Entries",
|
||||
"T1436": "Commonly Used Port",
|
||||
"T1437": "Standard Application Layer Protocol",
|
||||
"T1438": "Alternate Network Mediums",
|
||||
"T1439": "Eavesdrop on Insecure Network Communication",
|
||||
"T1444": "Masquerade as Legitimate Application",
|
||||
"T1446": "Device Lockout",
|
||||
"T1447": "Delete Device Data",
|
||||
"T1448": "Carrier Billing Fraud",
|
||||
"T1449": "Exploit SS7 to Redirect Phone Calls/SMS",
|
||||
"T1450": "Exploit SS7 to Track Device Location",
|
||||
"T1451": "SIM Card Swap",
|
||||
"T1452": "Manipulate App Store Rankings or Ratings",
|
||||
"T1456": "Drive-by Compromise",
|
||||
"T1458": "Exploit via Charging Station or PC",
|
||||
"T1461": "Lockscreen Bypass",
|
||||
"T1463": "Manipulate Device Communication",
|
||||
"T1464": "Jamming or Denial of Service",
|
||||
"T1465": "Rogue Wi-Fi Access Points",
|
||||
"T1466": "Downgrade to Insecure Protocols",
|
||||
"T1467": "Rogue Cellular Base Station",
|
||||
"T1468": "Remotely Track Device Without Authorization",
|
||||
"T1469": "Remotely Wipe Data Without Authorization",
|
||||
"T1470": "Obtain Device Cloud Backups",
|
||||
"T1471": "Data Encrypted for Impact",
|
||||
"T1472": "Generate Fraudulent Advertising Revenue",
|
||||
"T1474": "Supply Chain Compromise",
|
||||
"T1475": "Deliver Malicious App via Authorized App Store",
|
||||
"T1476": "Deliver Malicious App via Other Means",
|
||||
"T1477": "Exploit via Radio Interfaces",
|
||||
"T1478": "Install Insecure or Malicious Configuration",
|
||||
"T1480": "Execution Guardrails",
|
||||
"T1480.001": "Execution Guardrails : Environmental Keying",
|
||||
"T1481": "Web Service",
|
||||
"T1482": "Domain Trust Discovery",
|
||||
"T1484": "Group Policy Modification",
|
||||
"T1485": "Data Destruction",
|
||||
"T1486": "Data Encrypted for Impact",
|
||||
"T1489": "Service Stop",
|
||||
"T1490": "Inhibit System Recovery",
|
||||
"T1491": "Defacement",
|
||||
"T1491.001": "Defacement : Internal Defacement",
|
||||
"T1491.002": "Defacement : External Defacement",
|
||||
"T1495": "Firmware Corruption",
|
||||
"T1496": "Resource Hijacking",
|
||||
"T1497": "Virtualization/Sandbox Evasion",
|
||||
"T1497.001": "Virtualization/Sandbox Evasion : System Checks",
|
||||
"T1497.002": "Virtualization/Sandbox Evasion : User Activity Based Checks",
|
||||
"T1497.003": "Virtualization/Sandbox Evasion : Time Based Evasion",
|
||||
"T1498": "Network Denial of Service",
|
||||
"T1498.001": "Network Denial of Service : Direct Network Flood",
|
||||
"T1498.002": "Network Denial of Service : Reflection Amplification",
|
||||
"T1499": "Endpoint Denial of Service",
|
||||
"T1499.001": "Endpoint Denial of Service : OS Exhaustion Flood",
|
||||
"T1499.002": "Endpoint Denial of Service : Service Exhaustion Flood",
|
||||
"T1499.003": "Endpoint Denial of Service : Application Exhaustion Flood",
|
||||
"T1499.004": "Endpoint Denial of Service : Application or System Exploitation",
|
||||
"T1505": "Server Software Component",
|
||||
"T1505.001": "Server Software Component : SQL Stored Procedures",
|
||||
"T1505.002": "Server Software Component : Transport Agent",
|
||||
"T1505.003": "Server Software Component : Web Shell",
|
||||
"T1507": "Network Information Discovery",
|
||||
"T1508": "Suppress Application Icon",
|
||||
"T1509": "Uncommonly Used Port",
|
||||
"T1510": "Clipboard Modification",
|
||||
"T1512": "Capture Camera",
|
||||
"T1513": "Screen Capture",
|
||||
"T1516": "Input Injection",
|
||||
"T1517": "Access Notifications",
|
||||
"T1518": "Software Discovery",
|
||||
"T1518.001": "Software Discovery : Security Software Discovery",
|
||||
"T1520": "Domain Generation Algorithms",
|
||||
"T1521": "Standard Cryptographic Protocol",
|
||||
"T1523": "Evade Analysis Environment",
|
||||
"T1525": "Implant Container Image",
|
||||
"T1526": "Cloud Service Discovery",
|
||||
"T1528": "Steal Application Access Token",
|
||||
"T1529": "System Shutdown/Reboot",
|
||||
"T1530": "Data from Cloud Storage Object",
|
||||
"T1531": "Account Access Removal",
|
||||
"T1532": "Data Encrypted",
|
||||
"T1533": "Data from Local System",
|
||||
"T1534": "Internal Spearphishing",
|
||||
"T1535": "Unused/Unsupported Cloud Regions",
|
||||
"T1537": "Transfer Data to Cloud Account",
|
||||
"T1538": "Cloud Service Dashboard",
|
||||
"T1539": "Steal Web Session Cookie",
|
||||
"T1540": "Code Injection",
|
||||
"T1541": "Foreground Persistence",
|
||||
"T1542": "Pre-OS Boot",
|
||||
"T1542.001": "Pre-OS Boot : System Firmware",
|
||||
"T1542.002": "Pre-OS Boot : Component Firmware",
|
||||
"T1542.003": "Pre-OS Boot : Bootkit",
|
||||
"T1543": "Create or Modify System Process",
|
||||
"T1543.001": "Create or Modify System Process : Launch Agent",
|
||||
"T1543.002": "Create or Modify System Process : Systemd Service",
|
||||
"T1543.003": "Create or Modify System Process : Windows Service",
|
||||
"T1543.004": "Create or Modify System Process : Launch Daemon",
|
||||
"T1544": "Remote File Copy",
|
||||
"T1546": "Event Triggered Execution",
|
||||
"T1546.001": "Event Triggered Execution : Change Default File Association",
|
||||
"T1546.002": "Event Triggered Execution : Screensaver",
|
||||
"T1546.003": "Event Triggered Execution : Windows Management Instrumentation Event Subscription",
|
||||
"T1546.004": "Event Triggered Execution : .bash_profile and .bashrc",
|
||||
"T1546.005": "Event Triggered Execution : Trap",
|
||||
"T1546.006": "Event Triggered Execution : LC_LOAD_DYLIB Addition",
|
||||
"T1546.007": "Event Triggered Execution : Netsh Helper DLL",
|
||||
"T1546.008": "Event Triggered Execution : Accessibility Features",
|
||||
"T1546.009": "Event Triggered Execution : AppCert DLLs",
|
||||
"T1546.010": "Event Triggered Execution : AppInit DLLs",
|
||||
"T1546.011": "Event Triggered Execution : Application Shimming",
|
||||
"T1546.012": "Event Triggered Execution : Image File Execution Options Injection",
|
||||
"T1546.013": "Event Triggered Execution : PowerShell Profile",
|
||||
"T1546.014": "Event Triggered Execution : Emond",
|
||||
"T1546.015": "Event Triggered Execution : Component Object Model Hijacking",
|
||||
"T1547": "Boot or Logon Autostart Execution",
|
||||
"T1547.001": "Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder",
|
||||
"T1547.002": "Boot or Logon Autostart Execution : Authentication Package",
|
||||
"T1547.003": "Boot or Logon Autostart Execution : Time Providers",
|
||||
"T1547.004": "Boot or Logon Autostart Execution : Winlogon Helper DLL",
|
||||
"T1547.005": "Boot or Logon Autostart Execution : Security Support Provider",
|
||||
"T1547.006": "Boot or Logon Autostart Execution : Kernel Modules and Extensions",
|
||||
"T1547.007": "Boot or Logon Autostart Execution : Re-opened Applications",
|
||||
"T1547.008": "Boot or Logon Autostart Execution : LSASS Driver",
|
||||
"T1547.009": "Boot or Logon Autostart Execution : Shortcut Modification",
|
||||
"T1547.010": "Boot or Logon Autostart Execution : Port Monitors",
|
||||
"T1547.011": "Boot or Logon Autostart Execution : Plist Modification",
|
||||
"T1548": "Abuse Elevation Control Mechanism",
|
||||
"T1548.001": "Abuse Elevation Control Mechanism : Setuid and Setgid",
|
||||
"T1548.002": "Abuse Elevation Control Mechanism : Bypass User Access Control",
|
||||
"T1548.003": "Abuse Elevation Control Mechanism : Sudo and Sudo Caching",
|
||||
"T1548.004": "Abuse Elevation Control Mechanism : Elevated Execution with Prompt",
|
||||
"T1550": "Use Alternate Authentication Material",
|
||||
"T1550.001": "Use Alternate Authentication Material : Application Access Token",
|
||||
"T1550.002": "Use Alternate Authentication Material : Pass the Hash",
|
||||
"T1550.003": "Use Alternate Authentication Material : Pass the Ticket",
|
||||
"T1550.004": "Use Alternate Authentication Material : Web Session Cookie",
|
||||
"T1552": "Unsecured Credentials",
|
||||
"T1552.001": "Unsecured Credentials : Credentials In Files",
|
||||
"T1552.002": "Unsecured Credentials : Credentials in Registry",
|
||||
"T1552.003": "Unsecured Credentials : Bash History",
|
||||
"T1552.004": "Unsecured Credentials : Private Keys",
|
||||
"T1552.005": "Unsecured Credentials : Cloud Instance Metadata API",
|
||||
"T1552.006": "Unsecured Credentials : Group Policy Preferences",
|
||||
"T1553": "Subvert Trust Controls",
|
||||
"T1553.001": "Subvert Trust Controls : Gatekeeper Bypass",
|
||||
"T1553.002": "Subvert Trust Controls : Code Signing",
|
||||
"T1553.003": "Subvert Trust Controls : SIP and Trust Provider Hijacking",
|
||||
"T1553.004": "Subvert Trust Controls : Install Root Certificate",
|
||||
"T1554": "Compromise Client Software Binary",
|
||||
"T1555": "Credentials from Password Stores",
|
||||
"T1555.001": "Credentials from Password Stores : Keychain",
|
||||
"T1555.002": "Credentials from Password Stores : Securityd Memory",
|
||||
"T1555.003": "Credentials from Password Stores : Credentials from Web Browsers",
|
||||
"T1556": "Modify Authentication Process",
|
||||
"T1556.001": "Modify Authentication Process : Domain Controller Authentication",
|
||||
"T1556.002": "Modify Authentication Process : Password Filter DLL",
|
||||
"T1556.003": "Modify Authentication Process : Pluggable Authentication Modules",
|
||||
"T1557": "Man-in-the-Middle",
|
||||
"T1557.001": "Man-in-the-Middle : LLMNR/NBT-NS Poisoning and SMB Relay",
|
||||
"T1558": "Steal or Forge Kerberos Tickets",
|
||||
"T1558.001": "Steal or Forge Kerberos Tickets : Golden Ticket",
|
||||
"T1558.002": "Steal or Forge Kerberos Tickets : Silver Ticket",
|
||||
"T1558.003": "Steal or Forge Kerberos Tickets : Kerberoasting",
|
||||
"T1559": "Inter-Process Communication",
|
||||
"T1559.001": "Inter-Process Communication : Component Object Model",
|
||||
"T1559.002": "Inter-Process Communication : Dynamic Data Exchange",
|
||||
"T1560": "Archive Collected Data",
|
||||
"T1560.001": "Archive Collected Data : Archive via Utility",
|
||||
"T1560.002": "Archive Collected Data : Archive via Library",
|
||||
"T1560.003": "Archive Collected Data : Archive via Custom Method",
|
||||
"T1561": "Disk Wipe",
|
||||
"T1561.001": "Disk Wipe : Disk Content Wipe",
|
||||
"T1561.002": "Disk Wipe : Disk Structure Wipe",
|
||||
"T1562": "Impair Defenses",
|
||||
"T1562.001": "Impair Defenses : Disable or Modify Tools",
|
||||
"T1562.002": "Impair Defenses : Disable Windows Event Logging",
|
||||
"T1562.003": "Impair Defenses : HISTCONTROL",
|
||||
"T1562.004": "Impair Defenses : Disable or Modify System Firewall",
|
||||
"T1562.006": "Impair Defenses : Indicator Blocking",
|
||||
"T1562.007": "Impair Defenses : Disable or Modify Cloud Firewall",
|
||||
"T1563": "Remote Service Session Hijacking",
|
||||
"T1563.001": "Remote Service Session Hijacking : SSH Hijacking",
|
||||
"T1563.002": "Remote Service Session Hijacking : RDP Hijacking",
|
||||
"T1564": "Hide Artifacts",
|
||||
"T1564.001": "Hide Artifacts : Hidden Files and Directories",
|
||||
"T1564.002": "Hide Artifacts : Hidden Users",
|
||||
"T1564.003": "Hide Artifacts : Hidden Window",
|
||||
"T1564.004": "Hide Artifacts : NTFS File Attributes",
|
||||
"T1564.005": "Hide Artifacts : Hidden File System",
|
||||
"T1564.006": "Hide Artifacts : Run Virtual Instance",
|
||||
"T1565": "Data Manipulation",
|
||||
"T1565.001": "Data Manipulation : Stored Data Manipulation",
|
||||
"T1565.002": "Data Manipulation : Transmitted Data Manipulation",
|
||||
"T1565.003": "Data Manipulation : Runtime Data Manipulation",
|
||||
"T1566": "Phishing",
|
||||
"T1566.001": "Phishing : Spearphishing Attachment",
|
||||
"T1566.002": "Phishing : Spearphishing Link",
|
||||
"T1566.003": "Phishing : Spearphishing via Service",
|
||||
"T1567": "Exfiltration Over Web Service",
|
||||
"T1567.001": "Exfiltration Over Web Service : Exfiltration to Code Repository",
|
||||
"T1567.002": "Exfiltration Over Web Service : Exfiltration to Cloud Storage",
|
||||
"T1568": "Dynamic Resolution",
|
||||
"T1568.001": "Dynamic Resolution : Fast Flux DNS",
|
||||
"T1568.002": "Dynamic Resolution : Domain Generation Algorithms",
|
||||
"T1568.003": "Dynamic Resolution : DNS Calculation",
|
||||
"T1569": "System Services",
|
||||
"T1569.001": "System Services : Launchctl",
|
||||
"T1569.002": "System Services : Service Execution",
|
||||
"T1570": "Lateral Tool Transfer",
|
||||
"T1571": "Non-Standard Port",
|
||||
"T1572": "Protocol Tunneling",
|
||||
"T1573": "Encrypted Channel",
|
||||
"T1573.001": "Encrypted Channel : Symmetric Cryptography",
|
||||
"T1573.002": "Encrypted Channel : Asymmetric Cryptography",
|
||||
"T1574": "Hijack Execution Flow",
|
||||
"T1574.001": "Hijack Execution Flow : DLL Search Order Hijacking",
|
||||
"T1574.002": "Hijack Execution Flow : DLL Side-Loading",
|
||||
"T1574.004": "Hijack Execution Flow : Dylib Hijacking",
|
||||
"T1574.005": "Hijack Execution Flow : Executable Installer File Permissions Weakness",
|
||||
"T1574.006": "Hijack Execution Flow : LD_PRELOAD",
|
||||
"T1574.007": "Hijack Execution Flow : Path Interception by PATH Environment Variable",
|
||||
"T1574.008": "Hijack Execution Flow : Path Interception by Search Order Hijacking",
|
||||
"T1574.009": "Hijack Execution Flow : Path Interception by Unquoted Path",
|
||||
"T1574.010": "Hijack Execution Flow : Services File Permissions Weakness",
|
||||
"T1574.011": "Hijack Execution Flow : Services Registry Permissions Weakness",
|
||||
"T1574.012": "Hijack Execution Flow : COR_PROFILER",
|
||||
"T1575": "Native Code",
|
||||
"T1576": "Uninstall Malicious Application",
|
||||
"T1577": "Compromise Application Executable",
|
||||
"T1578": "Modify Cloud Compute Infrastructure",
|
||||
"T1578.001": "Modify Cloud Compute Infrastructure : Create Snapshot",
|
||||
"T1578.002": "Modify Cloud Compute Infrastructure : Create Cloud Instance",
|
||||
"T1578.003": "Modify Cloud Compute Infrastructure : Delete Cloud Instance",
|
||||
"T1578.004": "Modify Cloud Compute Infrastructure : Revert Cloud Instance",
|
||||
"T1579": "Keychain"
|
||||
}
|
||||
mi_mapping = {
|
||||
"M1036": "Account Use Policies",
|
||||
|
@ -146,7 +146,7 @@ class DetectionRule:
|
||||
tactic = []
|
||||
tactic_re = re.compile(r'attack\.\w\D+$')
|
||||
technique = []
|
||||
technique_re = re.compile(r'attack\.t\d{1,5}$')
|
||||
technique_re = re.compile(r'(?:attack\.t\d{4}$|attack\.t\d{4}\.\d{3}$)')
|
||||
# AM!TT Tactics and Techniques
|
||||
amitt_tactic = []
|
||||
amitt_tactic_re = re.compile(r'amitt\.\w\D+$')
|
||||
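Review bot: The new `technique_re` spells the technique prefix twice in an alternation; `attack\.t\d{4}(?:\.\d{3})?$` matches exactly the same tags and reads as "technique, optionally followed by a sub-technique suffix". The pattern is also still unanchored at the start, so if it is applied with `re.search` rather than `re.match`/`fullmatch` (the call site is outside this hunk, so this is inferred) a tag with an arbitrary prefix before `attack.t` would be accepted. Replacing `\d{1,5}` with exactly four digits is a silent tightening that deserves a comment, e.g. `# ATT&CK technique tags: attack.tNNNN, or sub-technique attack.tNNNN.NNN`, since any previously tolerated non-standard tag will now be dropped from the technique list without warning. The enclosing `DetectionRule` class continues outside this hunk.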
|