Defense Evasion

The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Techniques: 42

ID Name Description
T1548 Abuse Elevation Control Mechanism Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
.001 Setuid and Setgid An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user's context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user's context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
.002 Bypass User Account Control Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt, or allowing them to enter an administrator password to complete the action.
.003 Sudo and Sudo Caching Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
.004 Elevated Execution with Prompt Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.
T1134 Access Token Manipulation Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
.001 Token Impersonation/Theft Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged-on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
.002 Create Process with Token Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.
.003 Make and Impersonate Token Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token, and the adversary can use SetThreadToken to assign the token to a thread.
.004 Parent PID Spoofing Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.
.005 SID-History Injection Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
T1197 BITS Jobs Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
T1612 Build Image on Host Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.
T1622 Debugger Evasion Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
T1140 Deobfuscate/Decode Files or Information Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
T1610 Deploy Container Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.
T1006 Direct Volume Access Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools.
T1484 Domain Policy Modification Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.
.001 Group Policy Modification Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path \<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.
.002 Domain Trust Modification Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.
T1480 Execution Guardrails Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary's campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.
.001 Environmental Keying Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.
T1211 Exploitation for Defense Evasion Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent it.
T1222 File and Directory Permissions Modification Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
.001 Windows File and Directory Permissions Modification Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
.002 Linux and Mac File and Directory Permissions Modification Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
T1564 Hide Artifacts Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
.001 Hidden Files and Directories Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a "hidden" file. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS).
.002 Hidden Users Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
.003 Hidden Window Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
.004 NTFS File Attributes Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).
.005 Hidden File System Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.
.006 Run Virtual Instance Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.
.007 VBA Stomping Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.
.008 Email Hiding Rules Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.
.009 Resource Forking Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Usage of a resource fork is identifiable when displaying a file's extended attributes using the ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top-level directory of an application bundle, while localized resources are placed in the /Resources folder.
.010 Process Argument Spoofing Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.
T1574 Hijack Execution Flow Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
.001 DLL Search Order Hijacking Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
.002 DLL Side-Loading Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
.004 Dylib Hijacking Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
.005 Executable Installer File Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
.006 Dynamic Linker Hijacking Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.
.007 Path Interception by PATH Environment Variable Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
.008 Path Interception by Search Order Hijacking Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
.009 Path Interception by Unquoted Path Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher-level directory within the path, so that Windows will choose the adversary's executable to launch.
.010 Services File Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
.011 Services Registry Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions.
.012 COR_PROFILER Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
.013 KernelCallbackTable Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.
T1562 Impair Defenses Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
.001 Disable or Modify Tools Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
.002 Disable Windows Event Logging Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections.
.003 Impair Command History Logging Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
.004 Disable or Modify System Firewall Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done in numerous ways depending on the operating system, including via command line, editing Windows Registry keys, and the Windows Control Panel.
.006 Indicator Blocking An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry, as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.
.007 Disable or Modify Cloud Firewall Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from the system firewalls described in Disable or Modify System Firewall.
.008 Disable Cloud Logs An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.
.009 Safe Mode Boot Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.
.010 Downgrade Attack Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to impair defenses while running malicious scripts that may otherwise have been detected.
.011 Spoof Security Alerting Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders' awareness of malicious activity. Messages produced by defensive tools contain information about potential security events as well as the functionality status of security software and the system. Security reporting messages are important for monitoring the normal operation of systems and identifying important events that can signal a security incident.
T1070 Indicator Removal Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary's actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
.001 Clear Windows Event Logs Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
.002 Clear Linux or Mac System Logs Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:
.003 Clear Command History In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
.004 File Deletion Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
.005 Network Share Connection Removal Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \system\share /delete command.
.006 Timestomp Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
.007 Clear Network Connection History and Configurations Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
.008 Clear Mailbox Data Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
.009 Clear Persistence Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence. Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).
T1202 Indirect Command Execution Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.
T1036 Masquerading Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
.001 Invalid Code Signature Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
.002 Right-to-Left Override Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.
.003 Rename System Utilities Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: renaming rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.
.004 Masquerade Task or Service Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
.005 Match Legitimate Name or Location Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may almost perfectly resemble legitimate programs/images or something benign.
.006 Space after Filename Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
.007 Double File Extension Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies.
.008 Masquerade File Type Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. For example, the header for a JPEG file is 0xFF 0xD8 and the file extension is either .JPE, .JPEG, or .JPG.
T1556 Modify Authentication Process Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, which are responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
.001 Domain Controller Authentication Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
.002 Password Filter DLL Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
.003 Pluggable Authentication Modules Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.
.004 Network Device Authentication Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices.
.005 Reversible Encryption An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.
.006 Multi-Factor Authentication Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
.007 Hybrid Identity Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
.008 Network Provider DLL Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notified that a logon event is occurring.
T1578 Modify Cloud Compute Infrastructure An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
.001 Create Snapshot An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance, where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
.002 Create Cloud Instance An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may create a snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect data from the local system or for remote data staging.
.003 Delete Cloud Instance An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
.004 Revert Cloud Instance An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
T1112 Modify Registry Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
T1601 Modify System Image Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
.001 Patch System Image Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.
.002 Downgrade System Image Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features.
T1599 Network Boundary Bridging Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
.001 Network Address Translation Traversal Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
T1027 Obfuscated Files or Information Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
.001 Binary Padding Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
.002 Software Packing Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
.003 Steganography Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
.004 Compile After Delivery Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.
.005 Indicator Removal from Tools Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
.006 HTML Smuggling Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline in HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.
.007 Dynamic API Resolution Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
.008 Stripped Payloads Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human-readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system's linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.
.009 Embedded Payloads Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.
.010 Command Obfuscation Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.
.011 Fileless Storage Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.
T1647 Plist File Modification Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.
T1542 Pre-OS Boot Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.
.001 System Firmware Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.
.002 Component Firmware Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
.003 Bootkit Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
.004 ROMMONkit Adversaries may abuse the ROM Monitor (ROMMON) by loading unauthorized firmware with adversary code to provide persistent access and manipulate device behavior in a way that is difficult to detect.
.005 TFTP Boot Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netboot) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
T1055 Process Injection Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
.001 Dynamic-link Library Injection Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
.002 Portable Executable Injection Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
.003 Thread Execution Hijacking Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
.004 Asynchronous Procedure Call Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
.005 Thread Local Storage Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
.008 Ptrace System Calls Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.
.009 Proc Memory Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.
.011 Extra Window Memory Injection Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
.012 Process Hollowing Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
.013 Process Doppelgänging Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
.014 VDSO Hijacking Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
.015 ListPlanting Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
T1620 Reflective Code Loading Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, rather than creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).
T1207 Rogue Domain Controller Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
T1014 Rootkit Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
T1553 Subvert Trust Controls Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
.001 Gatekeeper Bypass Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple's security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, etc. Gatekeeper also treats applications running for the first time differently than reopened applications.
.002 Code Signing Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.
.003 SIP and Trust Provider Hijacking Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature.
.004 Install Root Certificate Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted, an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
.005 Mark-of-the-Web Bypass Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW. Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting with MS Office 10, if an MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen, which compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.
.006 Code Signing Policy Modification Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.
T1218 System Binary Proxy Execution Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft-signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
.001 Compiled HTML File Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).
.002 Control Panel Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
.003 CMSTP Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
.004 InstallUtil Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.
.005 Mshta Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.
.007 Msiexec Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). The Msiexec.exe binary may also be digitally signed by Microsoft.
.008 Odbcconf Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. The Odbcconf.exe binary may be digitally signed by Microsoft.
.009 Regsvcs/Regasm Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft.
.010 Regsvr32 Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
.011 Rundll32 Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, rather than executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).
.012 Verclsid Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before it is used by Windows Explorer or the Windows Shell.
.013 Mavinject Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).
.014 MMC Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt. MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft-created .msc files to manage system configuration.
T1216 System Script Proxy Execution Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.
.001 PubPrn Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.
T1221 Template Injection Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together as archives made up of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.
T1205 Traffic Signaling Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
.001 Port Knocking Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software.
.002 Socket Filters Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
T1127 Trusted Developer Utilities Proxy Execution Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
.001 MSBuild Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML-formatted project files that define requirements for loading and building various platforms and configurations.
T1535 Unused/Unsupported Cloud Regions Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.
T1550 Use Alternate Authentication Material Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
.001 Application Access Token Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
.002 Pass the Hash Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
.003 Pass the Ticket Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
.004 Web Session Cookie Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.
T1078 Valid Accounts Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
.001 Default Accounts Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.
.002 Domain Accounts Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
.003 Local Accounts Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
.004 Cloud Accounts Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with a traditional identity management system, such as Windows Active Directory.
T1497 Virtualization/Sandbox Evasion Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
.001 System Checks Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
.002 User Activity Based Checks Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
.003 Time Based Evasion Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
T1600 Weaken Encryption Adversaries may compromise a network device's encryption capability in order to bypass encryption that would otherwise protect data communications.
.001 Reduce Key Space Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.
.002 Disable Crypto Hardware Adversaries disable a network device's dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
T1220 XSL Script Processing Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages.

The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Techniques: 42

ID Name Description
T1548 Abuse Elevation Control Mechanism Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
.001 Setuid and Setgid An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
.002 Bypass User Account Control Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
.003 Sudo and Sudo Caching Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
.004 Elevated Execution with Prompt Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.
T1134 Access Token Manipulation Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
.001 Token Impersonation/Theft Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
.002 Create Process with Token Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.
.003 Make and Impersonate Token Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.
.004 Parent PID Spoofing Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.
.005 SID-History Injection Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
T1197 BITS Jobs Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
T1612 Build Image on Host Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.
T1622 Debugger Evasion Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
T1140 Deobfuscate/Decode Files or Information Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
T1610 Deploy Container Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.
T1006 Direct Volume Access Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools.
T1484 Domain Policy Modification Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.
.001 Group Policy Modification Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable UNC network path \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.
.002 Domain Trust Modification Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.
T1480 Execution Guardrails Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary's campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.
.001 Environmental Keying Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.
T1211 Exploitation for Defense Evasion Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
T1222 File and Directory Permissions Modification Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
.001 Windows File and Directory Permissions Modification Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
.002 Linux and Mac File and Directory Permissions Modification Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
T1564 Hide Artifacts Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
.001 Hidden Files and Directories Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a 'hidden' file. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS).
.002 Hidden Users Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
.003 Hidden Window Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
.004 NTFS File Attributes Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).
.005 Hidden File System Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.
.006 Run Virtual Instance Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.
.007 VBA Stomping Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.
.008 Email Hiding Rules Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.
.009 Resource Forking Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.
.010 Process Argument Spoofing Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.
T1574 Hijack Execution Flow Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
.001 DLL Search Order Hijacking Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
.002 DLL Side-Loading Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
.004 Dylib Hijacking Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
.005 Executable Installer File Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
.006 Dynamic Linker Hijacking Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.
.007 Path Interception by PATH Environment Variable Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
.008 Path Interception by Search Order Hijacking Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
.009 Path Interception by Unquoted Path Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
.010 Services File Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
.011 Services Registry Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions.
.012 COR_PROFILER Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
.013 KernelCallbackTable Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.
T1562 Impair Defenses Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
.001 Disable or Modify Tools Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
.002 Disable Windows Event Logging Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections.
.003 Impair Command History Logging Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
.004 Disable or Modify System Firewall Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
.006 Indicator Blocking An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.
.007 Disable or Modify Cloud Firewall Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.
.008 Disable Cloud Logs An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.
.009 Safe Mode Boot Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.
.010 Downgrade Attack Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.
.011 Spoof Security Alerting Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity. Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
T1070 Indicator Removal Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
.001 Clear Windows Event Logs Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
.002 Clear Linux or Mac System Logs Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:
.003 Clear Command History In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
.004 File Deletion Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
.005 Network Share Connection Removal Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command.
.006 Timestomp Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
.007 Clear Network Connection History and Configurations Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
.008 Clear Mailbox Data Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
.009 Clear Persistence Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence. Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).
T1202 Indirect Command Execution Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.
T1036 Masquerading Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
.001 Invalid Code Signature Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
.002 Right-to-Left Override Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.
.003 Rename System Utilities Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.
.004 Masquerade Task or Service Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
.005 Match Legitimate Name or Location Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
.006 Space after Filename Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
.007 Double File Extension Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.
.008 Masquerade File Type Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file is 0xFF 0xD8 and the file extension is either .JPE, .JPEG or .JPG.
T1556 Modify Authentication Process Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
.001 Domain Controller Authentication Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
.002 Password Filter DLL Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
.003 Pluggable Authentication Modules Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.
.004 Network Device Authentication Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices.
.005 Reversible Encryption An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.
.006 Multi-Factor Authentication Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
.007 Hybrid Identity Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
.008 Network Provider DLL Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.
T1578 Modify Cloud Compute Infrastructure An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
.001 Create Snapshot An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
.002 Create Cloud Instance An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.
.003 Delete Cloud Instance An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
.004 Revert Cloud Instance An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
T1112 Modify Registry Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
T1601 Modify System Image Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
.001 Patch System Image Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.
.002 Downgrade System Image Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features.
T1599 Network Boundary Bridging Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
.001 Network Address Translation Traversal Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
T1027 Obfuscated Files or Information Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
.001 Binary Padding Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
.002 Software Packing Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
.003 Steganography Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
.004 Compile After Delivery Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.
.005 Indicator Removal from Tools Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
.006 HTML Smuggling Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.
.007 Dynamic API Resolution Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
.008 Stripped Payloads Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.
.009 Embedded Payloads Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.
.010 Command Obfuscation Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.
.011 Fileless Storage Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.
T1647 Plist File Modification Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.
T1542 Pre-OS Boot Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.
.001 System Firmware Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.
.002 Component Firmware Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
.003 Bootkit Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
.004 ROMMONkit Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect.
.005 TFTP Boot Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
T1055 Process Injection Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
.001 Dynamic-link Library Injection Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
.002 Portable Executable Injection Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
.003 Thread Execution Hijacking Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
.004 Asynchronous Procedure Call Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
.005 Thread Local Storage Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
.008 Ptrace System Calls Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.
.009 Proc Memory Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.
.011 Extra Window Memory Injection Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
.012 Process Hollowing Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
.013 Process Doppelgänging Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
.014 VDSO Hijacking Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
.015 ListPlanting Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
T1620 Reflective Code Loading Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, rather than creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snippets of fileless executable code (ex: position-independent shellcode).
T1207 Rogue Domain Controller Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
T1014 Rootkit Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
T1553 Subvert Trust Controls Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
.001 Gatekeeper Bypass Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.
.002 Code Signing Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.
.003 SIP and Trust Provider Hijacking Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature.
.004 Install Root Certificate Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
.005 Mark-of-the-Web Bypass Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW. Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.
.006 Code Signing Policy Modification Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.
T1218 System Binary Proxy Execution Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
.001 Compiled HTML File Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).
.002 Control Panel Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
.003 CMSTP Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
.004 InstallUtil Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.
.005 Mshta Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.
.007 Msiexec Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). The Msiexec.exe binary may also be digitally signed by Microsoft.
.008 Odbcconf Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. The Odbcconf.exe binary may be digitally signed by Microsoft.
.009 Regsvcs/Regasm Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft.
.010 Regsvr32 Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
.011 Rundll32 Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).
.012 Verclsid Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.
.013 Mavinject Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).
.014 MMC Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt. MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.
T1216 System Script Proxy Execution Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.
.001 PubPrn Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.
T1221 Template Injection Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.
T1205 Traffic Signaling Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
.001 Port Knocking Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software.
.002 Socket Filters Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
T1127 Trusted Developer Utilities Proxy Execution Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
.001 MSBuild Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.
T1535 Unused/Unsupported Cloud Regions Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.
T1550 Use Alternate Authentication Material Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
.001 Application Access Token Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
.002 Pass the Hash Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
.003 Pass the Ticket Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
.004 Web Session Cookie Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.
T1078 Valid Accounts Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
.001 Default Accounts Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.
.002 Domain Accounts Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
.003 Local Accounts Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
.004 Cloud Accounts Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.
T1497 Virtualization/Sandbox Evasion Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
.001 System Checks Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
.002 User Activity Based Checks Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
.003 Time Based Evasion Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
T1600 Weaken Encryption Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.
.001 Reduce Key Space Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.
.002 Disable Crypto Hardware Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
T1220 XSL Script Processing Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages.