MITRE ATT&CK Index

Reference index for the Enterprise ATT&CK framework. Only top-level techniques are listed.

TA0001 - Initial Access

  • T1078 - Valid Accounts
  • T1091 - Replication Through Removable Media
  • T1133 - External Remote Services
  • T1189 - Drive-by Compromise
  • T1190 - Exploit Public-Facing Application
  • T1195 - Supply Chain Compromise
  • T1199 - Trusted Relationship
  • T1200 - Hardware Additions
  • T1566 - Phishing
  • T1659 - Content Injection
  • T1669 - Wi-Fi Networks

TA0002 - Execution

  • T1047 - Windows Management Instrumentation
  • T1053 - Scheduled Task/Job
  • T1059 - Command and Scripting Interpreter
  • T1061 - Graphical User Interface
  • T1064 - Scripting
  • T1072 - Software Deployment Tools
  • T1106 - Native API
  • T1127 - Trusted Developer Utilities Proxy Execution
  • T1129 - Shared Modules
  • T1153 - Source
  • T1175 - Component Object Model and Distributed COM
  • T1197 - BITS Jobs
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
  • T1559 - Inter-Process Communication
  • T1569 - System Services
  • T1574 - Hijack Execution Flow
  • T1609 - Container Administration Command
  • T1610 - Deploy Container
  • T1648 - Serverless Execution
  • T1651 - Cloud Administration Command
  • T1674 - Input Injection
  • T1675 - ESXi Administration Command
  • T1677 - Poisoned Pipeline Execution

TA0003 - Persistence

  • T1034 - Path Interception
  • T1037 - Boot or Logon Initialization Scripts
  • T1053 - Scheduled Task/Job
  • T1062 - Hypervisor
  • T1078 - Valid Accounts
  • T1098 - Account Manipulation
  • T1108 - Redundant Access
  • T1112 - Modify Registry
  • T1133 - External Remote Services
  • T1136 - Create Account
  • T1137 - Office Application Startup
  • T1176 - Software Extensions
  • T1197 - BITS Jobs
  • T1205 - Traffic Signaling
  • T1505 - Server Software Component
  • T1525 - Implant Internal Image
  • T1542 - Pre-OS Boot
  • T1543 - Create or Modify System Process
  • T1546 - Event Triggered Execution
  • T1547 - Boot or Logon Autostart Execution
  • T1554 - Compromise Host Software Binary
  • T1556 - Modify Authentication Process
  • T1653 - Power Settings
  • T1668 - Exclusive Control
  • T1671 - Cloud Application Integration

TA0004 - Privilege Escalation

  • T1034 - Path Interception
  • T1037 - Boot or Logon Initialization Scripts
  • T1053 - Scheduled Task/Job
  • T1055 - Process Injection
  • T1068 - Exploitation for Privilege Escalation
  • T1078 - Valid Accounts
  • T1098 - Account Manipulation
  • T1134 - Access Token Manipulation
  • T1484 - Domain or Tenant Policy Modification
  • T1543 - Create or Modify System Process
  • T1546 - Event Triggered Execution
  • T1547 - Boot or Logon Autostart Execution
  • T1548 - Abuse Elevation Control Mechanism
  • T1611 - Escape to Host

TA0005 - Stealth

  • T1006 - Direct Volume Access
  • T1014 - Rootkit
  • T1027 - Obfuscated Files or Information
  • T1036 - Masquerading
  • T1055 - Process Injection
  • T1064 - Scripting
  • T1070 - Indicator Removal
  • T1078 - Valid Accounts
  • T1108 - Redundant Access
  • T1127 - Trusted Developer Utilities Proxy Execution
  • T1134 - Access Token Manipulation
  • T1140 - Deobfuscate/Decode Files or Information
  • T1149 - LC_MAIN Hijacking
  • T1197 - BITS Jobs
  • T1202 - Indirect Command Execution
  • T1205 - Traffic Signaling
  • T1211 - Exploitation for Stealth
  • T1216 - System Script Proxy Execution
  • T1218 - System Binary Proxy Execution
  • T1220 - XSL Script Processing
  • T1221 - Template Injection
  • T1480 - Execution Guardrails
  • T1497 - Virtualization/Sandbox Evasion
  • T1535 - Unused/Unsupported Cloud Regions
  • T1542 - Pre-OS Boot
  • T1564 - Hide Artifacts
  • T1574 - Hijack Execution Flow
  • T1612 - Build Image on Host
  • T1620 - Reflective Code Loading
  • T1622 - Debugger Evasion
  • T1678 - Delay Execution
  • T1679 - Selective Exclusion
  • T1684 - Social Engineering

TA0006 - Credential Access

  • T1003 - OS Credential Dumping
  • T1040 - Network Sniffing
  • T1056 - Input Capture
  • T1110 - Brute Force
  • T1111 - Multi-Factor Authentication Interception
  • T1187 - Forced Authentication
  • T1212 - Exploitation for Credential Access
  • T1528 - Steal Application Access Token
  • T1539 - Steal Web Session Cookie
  • T1552 - Unsecured Credentials
  • T1555 - Credentials from Password Stores
  • T1556 - Modify Authentication Process
  • T1557 - Adversary-in-the-Middle
  • T1558 - Steal or Forge Kerberos Tickets
  • T1606 - Forge Web Credentials
  • T1621 - Multi-Factor Authentication Request Generation
  • T1649 - Steal or Forge Authentication Certificates

TA0007 - Discovery

  • T1007 - System Service Discovery
  • T1010 - Application Window Discovery
  • T1012 - Query Registry
  • T1016 - System Network Configuration Discovery
  • T1018 - Remote System Discovery
  • T1033 - System Owner/User Discovery
  • T1040 - Network Sniffing
  • T1046 - Network Service Discovery
  • T1049 - System Network Connections Discovery
  • T1057 - Process Discovery
  • T1069 - Permission Groups Discovery
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1087 - Account Discovery
  • T1120 - Peripheral Device Discovery
  • T1124 - System Time Discovery
  • T1135 - Network Share Discovery
  • T1201 - Password Policy Discovery
  • T1217 - Browser Information Discovery
  • T1482 - Domain Trust Discovery
  • T1497 - Virtualization/Sandbox Evasion
  • T1518 - Software Discovery
  • T1526 - Cloud Service Discovery
  • T1538 - Cloud Service Dashboard
  • T1580 - Cloud Infrastructure Discovery
  • T1613 - Container and Resource Discovery
  • T1614 - System Location Discovery
  • T1615 - Group Policy Discovery
  • T1619 - Cloud Storage Object Discovery
  • T1622 - Debugger Evasion
  • T1652 - Device Driver Discovery
  • T1654 - Log Enumeration
  • T1673 - Virtual Machine Discovery
  • T1680 - Local Storage Discovery

TA0008 - Lateral Movement

  • T1021 - Remote Services
  • T1051 - Shared Webroot
  • T1072 - Software Deployment Tools
  • T1080 - Taint Shared Content
  • T1091 - Replication Through Removable Media
  • T1175 - Component Object Model and Distributed COM
  • T1210 - Exploitation of Remote Services
  • T1534 - Internal Spearphishing
  • T1550 - Use Alternate Authentication Material
  • T1563 - Remote Service Session Hijacking
  • T1570 - Lateral Tool Transfer

TA0009 - Collection

  • T1005 - Data from Local System
  • T1025 - Data from Removable Media
  • T1039 - Data from Network Shared Drive
  • T1056 - Input Capture
  • T1074 - Data Staged
  • T1113 - Screen Capture
  • T1114 - Email Collection
  • T1115 - Clipboard Data
  • T1119 - Automated Collection
  • T1123 - Audio Capture
  • T1125 - Video Capture
  • T1185 - Browser Session Hijacking
  • T1213 - Data from Information Repositories
  • T1530 - Data from Cloud Storage
  • T1557 - Adversary-in-the-Middle
  • T1560 - Archive Collected Data
  • T1602 - Data from Configuration Repository

TA0010 - Exfiltration

  • T1011 - Exfiltration Over Other Network Medium
  • T1020 - Automated Exfiltration
  • T1029 - Scheduled Transfer
  • T1030 - Data Transfer Size Limits
  • T1041 - Exfiltration Over C2 Channel
  • T1048 - Exfiltration Over Alternative Protocol
  • T1052 - Exfiltration Over Physical Medium
  • T1537 - Transfer Data to Cloud Account
  • T1567 - Exfiltration Over Web Service

TA0011 - Command and Control

  • T1001 - Data Obfuscation
  • T1008 - Fallback Channels
  • T1026 - Multiband Communication
  • T1043 - Commonly Used Port
  • T1071 - Application Layer Protocol
  • T1090 - Proxy
  • T1092 - Communication Through Removable Media
  • T1095 - Non-Application Layer Protocol
  • T1102 - Web Service
  • T1104 - Multi-Stage Channels
  • T1105 - Ingress Tool Transfer
  • T1132 - Data Encoding
  • T1205 - Traffic Signaling
  • T1219 - Remote Access Tools
  • T1568 - Dynamic Resolution
  • T1571 - Non-Standard Port
  • T1572 - Protocol Tunneling
  • T1573 - Encrypted Channel
  • T1659 - Content Injection
  • T1665 - Hide Infrastructure

TA0040 - Impact

  • T1485 - Data Destruction
  • T1486 - Data Encrypted for Impact
  • T1489 - Service Stop
  • T1490 - Inhibit System Recovery
  • T1491 - Defacement
  • T1495 - Firmware Corruption
  • T1496 - Resource Hijacking
  • T1498 - Network Denial of Service
  • T1499 - Endpoint Denial of Service
  • T1529 - System Shutdown/Reboot
  • T1531 - Account Access Removal
  • T1561 - Disk Wipe
  • T1565 - Data Manipulation
  • T1657 - Financial Theft
  • T1667 - Email Bombing

TA0042 - Resource Development

  • T1583 - Acquire Infrastructure
  • T1584 - Compromise Infrastructure
  • T1585 - Establish Accounts
  • T1586 - Compromise Accounts
  • T1587 - Develop Capabilities
  • T1588 - Obtain Capabilities
  • T1608 - Stage Capabilities
  • T1650 - Acquire Access
  • T1683 - Generate Content

TA0043 - Reconnaissance

  • T1589 - Gather Victim Identity Information
  • T1590 - Gather Victim Network Information
  • T1591 - Gather Victim Org Information
  • T1592 - Gather Victim Host Information
  • T1593 - Search Open Websites/Domains
  • T1594 - Search Victim-Owned Websites
  • T1595 - Active Scanning
  • T1596 - Search Open Technical Databases
  • T1597 - Search Closed Sources
  • T1598 - Phishing for Information
  • T1681 - Search Threat Vendor Data
  • T1682 - Query Public AI Services

TA0112 - Defense Impairment

  • T1112 - Modify Registry
  • T1207 - Rogue Domain Controller
  • T1222 - File and Directory Permissions Modification
  • T1484 - Domain or Tenant Policy Modification
  • T1553 - Subvert Trust Controls
  • T1556 - Modify Authentication Process
  • T1578 - Modify Cloud Compute Infrastructure
  • T1599 - Network Boundary Bridging
  • T1600 - Weaken Encryption
  • T1601 - Modify System Image
  • T1647 - Plist File Modification
  • T1666 - Modify Cloud Resource Hierarchy
  • T1685 - Disable or Modify Tools
  • T1686 - Disable or Modify System Firewall
  • T1687 - Exploitation for Defense Impairment
  • T1688 - Safe Mode Boot
  • T1689 - Downgrade Attack
  • T1690 - Prevent Command History Logging