Threat-informed report
nist-800-53 - threat & detection coverage
Generated 2026-06-14 02:07 UTC from TTPI engine data
This report maps nist-800-53 controls to the MITRE ATT&CK techniques they address, then checks each technique against our detection corpus (Sigma, CAR, IDS, YARA, Falco). It shows, control by control, what attacks each control is meant to stop and whether those attacks are actually detectable today. Use it as the threat-informed backbone of an audit response or pentest report.
What this measures: whether a public detection rule exists for each technique, not whether you have deployed it in your environment. It is the detectable-in-principle ceiling, not your live coverage. For coverage against your own rules and telemetry, use the Detection workspace.
Coverage Summary
109 threat-mapped controls
470 ATT&CK techniques addressed
308 techniques we can detect
65% detection coverage
Coverage = of the distinct techniques mapped to this framework, the share for which we hold at least one detection rule (308 of 470; the percentage is truncated, not rounded). Family and control totals below count a technique once per control it maps to, so they add up to more than 470. In the per-control lists, ✓ marks a technique with at least one rule in the corpus; an entry without ✓ is a gap. The Priority Gaps block lists controls with zero detection coverage - the priority remediation set.
Priority Gaps - controls with no detection coverage (3)
These controls map to attacker techniques we currently cannot detect. Each is a candidate for a new detection or a compensating control.
SC-05 · Denial-of-service Protection · 1 technique uncovered
SC-06 · Resource Availability · 1 technique uncovered
SC-40 · Wireless Link Protection · 1 technique uncovered
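The arithmetic behind the summary figures and the gap list, as an added example that is not the TTPI engine's own code: Sigma rules are indexed by their `attack.t…` tags into a technique-to-source corpus, each control is scored against that corpus, the framework figure is taken over distinct techniques, and any control with zero hits falls out as a priority gap. The rule stubs, the CAR and Falco ID lists and the control map are constructed for the example and are not the report's data.

```python
"""Coverage arithmetic behind a threat-informed report (added example).

Inputs are constructed: three Sigma-style rule stubs, two hand-written
source lists, and a small control -> technique map modelled on the
report's layout. Nothing here is the TTPI engine's own code or data.
"""
import re
from collections import defaultdict

# Constructed Sigma-style rule fragments; only the 'attack.tNNNN[.NNN]'
# tags are read, which is how Sigma rules carry their ATT&CK mapping.
SIGMA_RULES = """\
title: LSASS memory dump via comsvcs (constructed stub)
tags:
    - attack.credential_access
    - attack.t1003.001
---
title: Scheduled task created from a shell (constructed stub)
tags:
    - attack.persistence
    - attack.t1053.005
---
title: Sudo cache abuse (constructed stub)
tags:
    - attack.privilege_escalation
    - attack.t1548.003
"""

# Other corpus sources already keyed by technique ID (constructed).
OTHER_SOURCES = {
    "CAR": {"T1003", "T1078"},
    "Falco": {"T1611"},
}

# Constructed slice of a control -> technique map. The real report
# lists hundreds of techniques per control; the shape is what matters.
CONTROL_MAP = {
    "AC-02": ["T1003", "T1003.001", "T1053.005", "T1078", "T1548.003", "T1110.003"],
    "AC-06": ["T1003.001", "T1078", "T1548.003", "T1611", "T1556.003"],
    "SC-05": ["T1498"],
}

TAG_RE = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)\b", re.IGNORECASE)


def techniques_from_sigma(rule_text):
    """Technique IDs named in Sigma 'attack.t...' tags, upper-cased."""
    return {m.group(1).upper() for m in TAG_RE.finditer(rule_text)}


def build_corpus(sigma_text, other_sources):
    """technique ID -> set of sources holding at least one rule for it."""
    corpus = defaultdict(set)
    for tid in techniques_from_sigma(sigma_text):
        corpus[tid].add("Sigma")
    for source, ids in other_sources.items():
        for tid in ids:
            corpus[tid].add(source)
    return dict(corpus)


def control_coverage(control_map, corpus):
    """Per control: (detectable, mapped). A parent technique and its
    sub-techniques are scored independently, as the report does."""
    return {c: (sum(t in corpus for t in ts), len(ts)) for c, ts in control_map.items()}


def framework_coverage(control_map, corpus):
    """Distinct techniques across every control, counted once each.
    Percent is truncated, which is how 308/470 shows as 65% above."""
    distinct = {t for ts in control_map.values() for t in ts}
    hit = [t for t in distinct if t in corpus]
    return len(hit), len(distinct), int(100 * len(hit) / len(distinct))


def naive_sum_coverage(control_map, corpus):
    """Sum of per-control rows, which counts a shared technique once per
    control. Shown only to make the gap to framework_coverage visible."""
    rows = control_coverage(control_map, corpus).values()
    hit, total = sum(h for h, _ in rows), sum(n for _, n in rows)
    return hit, total, int(100 * hit / total)


def priority_gaps(control_map, corpus):
    """Controls with zero detectable techniques: the remediation set."""
    cov = control_coverage(control_map, corpus)
    return sorted(c for c, (hit, _) in cov.items() if hit == 0)


def uncovered(control_map, corpus, control):
    """Techniques under one control that no source can detect."""
    return [t for t in control_map[control] if t not in corpus]


if __name__ == "__main__":
    corpus = build_corpus(SIGMA_RULES, OTHER_SOURCES)
    for ctl, (hit, total) in control_coverage(CONTROL_MAP, corpus).items():
        print(f"{ctl}: {hit}/{total} detectable, uncovered: {uncovered(CONTROL_MAP, corpus, ctl)}")
    print("framework (distinct):", framework_coverage(CONTROL_MAP, corpus))
    print("naive row sum:       ", naive_sum_coverage(CONTROL_MAP, corpus))
    print("priority gaps:", priority_gaps(CONTROL_MAP, corpus))
```

Run it and the two headline figures disagree: the row sum gives 9/12 (75%) while the distinct-technique figure gives 6/9 (66%), because T1003.001, T1078 and T1548.003 sit under two controls and are counted twice in the former. That is the same effect that makes the family totals below (for example 1400 for AC) exceed the 470 distinct techniques in the summary. The percent is truncated to match the summary's 65% for 308/470; round() would print 66%.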
AC family · 953/1400 techniques covered (control rows summed, so a technique mapped to several AC controls is counted once per control; the 470 in the summary counts each distinct technique once)
AC-02 · Account Management · 150/220 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1005 · Data from Local System ✓
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1021.007 · Cloud Services ✓
T1021.008 · Direct Cloud VM Connections
T1025 · Data from Removable Media
T1036 · Masquerading ✓
T1036.003 · Rename Legitimate Utilities ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1036.010 · Masquerade Account Name
T1041 · Exfiltration Over C2 Channel ✓
T1047 · Windows Management Instrumentation ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.003 · Cron ✓
T1053.005 · Scheduled Task ✓
T1053.006 · Systemd Timers
T1053.007 · Container Orchestration Job
T1055 · Process Injection ✓
T1055.008 · Ptrace System Calls ✓
T1056.003 · Web Portal Capture
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1059.009 · Cloud API ✓
T1059.010 · AutoHotKey & AutoIT
T1059.011 · Lua
T1068 · Exploitation for Privilege Escalation ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1087 · Account Discovery ✓
T1087.004 · Cloud Account ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.005 · Device Registration ✓
T1098.006 · Additional Container Cluster Roles
T1098.007 · Additional Local or Domain Groups
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1134 · Access Token Manipulation ✓
T1134.001 · Token Impersonation/Theft ✓
T1134.002 · Create Process with Token ✓
T1134.003 · Make and Impersonate Token ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1185 · Browser Session Hijacking ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1197 · BITS Jobs ✓
T1210 · Exploitation of Remote Services ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.003 · Code Repositories ✓
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1218 · System Binary Proxy Execution ✓
T1218.007 · Msiexec ✓
T1218.015 · Electron Applications
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1484 · Domain or Tenant Policy Modification ✓
T1485.001 · Lifecycle-Triggered Deletion
T1489 · Service Stop ✓
T1490 · Inhibit System Recovery ✓
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.002 · Transport Agent ✓
T1505.003 · Web Shell ✓
T1505.005 · Terminal Services DLL ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1538 · Cloud Service Dashboard
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.001 · Launch Agent ✓
T1543.002 · Systemd Service ✓
T1543.003 · Windows Service ✓
T1543.004 · Launch Daemon ✓
T1543.005 · Container Service
T1546 · Event Triggered Execution ✓
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.009 · Shortcut Modification ✓
T1547.012 · Print Processors
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.005 · Temporary Elevated Cloud Access
T1548.006 · TCC Manipulation
T1550 · Use Alternate Authentication Material ✓
T1550.002 · Pass the Hash ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1552.006 · Group Policy Preferences ✓
T1552.007 · Container API ✓
T1553 · Subvert Trust Controls ✓
T1555.005 · Password Managers ✓
T1555.006 · Cloud Secrets Management Stores
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.005 · Reversible Encryption
T1556.006 · Multi-Factor Authentication ✓
T1556.007 · Hybrid Identity
T1556.009 · Conditional Access Policies
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.001 · Golden Ticket
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1558.005 · Ccache Files
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.007 · Disable or Modify Cloud Firewall
T1562.008 · Disable or Modify Cloud Logs
T1562.009 · Safe Mode Boot
T1562.012 · Disable or Modify Linux Audit System
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1566.003 · Spearphishing via Service
T1567 · Exfiltration Over Web Service ✓
T1569 · System Services ✓
T1569.001 · Launchctl ✓
T1569.002 · Service Execution ✓
T1574 · Hijack Execution Flow ✓
T1574.004 · Dylib Hijacking
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.010 · Services File Permissions Weakness ✓
T1574.012 · COR_PROFILER ✓
T1578 · Modify Cloud Compute Infrastructure ✓
T1578.001 · Create Snapshot
T1578.002 · Create Cloud Instance
T1578.003 · Delete Cloud Instance ✓
T1578.005 · Modify Cloud Compute Configurations
T1580 · Cloud Infrastructure Discovery ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1606 · Forge Web Credentials ✓
T1606.001 · Web Cookies
T1606.002 · SAML Tokens ✓
T1609 · Container Administration Command ✓
T1610 · Deploy Container ✓
T1611 · Escape to Host ✓
T1612 · Build Image on Host
T1613 · Container and Resource Discovery ✓
T1619 · Cloud Storage Object Discovery ✓
T1621 · Multi-Factor Authentication Request Generation ✓
T1648 · Serverless Execution
T1651 · Cloud Administration Command
T1654 · Log Enumeration
AC-03 · Access Enforcement · 191/281 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1005 · Data from Local System ✓
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1021.007 · Cloud Services ✓
T1021.008 · Direct Cloud VM Connections
T1025 · Data from Removable Media
T1027 · Obfuscated Files or Information ✓
T1036 · Masquerading ✓
T1036.003 · Rename Legitimate Utilities ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1036.010 · Masquerade Account Name
T1037 · Boot or Logon Initialization Scripts ✓
T1037.002 · Login Hook
T1037.003 · Network Logon Script
T1037.004 · RC Scripts
T1037.005 · Startup Items ✓
T1041 · Exfiltration Over C2 Channel ✓
T1047 · Windows Management Instrumentation ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.003 · Cron ✓
T1053.005 · Scheduled Task ✓
T1053.006 · Systemd Timers
T1053.007 · Container Orchestration Job
T1055 · Process Injection ✓
T1055.008 · Ptrace System Calls ✓
T1055.009 · Proc Memory ✓
T1056.003 · Web Portal Capture
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1059.009 · Cloud API ✓
T1059.010 · AutoHotKey & AutoIT
T1059.011 · Lua
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1071.004 · DNS ✓
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1080 · Taint Shared Content
T1087.004 · Cloud Account ✓
T1090 · Proxy ✓
T1090.003 · Multi-hop Proxy ✓
T1091 · Replication Through Removable Media ✓
T1095 · Non-Application Layer Protocol ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.004 · SSH Authorized Keys ✓
T1098.005 · Device Registration ✓
T1098.006 · Additional Container Cluster Roles
T1098.007 · Additional Local or Domain Groups
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1114 · Email Collection ✓
T1114.002 · Remote Email Collection
T1133 · External Remote Services ✓
T1134 · Access Token Manipulation ✓
T1134.001 · Token Impersonation/Theft ✓
T1134.002 · Create Process with Token ✓
T1134.003 · Make and Impersonate Token ✓
T1134.005 · SID-History Injection ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1185 · Browser Session Hijacking ✓
T1187 · Forced Authentication ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1197 · BITS Jobs ✓
T1199 · Trusted Relationship ✓
T1200 · Hardware Additions ✓
T1205 · Traffic Signaling ✓
T1205.001 · Port Knocking ✓
T1210 · Exploitation of Remote Services ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.003 · Code Repositories ✓
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1218 · System Binary Proxy Execution ✓
T1218.002 · Control Panel ✓
T1218.007 · Msiexec ✓
T1218.012 · Verclsid
T1219 · Remote Access Tools ✓
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1484 · Domain or Tenant Policy Modification ✓
T1485 · Data Destruction ✓
T1485.001 · Lifecycle-Triggered Deletion
T1486 · Data Encrypted for Impact ✓
T1489 · Service Stop ✓
T1490 · Inhibit System Recovery ✓
T1491 · Defacement
T1491.001 · Internal Defacement ✓
T1491.002 · External Defacement
T1495 · Firmware Corruption ✓
T1498 · Network Denial of Service ✓
T1498.001 · Direct Network Flood
T1498.002 · Reflection Amplification
T1499 · Endpoint Denial of Service ✓
T1499.001 · OS Exhaustion Flood ✓
T1499.002 · Service Exhaustion Flood
T1499.003 · Application Exhaustion Flood
T1499.004 · Application or System Exploitation ✓
T1505 · Server Software Component ✓
T1505.002 · Transport Agent ✓
T1505.003 · Web Shell ✓
T1505.004 · IIS Components ✓
T1505.005 · Terminal Services DLL ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1538 · Cloud Service Dashboard
T1539 · Steal Web Session Cookie ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.001 · Launch Agent ✓
T1543.002 · Systemd Service ✓
T1543.003 · Windows Service ✓
T1543.004 · Launch Daemon ✓
T1543.005 · Container Service
T1546 · Event Triggered Execution ✓
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1546.004 · Unix Shell Configuration Modification ✓
T1546.013 · PowerShell Profile ✓
T1547.003 · Time Providers ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.007 · Re-opened Applications
T1547.009 · Shortcut Modification ✓
T1547.012 · Print Processors
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.005 · Temporary Elevated Cloud Access
T1548.006 · TCC Manipulation
T1550 · Use Alternate Authentication Material ✓
T1550.002 · Pass the Hash ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.002 · Credentials in Registry ✓
T1552.005 · Cloud Instance Metadata API ✓
T1552.007 · Container API ✓
T1553 · Subvert Trust Controls ✓
T1553.003 · SIP and Trust Provider Hijacking ✓
T1555 · Credentials from Password Stores ✓
T1555.002 · Securityd Memory
T1555.005 · Password Managers ✓
T1555.006 · Cloud Secrets Management Stores
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.006 · Multi-Factor Authentication ✓
T1556.007 · Hybrid Identity
T1556.008 · Network Provider DLL
T1556.009 · Conditional Access Policies
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.001 · Golden Ticket
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1558.005 · Ccache Files
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1561 · Disk Wipe
T1561.001 · Disk Content Wipe ✓
T1561.002 · Disk Structure Wipe ✓
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.007 · Disable or Modify Cloud Firewall
T1562.008 · Disable or Modify Cloud Logs
T1562.009 · Safe Mode Boot
T1562.012 · Disable or Modify Linux Audit System
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1564.004 · NTFS File Attributes ✓
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1567 · Exfiltration Over Web Service ✓
T1569 · System Services ✓
T1569.001 · Launchctl ✓
T1569.002 · Service Execution ✓
T1570 · Lateral Tool Transfer ✓
T1572 · Protocol Tunneling ✓
T1574 · Hijack Execution Flow ✓
T1574.004 · Dylib Hijacking
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.010 · Services File Permissions Weakness ✓
T1574.012 · COR_PROFILER ✓
T1574.014 · AppDomainManager ✓
T1578 · Modify Cloud Compute Infrastructure ✓
T1578.001 · Create Snapshot
T1578.002 · Create Cloud Instance
T1578.003 · Delete Cloud Instance ✓
T1578.005 · Modify Cloud Compute Configurations
T1580 · Cloud Infrastructure Discovery ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1606 · Forge Web Credentials ✓
T1606.001 · Web Cookies
T1606.002 · SAML Tokens ✓
T1609 · Container Administration Command ✓
T1610 · Deploy Container ✓
T1611 · Escape to Host ✓
T1612 · Build Image on Host
T1613 · Container and Resource Discovery ✓
T1619 · Cloud Storage Object Discovery ✓
T1622 · Debugger Evasion ✓
T1647 · Plist File Modification
T1648 · Serverless Execution
T1651 · Cloud Administration Command
T1654 · Log Enumeration
AC-04 · Information Flow Enforcement · 110/158 detectable
T1001 · Data Obfuscation ✓
T1001.001 · Junk Data
T1001.002 · Steganography
T1001.003 · Protocol or Service Impersonation ✓
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1008 · Fallback Channels ✓
T1020.001 · Traffic Duplication
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1029 · Scheduled Transfer ✓
T1030 · Data Transfer Size Limits ✓
T1041 · Exfiltration Over C2 Channel ✓
T1046 · Network Service Discovery ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1068 · Exploitation for Privilege Escalation ✓
T1070.008 · Clear Mailbox Data
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1071.005 · Publish/Subscribe Protocols
T1072 · Software Deployment Tools ✓
T1090 · Proxy ✓
T1090.001 · Internal Proxy ✓
T1090.002 · External Proxy ✓
T1090.003 · Multi-hop Proxy ✓
T1095 · Non-Application Layer Protocol ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.007 · Additional Local or Domain Groups
T1102 · Web Service ✓
T1102.001 · Dead Drop Resolver ✓
T1102.002 · Bidirectional Communication ✓
T1102.003 · One-Way Communication ✓
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer ✓
T1114 · Email Collection ✓
T1114.001 · Local Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1132 · Data Encoding ✓
T1132.001 · Standard Encoding ✓
T1132.002 · Non-Standard Encoding
T1133 · External Remote Services ✓
T1134.005 · SID-History Injection ✓
T1136 · Create Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1187 · Forced Authentication ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1197 · BITS Jobs ✓
T1199 · Trusted Relationship ✓
T1203 · Exploitation for Client Execution ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1205 · Traffic Signaling ✓
T1205.001 · Port Knocking ✓
T1205.002 · Socket Filters
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1218 · System Binary Proxy Execution ✓
T1218.012 · Verclsid
T1219 · Remote Access Tools ✓
T1482 · Domain Trust Discovery ✓
T1484 · Domain or Tenant Policy Modification ✓
T1489 · Service Stop ✓
T1498 · Network Denial of Service ✓
T1498.001 · Direct Network Flood
T1498.002 · Reflection Amplification
T1499 · Endpoint Denial of Service ✓
T1499.001 · OS Exhaustion Flood ✓
T1499.002 · Service Exhaustion Flood
T1499.003 · Application Exhaustion Flood
T1499.004 · Application or System Exploitation ✓
T1505.004 · IIS Components ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1547.003 · Time Providers ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.005 · Cloud Instance Metadata API ✓
T1552.007 · Container API ✓
T1552.008 · Chat Messages
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1559.002 · Dynamic Data Exchange ✓
T1563 · Remote Service Session Hijacking
T1563.002 · RDP Hijacking ✓
T1564.008 · Email Hiding Rules
T1565 · Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1566.003 · Spearphishing via Service
T1567 · Exfiltration Over Web Service ✓
T1567.001 · Exfiltration to Code Repository ✓
T1567.002 · Exfiltration to Cloud Storage ✓
T1567.003 · Exfiltration to Text Storage Sites
T1567.004 · Exfiltration Over Webhook
T1568 · Dynamic Resolution ✓
T1568.002 · Domain Generation Algorithms ✓
T1570 · Lateral Tool Transfer ✓
T1571 · Non-Standard Port ✓
T1572 · Protocol Tunneling ✓
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1574 · Hijack Execution Flow ✓
T1574.004 · Dylib Hijacking
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.010 · Services File Permissions Weakness ✓
T1590.002 · DNS ✓
T1598 · Phishing for Information
T1598.001 · Spearphishing Service
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1609 · Container Administration Command ✓
T1611 · Escape to Host ✓
T1622 · Debugger Evasion ✓
T1654 · Log Enumeration
T1659 · Content Injection
AC-05 · Separation of Duties · 122/167 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.006 · Windows Remote Management ✓
T1021.007 · Cloud Services ✓
T1047 · Windows Management Instrumentation ✓
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.003 · Cron ✓
T1053.005 · Scheduled Task ✓
T1053.006 · Systemd Timers
T1053.007 · Container Orchestration Job
T1055 · Process Injection ✓
T1055.008 · Ptrace System Calls ✓
T1056.003 · Web Portal Capture
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.008 · Network Device CLI
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1087.004 · Cloud Account ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.004 · SSH Authorized Keys ✓
T1098.005 · Device Registration ✓
T1098.007 · Additional Local or Domain Groups
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1134 · Access Token Manipulation ✓
T1134.001 · Token Impersonation/Theft ✓
T1134.002 · Create Process with Token ✓
T1134.003 · Make and Impersonate Token ✓
T1134.005 · SID-History Injection ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1185 · Browser Session Hijacking ✓
T1190 · Exploit Public-Facing Application ✓
T1197 · BITS Jobs ✓
T1210 · Exploitation of Remote Services ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.003 · Code Repositories ✓
T1213.004 · Customer Relationship Management Software
T1218 · System Binary Proxy Execution ✓
T1218.007 · Msiexec ✓
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1484 · Domain or Tenant Policy Modification ✓
T1489 · Service Stop ✓
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.002 · Transport Agent ✓
T1505.003 · Web Shell ✓
T1505.005 · Terminal Services DLL ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1538 · Cloud Service Dashboard
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.001 · Launch Agent ✓
T1543.002 · Systemd Service ✓
T1543.003 · Windows Service ✓
T1543.004 · Launch Daemon ✓
T1543.005 · Container Service
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.009 · Shortcut Modification ✓
T1547.012 · Print Processors
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.006 · TCC Manipulation
T1550 · Use Alternate Authentication Material ✓
T1550.002 · Pass the Hash ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.006 · Group Policy Preferences ✓
T1552.007 · Container API ✓
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.005 · Reversible Encryption
T1556.009 · Conditional Access Policies
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.001 · Golden Ticket
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.007 · Disable or Modify Cloud Firewall
T1562.008 · Disable or Modify Cloud Logs
T1562.009 · Safe Mode Boot
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1569 · System Services ✓
T1569.001 · Launchctl ✓
T1569.002 · Service Execution ✓
T1574 · Hijack Execution Flow ✓
T1574.004 · Dylib Hijacking
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.010 · Services File Permissions Weakness ✓
T1574.012 · COR_PROFILER ✓
T1578 · Modify Cloud Compute Infrastructure ✓
T1578.001 · Create Snapshot
T1578.002 · Create Cloud Instance
T1578.003 · Delete Cloud Instance ✓
T1580 · Cloud Infrastructure Discovery ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1606 · Forge Web Credentials ✓
T1609 · Container Administration Command ✓
T1611 · Escape to Host ✓
T1619 · Cloud Storage Object Discovery ✓
T1657 · Financial Theft
AC-06 · Least Privilege · 183/270 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1005 · Data from Local System ✓
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1021.007 · Cloud Services ✓
T1021.008 · Direct Cloud VM Connections
T1025 · Data from Removable Media
T1036 · Masquerading ✓
T1036.003 · Rename Legitimate Utilities ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1041 · Exfiltration Over C2 Channel ✓
T1047 · Windows Management Instrumentation ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.003 · Cron ✓
T1053.005 · Scheduled Task ✓
T1053.006 · Systemd Timers
T1053.007 · Container Orchestration Job
T1055 · Process Injection ✓
T1055.001 · Dynamic-link Library Injection ✓
T1055.002 · Portable Executable Injection
T1055.003 · Thread Execution Hijacking ✓
T1055.004 · Asynchronous Procedure Call
T1055.005 · Thread Local Storage
T1055.008 · Ptrace System Calls ✓
T1055.009 · Proc Memory ✓
T1055.011 · Extra Window Memory Injection ✓
T1055.012 · Process Hollowing ✓
T1055.013 · Process Doppelgänging
T1055.014 · VDSO Hijacking
T1056.003 · Web Portal Capture
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1059.009 · Cloud API ✓
T1059.010 · AutoHotKey & AutoIT
T1059.011 · Lua
T1068 · Exploitation for Privilege Escalation ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1087.004 · Cloud Account ✓
T1091 · Replication Through Removable Media ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.004 · SSH Authorized Keys ✓
T1098.005 · Device Registration ✓
T1098.006 · Additional Container Cluster Roles
T1098.007 · Additional Local or Domain Groups
T1106 · Native API ✓
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1112 · Modify Registry ✓
T1133 · External Remote Services ✓
T1134 · Access Token Manipulation ✓
T1134.001 · Token Impersonation/Theft ✓
T1134.002 · Create Process with Token ✓
T1134.003 · Make and Impersonate Token ✓
T1134.005 · SID-History Injection ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1137.002 · Office Test ✓
T1137.003 · Outlook Forms ✓
T1137.004 · Outlook Home Page
T1137.005 · Outlook Rules
T1137.006 · Add-ins ✓
T1176 · Software Extensions
T1185 · Browser Session Hijacking ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1197 · BITS Jobs ✓
T1199 · Trusted Relationship ✓
T1200 · Hardware Additions ✓
T1203 · Exploitation for Client Execution ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.003 · Code Repositories ✓
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1218 · System Binary Proxy Execution ✓
T1218.007 · Msiexec ✓
T1218.015 · Electron Applications
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1484 · Domain or Tenant Policy Modification ✓
T1485 · Data Destruction ✓
T1485.001 · Lifecycle-Triggered Deletion
T1486 · Data Encrypted for Impact ✓
T1489 · Service Stop ✓
T1490 · Inhibit System Recovery ✓
T1491 · Defacement
T1491.001 · Internal Defacement ✓
T1491.002 · External Defacement
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.002 · Transport Agent ✓
T1505.003 · Web Shell ✓
T1505.004 · IIS Components ✓
T1505.005 · Terminal Services DLL ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1538 · Cloud Service Dashboard
T1539 · Steal Web Session Cookie ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.001 · Launch Agent ✓
T1543.002 · Systemd Service ✓
T1543.003 · Windows Service ✓
T1543.004 · Launch Daemon ✓
T1543.005 · Container Service
T1546 · Event Triggered Execution ✓
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1546.004 · Unix Shell Configuration Modification ✓
T1546.011 · Application Shimming ✓
T1546.013 · PowerShell Profile ✓
T1546.016 · Installer Packages
T1547.003 · Time Providers ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.009 · Shortcut Modification ✓
T1547.012 · Print Processors
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.005 · Temporary Elevated Cloud Access
T1548.006 · TCC Manipulation
T1550 · Use Alternate Authentication Material ✓
T1550.002 · Pass the Hash ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.006 · Group Policy Preferences ✓
T1552.007 · Container API ✓
T1553 · Subvert Trust Controls ✓
T1553.003 · SIP and Trust Provider Hijacking ✓
T1553.006 · Code Signing Policy Modification
T1555 · Credentials from Password Stores ✓
T1555.002 · Securityd Memory
T1555.006 · Cloud Secrets Management Stores
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.005 · Reversible Encryption
T1556.006 · Multi-Factor Authentication ✓
T1556.007 · Hybrid Identity
T1556.008 · Network Provider DLL
T1556.009 · Conditional Access Policies
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.001 · Golden Ticket
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.005 · Ccache Files
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1559.002 · Dynamic Data Exchange ✓
T1561 · Disk Wipe
T1561.001 · Disk Content Wipe ✓
T1561.002 · Disk Structure Wipe ✓
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.007 · Disable or Modify Cloud Firewall
T1562.008 · Disable or Modify Cloud Logs
T1562.009 · Safe Mode Boot
T1562.012 · Disable or Modify Linux Audit System
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1566.003 · Spearphishing via Service
T1567 · Exfiltration Over Web Service ✓
T1569 · System Services ✓
T1569.001 · Launchctl ✓
T1569.002 · Service Execution ✓
T1574 · Hijack Execution Flow ✓
T1574.004 · Dylib Hijacking
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.007 · Path Interception by PATH Environment Variable
✓T1574.008 · Path Interception by Search Order Hijacking ✓T1574.009 · Path Interception by Unquoted Path ✓T1574.010 · Services File Permissions Weakness ✓T1574.011 · Services Registry Permissions Weakness ✓T1574.012 · COR_PROFILER ✓T1574.014 · AppDomainManager ✓T1578 · Modify Cloud Compute Infrastructure ✓T1578.001 · Create SnapshotT1578.002 · Create Cloud InstanceT1578.003 · Delete Cloud Instance ✓T1578.005 · Modify Cloud Compute ConfigurationsT1580 · Cloud Infrastructure Discovery ✓T1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓T1601 · Modify System ImageT1601.001 · Patch System ImageT1601.002 · Downgrade System ImageT1606 · Forge Web Credentials ✓T1606.001 · Web CookiesT1606.002 · SAML Tokens ✓T1609 · Container Administration Command ✓T1610 · Deploy Container ✓T1611 · Escape to Host ✓T1612 · Build Image on HostT1613 · Container and Resource Discovery ✓T1619 · Cloud Storage Object Discovery ✓T1621 · Multi-Factor Authentication Request Generation ✓T1647 · Plist File ModificationT1648 · Serverless ExecutionT1651 · Cloud Administration CommandT1654 · Log EnumerationT1657 · Financial Theft
AC-07
Unsuccessful Logon Attempts
11/16 detectable
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.004 · SSH ✓
T1078.002 · Domain Accounts ✓
T1078.004 · Cloud Accounts ✓
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1133 · External Remote Services ✓
T1530 · Data from Cloud Storage
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
AC-08
System Use Notification
1/1 detectable
AC-10
Concurrent Session Control
4/4 detectable
AC-11
Device Lock
2/2 detectable
AC-12
Session Termination
5/6 detectable
AC-14
Permitted Actions Without Identification or Authentication
1/1 detectable
AC-16
Security and Privacy Attributes
35/57 detectable
T1003 · OS Credential Dumping ✓
T1003.003 · NTDS ✓
T1005 · Data from Local System ✓
T1020.001 · Traffic Duplication
T1025 · Data from Removable Media
T1040 · Network Sniffing ✓
T1041 · Exfiltration Over C2 Channel ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.008 · Clear Mailbox Data
T1114 · Email Collection ✓
T1114.001 · Local Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1119 · Automated Collection ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1505 · Server Software Component ✓
T1505.002 · Transport Agent ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1547.007 · Re-opened Applications
T1548 · Abuse Elevation Control Mechanism ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.006 · TCC Manipulation
T1550.001 · Application Access Token ✓
T1552 · Unsecured Credentials ✓
T1552.004 · Private Keys ✓
T1552.005 · Cloud Instance Metadata API ✓
T1556.009 · Conditional Access Policies
T1557 · Adversary-in-the-Middle ✓
T1557.002 · ARP Cache Poisoning ✓
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1564.004 · NTFS File Attributes ✓
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1567 · Exfiltration Over Web Service ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1647 · Plist File Modification
AC-17
Remote Access
55/81 detectable
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1021.008 · Direct Cloud VM Connections
T1037 · Boot or Logon Initialization Scripts ✓
T1037.001 · Logon Script (Windows) ✓
T1040 · Network Sniffing ✓
T1047 · Windows Management Instrumentation ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.008 · Clear Mailbox Data
T1114 · Email Collection ✓
T1114.001 · Local Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1119 · Automated Collection ✓
T1127.002 · ClickOnce
T1133 · External Remote Services ✓
T1137 · Office Application Startup ✓
T1137.002 · Office Test ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.005 · Messaging Applications
T1219 · Remote Access Tools ✓
T1505.004 · IIS Components ✓
T1505.005 · Terminal Services DLL ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1543 · Create or Modify System Process ✓
T1547.003 · Time Providers ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.009 · Shortcut Modification ✓
T1547.012 · Print Processors
T1547.013 · XDG Autostart Entries
T1550.001 · Application Access Token ✓
T1552 · Unsecured Credentials ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1552.005 · Cloud Instance Metadata API ✓
T1552.007 · Container API ✓
T1557 · Adversary-in-the-Middle ✓
T1557.002 · ARP Cache Poisoning ✓
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1567.003 · Exfiltration to Text Storage Sites
T1567.004 · Exfiltration Over Webhook
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1609 · Container Administration Command ✓
T1610 · Deploy Container ✓
T1612 · Build Image on Host
T1613 · Container and Resource Discovery ✓
T1619 · Cloud Storage Object Discovery ✓
T1647 · Plist File Modification
T1651 · Cloud Administration Command
T1659 · Content Injection
AC-18
Wireless Access
13/25 detectable
T1011 · Exfiltration Over Other Network Medium
T1011.001 · Exfiltration Over Bluetooth
T1020.001 · Traffic Duplication
T1040 · Network Sniffing ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.008 · Clear Mailbox Data
T1119 · Automated Collection ✓
T1530 · Data from Cloud Storage
T1552 · Unsecured Credentials ✓
T1552.004 · Private Keys ✓
T1557 · Adversary-in-the-Middle ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
AC-19
Access Control for Mobile Devices
16/27 detectable
T1020.001 · Traffic Duplication
T1040 · Network Sniffing ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.008 · Clear Mailbox Data
T1114 · Email Collection ✓
T1114.001 · Local Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1119 · Automated Collection ✓
T1530 · Data from Cloud Storage
T1550.001 · Application Access Token ✓
T1552 · Unsecured Credentials ✓
T1552.004 · Private Keys ✓
T1557 · Adversary-in-the-Middle ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
AC-20
Use of External Systems
46/64 detectable
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.004 · SSH ✓
T1021.007 · Cloud Services ✓
T1021.008 · Direct Cloud VM Connections
T1041 · Exfiltration Over C2 Channel ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1070.008 · Clear Mailbox Data
T1072 · Software Deployment Tools ✓
T1078.002 · Domain Accounts ✓
T1078.004 · Cloud Accounts ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.004 · SSH Authorized Keys ✓
T1098.005 · Device Registration ✓
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1111 · Multi-Factor Authentication Interception
T1114 · Email Collection ✓
T1114.001 · Local Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1119 · Automated Collection ✓
T1133 · External Remote Services ✓
T1134.005 · SID-History Injection ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1200 · Hardware Additions ✓
T1505.005 · Terminal Services DLL ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1539 · Steal Web Session Cookie ✓
T1550.001 · Application Access Token ✓
T1552 · Unsecured Credentials ✓
T1552.004 · Private Keys ✓
T1552.005 · Cloud Instance Metadata API ✓
T1555 · Credentials from Password Stores ✓
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1557 · Adversary-in-the-Middle ✓
T1557.002 · ARP Cache Poisoning ✓
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1567 · Exfiltration Over Web Service ✓
T1567.001 · Exfiltration to Code Repository ✓
T1567.002 · Exfiltration to Cloud Storage ✓
T1578.005 · Modify Cloud Compute Configurations
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
AC-21
Information Sharing
1/5 detectable
AC-23
Data Mining Protection
7/15 detectable
T1005 · Data from Local System ✓
T1025 · Data from Removable Media
T1041 · Exfiltration Over C2 Channel ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1552.007 · Container API ✓
T1567 · Exfiltration Over Web Service ✓
CA
154/222 techniques covered
CA-02
Control Assessments
5/5 detectable
CA-03
Information Exchange
5/7 detectable
T1020.001 · Traffic Duplication
T1041 · Exfiltration Over C2 Channel ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1078 · Valid Accounts ✓
T1567 · Exfiltration Over Web Service ✓
CA-07
Continuous Monitoring
144/210 detectable
T1001 · Data Obfuscation ✓
T1001.001 · Junk Data
T1001.002 · Steganography
T1001.003 · Protocol or Service Impersonation ✓
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1008 · Fallback Channels ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.005 · VNC ✓
T1029 · Scheduled Transfer ✓
T1030 · Data Transfer Size Limits ✓
T1036 · Masquerading ✓
T1036.003 · Rename Legitimate Utilities ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1036.007 · Double File Extension ✓
T1037 · Boot or Logon Initialization Scripts ✓
T1037.002 · Login Hook
T1037.003 · Network Logon Script
T1037.004 · RC Scripts
T1037.005 · Startup Items ✓
T1041 · Exfiltration Over C2 Channel ✓
T1046 · Network Service Discovery ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053.006 · Systemd Timers
T1055.009 · Proc Memory ✓
T1056.002 · GUI Input Capture ✓
T1059 · Command and Scripting Interpreter ✓
T1059.005 · Visual Basic ✓
T1059.007 · JavaScript ✓
T1059.010 · AutoHotKey & AutoIT
T1068 · Exploitation for Privilege Escalation ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1080 · Taint Shared Content
T1090 · Proxy ✓
T1090.001 · Internal Proxy ✓
T1090.002 · External Proxy ✓
T1090.003 · Multi-hop Proxy ✓
T1095 · Non-Application Layer Protocol ✓
T1102 · Web Service ✓
T1102.001 · Dead Drop Resolver ✓
T1102.002 · Bidirectional Communication ✓
T1102.003 · One-Way Communication ✓
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer ✓
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1111 · Multi-Factor Authentication Interception
T1132 · Data Encoding ✓
T1132.001 · Standard Encoding ✓
T1132.002 · Non-Standard Encoding
T1176 · Software Extensions
T1185 · Browser Session Hijacking ✓
T1187 · Forced Authentication ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.002 · Compromise Software Supply Chain ✓
T1197 · BITS Jobs ✓
T1201 · Password Policy Discovery ✓
T1203 · Exploitation for Client Execution ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1205 · Traffic Signaling ✓
T1205.001 · Port Knocking ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.003 · Code Repositories ✓
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1218 · System Binary Proxy Execution ✓
T1218.002 · Control Panel ✓
T1218.010 · Regsvr32 ✓
T1218.011 · Rundll32 ✓
T1218.012 · Verclsid
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1221 · Template Injection ✓
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1489 · Service Stop ✓
T1498 · Network Denial of Service ✓
T1498.001 · Direct Network Flood
T1498.002 · Reflection Amplification
T1499 · Endpoint Denial of Service ✓
T1499.001 · OS Exhaustion Flood ✓
T1499.002 · Service Exhaustion Flood
T1499.003 · Application Exhaustion Flood
T1499.004 · Application or System Exploitation ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1539 · Steal Web Session Cookie ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.002 · Systemd Service ✓
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1546.004 · Unix Shell Configuration Modification ✓
T1546.013 · PowerShell Profile ✓
T1546.016 · Installer Packages
T1547.003 · Time Providers ✓
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.006 · TCC Manipulation
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1552.005 · Cloud Instance Metadata API ✓
T1553.003 · SIP and Trust Provider Hijacking ✓
T1555 · Credentials from Password Stores ✓
T1555.001 · Keychain ✓
T1555.002 · Securityd Memory
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1558.005 · Ccache Files
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1563.001 · SSH Hijacking
T1564.004 · NTFS File Attributes ✓
T1564.010 · Process Argument Spoofing
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1566.003 · Spearphishing via Service
T1567 · Exfiltration Over Web Service ✓
T1568 · Dynamic Resolution ✓
T1568.002 · Domain Generation Algorithms ✓
T1569 · System Services ✓
T1569.002 · Service Execution ✓
T1570 · Lateral Tool Transfer ✓
T1571 · Non-Standard Port ✓
T1572 · Protocol Tunneling ✓
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1574 · Hijack Execution Flow ✓
T1574.004 · Dylib Hijacking
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.013 · KernelCallbackTable
T1574.014 · AppDomainManager ✓
T1598 · Phishing for Information
T1598.001 · Spearphishing Service
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1622 · Debugger Evasion ✓
T1647 · Plist File Modification
CM
835/1198 techniques covered
CM-02
Baseline Configuration
200/287 detectable
T1001 · Data Obfuscation ✓
T1001.001 · Junk Data
T1001.002 · Steganography
T1001.003 · Protocol or Service Impersonation ✓
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1008 · Fallback Channels ✓
T1011.001 · Exfiltration Over Bluetooth
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1027 · Obfuscated Files or Information ✓
T1029 · Scheduled Transfer ✓
T1030 · Data Transfer Size Limits ✓
T1036 · Masquerading ✓
T1036.001 · Invalid Code Signature
T1036.003 · Rename Legitimate Utilities ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1036.007 · Double File Extension ✓
T1037 · Boot or Logon Initialization Scripts ✓
T1037.002 · Login Hook
T1037.003 · Network Logon Script
T1037.004 · RC Scripts
T1037.005 · Startup Items ✓
T1046 · Network Service Discovery ✓
T1047 · Windows Management Instrumentation ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.003 · Cron ✓
T1053.005 · Scheduled Task ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1059.010 · AutoHotKey & AutoIT
T1059.011 · Lua
T1068 · Exploitation for Privilege Escalation ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1072 · Software Deployment Tools ✓
T1080 · Taint Shared Content
T1090 · Proxy ✓
T1090.001 · Internal Proxy ✓
T1090.002 · External Proxy ✓
T1091 · Replication Through Removable Media ✓
T1092 · Communication Through Removable Media
T1095 · Non-Application Layer Protocol ✓
T1098.004 · SSH Authorized Keys ✓
T1102 · Web Service ✓
T1102.001 · Dead Drop Resolver ✓
T1102.002 · Bidirectional Communication ✓
T1102.003 · One-Way Communication ✓
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer ✓
T1106 · Native API ✓
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1111 · Multi-Factor Authentication Interception
T1114 · Email Collection ✓
T1114.002 · Remote Email Collection
T1119 · Automated Collection ✓
T1127 · Trusted Developer Utilities Proxy Execution ✓
T1127.001 · MSBuild ✓
T1127.002 · ClickOnce
T1129 · Shared Modules ✓
T1132 · Data Encoding ✓
T1132.001 · Standard Encoding ✓
T1132.002 · Non-Standard Encoding
T1133 · External Remote Services ✓
T1134.005 · SID-History Injection ✓
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1137.002 · Office Test ✓
T1137.003 · Outlook Forms ✓
T1137.004 · Outlook Home Page
T1137.005 · Outlook Rules
T1137.006 · Add-ins ✓
T1176 · Software Extensions
T1185 · Browser Session Hijacking ✓
T1187 · Forced Authentication ✓
T1189 · Drive-by Compromise ✓
T1195 · Supply Chain Compromise ✓
T1195.003 · Compromise Hardware Supply Chain
T1201 · Password Policy Discovery ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1205 · Traffic Signaling ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.005 · Messaging Applications
T1216 · System Script Proxy Execution ✓
T1216.001 · PubPrn ✓
T1216.002 · SyncAppvPublishingServer
T1218 · System Binary Proxy Execution ✓
T1218.001 · Compiled HTML File ✓
T1218.002 · Control Panel ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.007 · Msiexec ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1220 · XSL Script Processing ✓
T1221 · Template Injection ✓
T1482 · Domain Trust Discovery ✓
T1484 · Domain or Tenant Policy Modification ✓
T1485 · Data Destruction ✓
T1486 · Data Encrypted for Impact ✓
T1490 · Inhibit System Recovery ✓
T1491 · Defacement
T1491.001 · Internal Defacement ✓
T1491.002 · External Defacement
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.003 · Web Shell ✓
T1505.004 · IIS Components ✓
T1505.005 · Terminal Services DLL ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1539 · Steal Web Session Cookie ✓
T1542 · Pre-OS Boot
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.001 · Launch Agent ✓
T1543.002 · Systemd Service ✓
T1543.003 · Windows Service ✓
T1543.004 · Launch Daemon ✓
T1546 · Event Triggered Execution ✓
T1546.002 · Screensaver ✓
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1546.004 · Unix Shell Configuration Modification ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.010 · AppInit DLLs ✓
T1546.013 · PowerShell Profile ✓
T1546.014 · Emond ✓
T1547.003 · Time Providers ✓
T1547.007 · Re-opened Applications
T1547.008 · LSASS Driver ✓
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.004 · Elevated Execution with Prompt
T1548.006 · TCC Manipulation
T1550.001 · Application Access Token ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1552.006 · Group Policy Preferences ✓
T1553 · Subvert Trust Controls ✓
T1553.001 · Gatekeeper Bypass ✓
T1553.003 · SIP and Trust Provider Hijacking ✓
T1553.005 · Mark-of-the-Web Bypass ✓
T1553.006 · Code Signing Policy Modification
T1554 · Compromise Host Software Binary ✓
T1555.004 · Windows Credential Manager ✓
T1555.005 · Password Managers ✓
T1556 · Modify Authentication Process ✓
T1556.004 · Network Device Authentication ✓
T1556.008 · Network Provider DLL
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.001 · Golden Ticket
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1559.002 · Dynamic Data Exchange ✓
T1560 · Archive Collected Data ✓
T1560.001 · Archive via Utility ✓
T1561 · Disk Wipe
T1561.001 · Disk Content Wipe ✓
T1561.002 · Disk Structure Wipe ✓
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.003 · Impair Command History Logging
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.010 · Downgrade Attack
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1564.006 · Run Virtual Instance ✓
T1564.007 · VBA Stomping
T1564.009 · Resource Forking
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1569 · System Services ✓
T1569.002 · Service Execution ✓
T1570 · Lateral Tool Transfer ✓
T1571 · Non-Standard Port ✓
T1572 · Protocol Tunneling ✓
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1574 · Hijack Execution Flow ✓
T1574.001 · DLL ✓
T1574.004 · Dylib Hijacking
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.010 · Services File Permissions Weakness ✓
T1574.013 · KernelCallbackTable
T1578 · Modify Cloud Compute Infrastructure ✓
T1578.001 · Create Snapshot
T1578.002 · Create Cloud Instance
T1578.003 · Delete Cloud Instance ✓
T1598 · Phishing for Information
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1612 · Build Image on Host
T1622 · Debugger Evasion ✓
T1647 · Plist File Modification
T1653 · Power Settings ✓
CM-03
Configuration Change Control
14/35 detectable
T1021.005 · VNC ✓
T1059.006 · Python ✓
T1176 · Software Extensions
T1195 · Supply Chain Compromise ✓
T1195.003 · Compromise Hardware Supply Chain
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.005 · Messaging Applications
T1495 · Firmware Corruption ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.002 · Systemd Service ✓
T1546 · Event Triggered Execution ✓
T1547.007 · Re-opened Applications
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1553 · Subvert Trust Controls ✓
T1553.006 · Code Signing Policy Modification
T1555 · Credentials from Password Stores ✓
T1556.008 · Network Provider DLL
T1562.008 · Disable or Modify Cloud Logs
T1562.012 · Disable or Modify Linux Audit System
T1564.008 · Email Hiding Rules
T1578.005 · Modify Cloud Compute Configurations
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1647 · Plist File Modification
T1653 · Power Settings ✓
T1666 · Modify Cloud Resource Hierarchy
CM-05
Access Restrictions for Change
112/162 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1021.008 · Direct Cloud VM Connections
T1047 · Windows Management Instrumentation ✓
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.003 · Cron ✓
T1053.005 · Scheduled Task ✓
T1053.006 · Systemd Timers
T1053.007 · Container Orchestration Job
T1055 · Process Injection ✓
T1055.008 · Ptrace System Calls ✓
T1056.003 · Web Portal Capture
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.006 · Python ✓
T1059.008 · Network Device CLI
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.004 · SSH Authorized Keys ✓
T1098.005 · Device Registration ✓
T1098.007 · Additional Local or Domain Groups
T1134 · Access Token Manipulation ✓
T1134.001 · Token Impersonation/Theft ✓
T1134.002 · Create Process with Token ✓
T1134.003 · Make and Impersonate Token ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1137.002 · Office Test ✓
T1176 · Software Extensions
T1185 · Browser Session Hijacking ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.003 · Compromise Hardware Supply Chain
T1197 · BITS Jobs ✓
T1210 · Exploitation of Remote Services ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.005 · Messaging Applications
T1218 · System Binary Proxy Execution ✓
T1218.007 · Msiexec ✓
T1218.015 · Electron Applications
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1484 · Domain or Tenant Policy Modification ✓
T1489 · Service Stop ✓
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.002 · Transport Agent ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.001 · Launch Agent ✓
T1543.002 · Systemd Service ✓
T1543.003 · Windows Service ✓
T1543.004 · Launch Daemon ✓
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1546.016 · Installer Packages
T1547.003 · Time Providers ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.007 · Re-opened Applications
T1547.009 · Shortcut Modification ✓
T1547.012 · Print Processors
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.005 · Temporary Elevated Cloud Access
T1548.006 · TCC Manipulation
T1550 · Use Alternate Authentication Material ✓
T1550.002 · Pass the Hash ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.002 · Credentials in Registry ✓
T1552.007 · Container API ✓
T1553 · Subvert Trust Controls ✓
T1553.006 · Code Signing Policy Modification
T1554 · Compromise Host Software Binary ✓
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.008 · Network Provider DLL
T1556.009 · Conditional Access Policies
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.001 · Golden Ticket
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1559.003 · XPC Services
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.007 · Disable or Modify Cloud Firewall
T1562.008 · Disable or Modify Cloud Logs
T1562.009 · Safe Mode Boot
T1562.011 · Spoof Security Alerting
T1562.012 · Disable or Modify Linux Audit System
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1564.008 · Email Hiding Rules
T1569 · System Services ✓
T1569.001 · Launchctl ✓
T1569.002 · Service Execution ✓
T1574 · Hijack Execution Flow ✓
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.010 · Services File Permissions Weakness ✓
T1574.011 · Services Registry Permissions Weakness ✓
T1574.012 · COR_PROFILER ✓
T1574.014 · AppDomainManager ✓
T1578 · Modify Cloud Compute Infrastructure ✓
T1578.001 · Create Snapshot
T1578.002 · Create Cloud Instance
T1578.003 · Delete Cloud Instance ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1611 · Escape to Host ✓
T1619 · Cloud Storage Object Discovery ✓
T1621 · Multi-Factor Authentication Request Generation ✓
T1647 · Plist File Modification
CM-06
Configuration Settings
244/344 detectable
T1001 · Data Obfuscation ✓
T1001.001 · Junk Data
T1001.002 · Steganography
T1001.003 · Protocol or Service Impersonation ✓
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1008 · Fallback Channels ✓
T1011 · Exfiltration Over Other Network Medium
T1011.001 · Exfiltration Over Bluetooth
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1021.008 · Direct Cloud VM Connections
T1027 · Obfuscated Files or Information ✓
T1027.010 · Command Obfuscation ✓
T1029 · Scheduled Transfer ✓
T1030 · Data Transfer Size Limits ✓
T1036 · Masquerading ✓
T1036.001 · Invalid Code Signature
T1036.003 · Rename Legitimate Utilities ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1036.007 · Double File Extension ✓
T1036.010 · Masquerade Account Name
T1037 · Boot or Logon Initialization Scripts ✓
T1037.002 · Login Hook
T1037.003 · Network Logon Script
T1037.004 · RC Scripts
T1037.005 · Startup Items ✓
T1046 · Network Service Discovery ✓
T1047 · Windows Management Instrumentation ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.005 · Scheduled Task ✓
T1053.006 · Systemd Timers
T1055 · Process Injection ✓
T1055.008 · Ptrace System Calls ✓
T1056.003 · Web Portal Capture
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1059.010 · AutoHotKey & AutoIT
T1059.011 · Lua
T1068 · Exploitation for Privilege Escalation ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1087 · Account Discovery ✓
T1087.001 · Local Account ✓
T1087.002 · Domain Account ✓
T1090 · Proxy ✓
T1090.001 · Internal Proxy ✓
T1090.002 · External Proxy ✓
T1090.003 · Multi-hop Proxy ✓
T1091 · Replication Through Removable Media ✓
T1092 · Communication Through Removable Media
T1095 · Non-Application Layer Protocol ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.004 · SSH Authorized Keys ✓
T1098.005 · Device Registration ✓
T1098.007 · Additional Local or Domain Groups
T1102 · Web Service ✓
T1102.001 · Dead Drop Resolver ✓
T1102.002 · Bidirectional Communication ✓
T1102.003 · One-Way Communication ✓
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer ✓
T1106 · Native API ✓
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1111 · Multi-Factor Authentication Interception
T1114 · Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1119 · Automated Collection ✓
T1127 · Trusted Developer Utilities Proxy Execution ✓
T1127.001 · MSBuild ✓
T1127.002 · ClickOnce
T1132 · Data Encoding ✓
T1132.001 · Standard Encoding ✓
T1132.002 · Non-Standard Encoding
T1133 · External Remote Services ✓
T1134 · Access Token Manipulation ✓
T1134.001 · Token Impersonation/Theft ✓
T1134.002 · Create Process with Token ✓
T1134.003 · Make and Impersonate Token ✓
T1134.005 · SID-History Injection ✓
T1135 · Network Share Discovery ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1137.002 · Office Test ✓
T1137.003 · Outlook Forms ✓
T1137.004 · Outlook Home Page
T1137.005 · Outlook Rules
T1137.006 · Add-ins ✓
T1176 · Software Extensions
T1187 · Forced Authentication ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1197 · BITS Jobs ✓
T1199 · Trusted Relationship ✓
T1201 · Password Policy Discovery ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1205 · Traffic Signaling ✓
T1205.001 · Port Knocking ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1216 · System Script Proxy Execution ✓
T1216.001 · PubPrn ✓
T1216.002 · SyncAppvPublishingServer
T1218 · System Binary Proxy Execution ✓
T1218.001 · Compiled HTML File ✓
T1218.002 · Control Panel ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.007 · Msiexec ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1220 · XSL Script Processing ✓
T1221 · Template Injection ✓
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1482 · Domain Trust Discovery ✓
T1484 · Domain or Tenant Policy Modification ✓
T1489 · Service Stop ✓
T1490 · Inhibit System Recovery ✓
T1495 · Firmware Corruption ✓
T1498 · Network Denial of Service ✓
T1498.001 · Direct Network Flood
T1498.002 · Reflection Amplification
T1499 · Endpoint Denial of Service ✓
T1499.001 · OS Exhaustion Flood ✓
T1499.002 · Service Exhaustion Flood
T1499.003 · Application Exhaustion Flood
T1499.004 · Application or System Exploitation ✓
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.003 · Web Shell ✓
T1505.004 · IIS Components ✓
T1505.005 · Terminal Services DLL ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1539 · Steal Web Session Cookie ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.002 · Systemd Service ✓
T1546 · Event Triggered Execution ✓
T1546.002 · Screensaver ✓
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1546.004 · Unix Shell Configuration Modification ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.008 · Accessibility Features ✓
T1546.013 · PowerShell Profile ✓
T1546.014 · Emond ✓
T1546.016 · Installer Packages
T1547.002 · Authentication Package ✓
T1547.003 · Time Providers ✓
T1547.005 · Security Support Provider ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.007 · Re-opened Applications
T1547.008 · LSASS Driver ✓
T1547.009 · Shortcut Modification ✓
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.001 · Setuid and Setgid ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.004 · Elevated Execution with Prompt
T1548.006 · TCC Manipulation
T1550 · Use Alternate Authentication Material ✓
T1550.001 · Application Access Token ✓
T1550.002 · Pass the Hash ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.003 · Shell History ✓
T1552.004 · Private Keys ✓
T1552.005 · Cloud Instance Metadata API ✓
T1552.006 · Group Policy Preferences ✓
T1552.007 · Container API ✓
T1553 · Subvert Trust Controls ✓
T1553.001 · Gatekeeper Bypass ✓
T1553.003 · SIP and Trust Provider Hijacking ✓
T1553.004 · Install Root Certificate ✓
T1553.005 · Mark-of-the-Web Bypass ✓
T1554 · Compromise Host Software Binary ✓
T1555.004 · Windows Credential Manager ✓
T1555.005 · Password Managers ✓
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.002 · Password Filter DLL ✓
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.008 · Network Provider DLL
T1556.009 · Conditional Access Policies
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.001 · Golden Ticket
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1559.002 · Dynamic Data Exchange ✓
T1559.003 · XPC Services
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.003 · Impair Command History Logging
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.009 · Safe Mode Boot
T1562.010 · Downgrade Attack
T1562.011 · Spoof Security Alerting
T1562.012 · Disable or Modify Linux Audit System
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1564.002 · Hidden Users ✓
T1564.006 · Run Virtual Instance ✓
T1564.007 · VBA Stomping
T1564.009 · Resource Forking
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1569 · System Services ✓
T1569.002 · Service Execution ✓
T1570 · Lateral Tool Transfer ✓
T1571 · Non-Standard Port ✓
T1572 · Protocol Tunneling ✓
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1574 · Hijack Execution Flow ✓
T1574.001 · DLL ✓
T1574.004 · Dylib Hijacking
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.006 · Dynamic Linker Hijacking ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.010 · Services File Permissions Weakness ✓
T1574.014 · AppDomainManager ✓
T1590.002 · DNS ✓
T1598 · Phishing for Information
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1609 · Container Administration Command ✓
T1610 · Deploy Container ✓
T1611 · Escape to Host ✓
T1612 · Build Image on Host
T1613 · Container and Resource Discovery ✓
T1622 · Debugger Evasion ✓
T1647 · Plist File Modification
T1648 · Serverless Execution
CM-07
Least Functionality
162/225 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.005 · Cached Domain Credentials ✓
T1008 · Fallback Channels ✓
T1011 · Exfiltration Over Other Network Medium
T1011.001 · Exfiltration Over Bluetooth
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1021.008 · Direct Cloud VM Connections
T1027 · Obfuscated Files or Information ✓
T1036 · Masquerading ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1036.007 · Double File Extension ✓
T1036.008 · Masquerade File Type
T1037 · Boot or Logon Initialization Scripts ✓
T1037.001 · Logon Script (Windows) ✓
T1040 · Network Sniffing ✓
T1046 · Network Service Discovery ✓
T1047 · Windows Management Instrumentation ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.005 · Scheduled Task ✓
T1059 · Command and Scripting Interpreter ✓
T1059.005 · Visual Basic ✓
T1059.007 · JavaScript ✓
T1059.009 · Cloud API ✓
T1059.010 · AutoHotKey & AutoIT
T1068 · Exploitation for Privilege Escalation ✓
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.004 · Cloud Accounts ✓
T1080 · Taint Shared Content
T1087 · Account Discovery ✓
T1087.001 · Local Account ✓
T1087.002 · Domain Account ✓
T1090 · Proxy ✓
T1090.001 · Internal Proxy ✓
T1090.002 · External Proxy ✓
T1090.003 · Multi-hop Proxy ✓
T1092 · Communication Through Removable Media
T1095 · Non-Application Layer Protocol ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.004 · SSH Authorized Keys ✓
T1098.007 · Additional Local or Domain Groups
T1102 · Web Service ✓
T1102.001 · Dead Drop Resolver ✓
T1102.002 · Bidirectional Communication ✓
T1102.003 · One-Way Communication ✓
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer ✓
T1106 · Native API ✓
T1112 · Modify Registry ✓
T1127 · Trusted Developer Utilities Proxy Execution ✓
T1127.002 · ClickOnce
T1129 · Shared Modules ✓
T1133 · External Remote Services ✓
T1135 · Network Share Discovery ✓
T1136 · Create Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1176 · Software Extensions
T1187 · Forced Authentication ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.002 · Compromise Software Supply Chain ✓
T1197 · BITS Jobs ✓
T1199 · Trusted Relationship ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1205 · Traffic Signaling ✓
T1205.001 · Port Knocking ✓
T1210 · Exploitation of Remote Services ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1216 · System Script Proxy Execution ✓
T1216.001 · PubPrn ✓
T1216.002 · SyncAppvPublishingServer
T1218 · System Binary Proxy Execution ✓
T1218.001 · Compiled HTML File ✓
T1218.002 · Control Panel ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.007 · Msiexec ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1220 · XSL Script Processing ✓
T1221 · Template Injection ✓
T1482 · Domain Trust Discovery ✓
T1484 · Domain or Tenant Policy Modification ✓
T1489 · Service Stop ✓
T1490 · Inhibit System Recovery ✓
T1498 · Network Denial of Service ✓
T1498.001 · Direct Network Flood
T1498.002 · Reflection Amplification
T1499 · Endpoint Denial of Service ✓
T1499.001 · OS Exhaustion Flood ✓
T1499.002 · Service Exhaustion Flood
T1499.003 · Application Exhaustion Flood
T1499.004 · Application or System Exploitation ✓
T1505.004 · IIS Components ✓
T1525 · Implant Internal Image ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1546.002 · Screensaver ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.008 · Accessibility Features ✓
T1546.009 · AppCert DLLs ✓
T1546.010 · AppInit DLLs ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.007 · Re-opened Applications
T1547.009 · Shortcut Modification ✓
T1548 · Abuse Elevation Control Mechanism ✓
T1548.001 · Setuid and Setgid ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.004 · Elevated Execution with Prompt
T1548.006 · TCC Manipulation
T1552 · Unsecured Credentials ✓
T1552.003 · Shell History ✓
T1552.005 · Cloud Instance Metadata API ✓
T1552.007 · Container API ✓
T1553 · Subvert Trust Controls ✓
T1553.001 · Gatekeeper Bypass ✓
T1553.003 · SIP and Trust Provider Hijacking ✓
T1553.004 · Install Root Certificate ✓
T1553.005 · Mark-of-the-Web Bypass ✓
T1553.006 · Code Signing Policy Modification
T1555.004 · Windows Credential Manager ✓
T1555.006 · Cloud Secrets Management Stores
T1556 · Modify Authentication Process ✓
T1556.002 · Password Filter DLL ✓
T1556.008 · Network Provider DLL
T1556.009 · Conditional Access Policies
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1559 · Inter-Process Communication ✓
T1559.002 · Dynamic Data Exchange ✓
T1559.003 · XPC Services
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.003 · Impair Command History Logging
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.009 · Safe Mode Boot
T1562.010 · Downgrade Attack
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1564.002 · Hidden Users ✓
T1564.003 · Hidden Window ✓
T1564.006 · Run Virtual Instance ✓
T1564.008 · Email Hiding Rules
T1564.009 · Resource Forking
T1565 · Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1569 · System Services ✓
T1569.002 · Service Execution ✓
T1570 · Lateral Tool Transfer ✓
T1571 · Non-Standard Port ✓
T1572 · Protocol Tunneling ✓
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1574 · Hijack Execution Flow ✓
T1574.001 · DLL ✓
T1574.006 · Dynamic Linker Hijacking ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.012 · COR_PROFILER ✓
T1574.014 · AppDomainManager ✓
T1590.002 · DNS ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1609 · Container Administration Command ✓
T1610 · Deploy Container ✓
T1611 · Escape to Host ✓
T1612 · Build Image on Host
T1613 · Container and Resource Discovery ✓
T1622 · Debugger Evasion ✓
T1647 · Plist File Modification
T1648 · Serverless Execution
T1653 · Power Settings ✓
CM-08
System Component Inventory
66/101 detectable
T1011.001 · Exfiltration Over Bluetooth
T1020.001 · Traffic Duplication
T1021.001 · Remote Desktop Protocol ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1046 · Network Service Discovery ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.005 · Scheduled Task ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.005 · Visual Basic ✓
T1059.007 · JavaScript ✓
T1059.010 · AutoHotKey & AutoIT
T1068 · Exploitation for Privilege Escalation ✓
T1072 · Software Deployment Tools ✓
T1091 · Replication Through Removable Media ✓
T1092 · Communication Through Removable Media
T1098.004 · SSH Authorized Keys ✓
T1119 · Automated Collection ✓
T1127 · Trusted Developer Utilities Proxy Execution ✓
T1127.001 · MSBuild ✓
T1127.002 · ClickOnce
T1133 · External Remote Services ✓
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.003 · Compromise Hardware Supply Chain
T1203 · Exploitation for Client Execution ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.005 · Messaging Applications
T1218 · System Binary Proxy Execution ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1221 · Template Injection ✓
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.004 · IIS Components ✓
T1530 · Data from Cloud Storage
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1546.002 · Screensaver ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.014 · Emond ✓
T1547.007 · Re-opened Applications
T1548 · Abuse Elevation Control Mechanism ✓
T1548.004 · Elevated Execution with Prompt
T1548.006 · TCC Manipulation
T1553 · Subvert Trust Controls ✓
T1553.006 · Code Signing Policy Modification
T1556.009 · Conditional Access Policies
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1559 · Inter-Process Communication ✓
T1559.002 · Dynamic Data Exchange ✓
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1564.006 · Run Virtual Instance ✓
T1564.007 · VBA Stomping
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1574 · Hijack Execution Flow ✓
T1574.004 · Dylib Hijacking
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1593.003 · Code Repositories ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1622 · Debugger Evasion ✓
CM-10
Software Usage Restrictions
8/9 detectable
T1546.008 · Accessibility Features ✓
T1546.013 · PowerShell Profile ✓
T1550.001 · Application Access Token ✓
T1553 · Subvert Trust Controls ✓
T1553.004 · Install Root Certificate ✓
T1559 · Inter-Process Communication ✓
T1559.002 · Dynamic Data Exchange ✓
T1562.006 · Indicator Blocking ✓
T1562.009 · Safe Mode Boot
CM-11
User-installed Software
28/33 detectable
T1021.005 · VNC ✓
T1059 · Command and Scripting Interpreter ✓
T1059.006 · Python ✓
T1072 · Software Deployment Tools ✓
T1176 · Software Extensions
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.002 · Compromise Software Supply Chain ✓
T1218 · System Binary Proxy Execution ✓
T1218.001 · Compiled HTML File ✓
T1218.002 · Control Panel ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.004 · IIS Components ✓
T1543 · Create or Modify System Process ✓
T1543.001 · Launch Agent ✓
T1543.002 · Systemd Service ✓
T1543.003 · Windows Service ✓
T1543.004 · Launch Daemon ✓
T1547.013 · XDG Autostart Entries
T1550.001 · Application Access Token ✓
T1564.009 · Resource Forking
T1569 · System Services ✓
T1569.001 · Launchctl ✓
CM-12
Information Location
1/2 detectable
CP
45/67 techniques covered
CP-02
Contingency Plan
6/9 detectable
CP-06
Alternate Storage Site
6/8 detectable
CP-07
Alternate Processing Site
11/16 detectable
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.008 · Clear Mailbox Data
T1119 · Automated Collection ✓
T1485 · Data Destruction ✓
T1486 · Data Encrypted for Impact ✓
T1490 · Inhibit System Recovery ✓
T1491 · Defacement
T1491.001 · Internal Defacement ✓
T1491.002 · External Defacement
T1561 · Disk Wipe
T1561.001 · Disk Content Wipe ✓
T1561.002 · Disk Structure Wipe ✓
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
CP-09
System Backup
14/22 detectable
T1003 · OS Credential Dumping ✓
T1003.003 · NTDS ✓
T1005 · Data from Local System ✓
T1025 · Data from Removable Media
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.008 · Clear Mailbox Data
T1119 · Automated Collection ✓
T1485 · Data Destruction ✓
T1485.001 · Lifecycle-Triggered Deletion
T1486 · Data Encrypted for Impact ✓
T1490 · Inhibit System Recovery ✓
T1491 · Defacement
T1491.001 · Internal Defacement ✓
T1491.002 · External Defacement
T1561 · Disk Wipe
T1561.001 · Disk Content Wipe ✓
T1561.002 · Disk Structure Wipe ✓
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
CP-10
System Recovery and Reconstitution
8/12 detectable
T1485 · Data Destruction ✓
T1485.001 · Lifecycle-Triggered Deletion
T1486 · Data Encrypted for Impact ✓
T1490 · Inhibit System Recovery ✓
T1491 · Defacement
T1491.001 · Internal Defacement ✓
T1491.002 · External Defacement
T1561 · Disk Wipe
T1561.001 · Disk Content Wipe ✓
T1561.002 · Disk Structure Wipe ✓
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
IA
258/381 techniques covered
IA-02
Identification and Authentication (Organizational Users)
126/173 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1021.007 · Cloud Services ✓
T1021.008 · Direct Cloud VM Connections
T1036.007 · Double File Extension ✓
T1036.010 · Masquerade Account Name
T1040 · Network Sniffing ✓
T1047 · Windows Management Instrumentation ✓
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.003 · Cron ✓
T1053.005 · Scheduled Task ✓
T1053.006 · Systemd Timers
T1053.007 · Container Orchestration Job
T1055 · Process Injection ✓
T1055.008 · Ptrace System Calls ✓
T1056.003 · Web Portal Capture
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.008 · Network Device CLI
T1059.009 · Cloud API ✓
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1087.004 · Cloud Account ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.004 · SSH Authorized Keys ✓
T1098.007 · Additional Local or Domain Groups
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1111 · Multi-Factor Authentication Interception
T1114 · Email Collection ✓
T1114.002 · Remote Email Collection
T1133 · External Remote Services ✓
T1134 · Access Token Manipulation ✓
T1134.001 · Token Impersonation/Theft ✓
T1134.002 · Create Process with Token ✓
T1134.003 · Make and Impersonate Token ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1185 · Browser Session Hijacking ✓
T1190 · Exploit Public-Facing Application ✓
T1197 · BITS Jobs ✓
T1210 · Exploitation of Remote Services ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.003 · Code Repositories ✓
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1218 · System Binary Proxy Execution ✓
T1218.007 · Msiexec ✓
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1484 · Domain or Tenant Policy Modification ✓
T1489 · Service Stop ✓
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.002 · Transport Agent ✓
T1505.004 · IIS Components ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1538 · Cloud Service Dashboard
T1539 · Steal Web Session Cookie ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.001 · Launch Agent ✓
T1543.002 · Systemd Service ✓
T1543.003 · Windows Service ✓
T1543.004 · Launch Daemon ✓
T1543.005 · Container Service
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.009 · Shortcut Modification ✓
T1547.012 · Print Processors
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1550 · Use Alternate Authentication Material ✓
T1550.001 · Application Access Token ✓
T1550.002 · Pass the Hash ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1552.006 · Group Policy Preferences ✓
T1552.007 · Container API ✓
T1555.005 · Password Managers ✓
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.006 · Multi-Factor Authentication ✓
T1556.007 · Hybrid Identity
T1556.009 · Conditional Access Policies
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.001 · Golden Ticket
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1558.005 · Ccache Files
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.007 · Disable or Modify Cloud Firewall
T1562.008 · Disable or Modify Cloud Logs
T1562.009 · Safe Mode Boot
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1569 · System Services ✓
T1569.001 · Launchctl ✓
T1569.002 · Service Execution ✓
T1574 · Hijack Execution Flow ✓
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.010 · Services File Permissions Weakness ✓
T1574.012 · COR_PROFILER ✓
T1578 · Modify Cloud Compute Infrastructure ✓
T1578.001 · Create Snapshot
T1578.002 · Create Cloud Instance
T1578.003 · Delete Cloud Instance ✓
T1580 · Cloud Infrastructure Discovery ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1610 · Deploy Container ✓
T1611 · Escape to Host ✓
T1613 · Container and Resource Discovery ✓
T1619 · Cloud Storage Object Discovery ✓
T1621 · Multi-Factor Authentication Request Generation ✓
T1648 · Serverless Execution
T1649 · Steal or Forge Authentication Certificates ✓
T1651 · Cloud Administration Command
IA-03
Device Identification and Authentication
4/8 detectable
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1552 · Unsecured Credentials ✓
T1552.005 · Cloud Instance Metadata API ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1621 · Multi-Factor Authentication Request Generation ✓
IA-04
Identifier Management
22/36 detectable
T1003 · OS Credential Dumping ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.005 · VNC ✓
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.005 · Scheduled Task ✓
T1098.007 · Additional Local or Domain Groups
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1543 · Create or Modify System Process ✓
T1547.006 · Kernel Modules and Extensions ✓
T1550.001 · Application Access Token ✓
T1552 · Unsecured Credentials ✓
T1552.005 · Cloud Instance Metadata API ✓
T1562 · Impair Defenses ✓
T1563 · Remote Service Session Hijacking
T1578 · Modify Cloud Compute Infrastructure ✓
T1578.001 · Create Snapshot
T1578.002 · Create Cloud Instance
T1578.003 · Delete Cloud Instance ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
IA-05
Authenticator Management
48/72 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.004 · SSH ✓
T1021.007 · Cloud Services ✓
T1021.008 · Direct Cloud VM Connections
T1040 · Network Sniffing ✓
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.004 · Cloud Accounts ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.004 · SSH Authorized Keys ✓
T1098.006 · Additional Container Cluster Roles
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1111 · Multi-Factor Authentication Interception
T1114 · Email Collection ✓
T1114.002 · Remote Email Collection
T1133 · External Remote Services ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1212 · Exploitation for Credential Access ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1539 · Steal Web Session Cookie ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1552.006 · Group Policy Preferences ✓
T1555 · Credentials from Password Stores ✓
T1555.001 · Keychain ✓
T1555.002 · Securityd Memory
T1555.004 · Windows Credential Manager ✓
T1555.005 · Password Managers ✓
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.005 · Reversible Encryption
T1556.009 · Conditional Access Policies
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.001 · Golden Ticket
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1558.005 · Ccache Files
T1563.001 · SSH Hijacking
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1621 · Multi-Factor Authentication Request Generation ✓
T1649 · Steal or Forge Authentication Certificates ✓
IA-06
Authentication Feedback
4/8 detectable
IA-07
Cryptographic Module Authentication
4/12 detectable
T1195.003 · Compromise Hardware Supply Chain
T1495 · Firmware Corruption ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1553 · Subvert Trust Controls ✓
T1553.006 · Code Signing Policy Modification
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
IA-08
Identification and Authentication (Non-Organizational Users)
12/22 detectable
T1053 · Scheduled Task/Job ✓
T1053.007 · Container Orchestration Job
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.008 · Network Device CLI
T1087.004 · Cloud Account ✓
T1190 · Exploit Public-Facing Application ✓
T1210 · Exploitation of Remote Services ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1538 · Cloud Service Dashboard
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.005 · TFTP Boot
T1547.006 · Kernel Modules and Extensions ✓
IA-09
Service Identification and Authentication
16/22 detectable
T1036 · Masquerading ✓
T1036.001 · Invalid Code Signature
T1036.005 · Match Legitimate Resource Name or Location ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1213.003 · Code Repositories ✓
T1525 · Implant Internal Image ✓
T1546 · Event Triggered Execution ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.013 · PowerShell Profile ✓
T1553 · Subvert Trust Controls ✓
T1553.004 · Install Root Certificate ✓
T1554 · Compromise Host Software Binary ✓
T1562.006 · Indicator Blocking ✓
T1562.009 · Safe Mode Boot
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1598 · Phishing for Information
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
IA-11
Re-authentication
4/7 detectable
IA-12
Identity Proofing
4/4 detectable
IA-13
Identity Providers and Authorization Servers
14/17 detectable
T1078 · Valid Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.004 · Cloud Accounts ✓
T1111 · Multi-Factor Authentication Interception
T1134 · Access Token Manipulation ✓
T1134.001 · Token Impersonation/Theft ✓
T1134.003 · Make and Impersonate Token ✓
T1134.005 · SID-History Injection ✓
T1528 · Steal Application Access Token ✓
T1556 · Modify Authentication Process ✓
T1556.006 · Multi-Factor Authentication ✓
T1556.007 · Hybrid Identity
T1556.009 · Conditional Access Policies
T1606 · Forge Web Credentials ✓
T1606.002 · SAML Tokens ✓
T1621 · Multi-Factor Authentication Request Generation ✓
T1649 · Steal or Forge Authentication Certificates ✓
MP
2/6 techniques covered
RA
92/127 techniques covered
RA-05
Vulnerability Monitoring and Scanning
80/107 detectable
T1011.001 · Exfiltration Over Bluetooth
T1021.001 · Remote Desktop Protocol ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1046 · Network Service Discovery ✓
T1047 · Windows Management Instrumentation ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.003 · Cron ✓
T1053.005 · Scheduled Task ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.005 · Visual Basic ✓
T1059.007 · JavaScript ✓
T1068 · Exploitation for Privilege Escalation ✓
T1078 · Valid Accounts ✓
T1091 · Replication Through Removable Media ✓
T1092 · Communication Through Removable Media
T1098.004 · SSH Authorized Keys ✓
T1127 · Trusted Developer Utilities Proxy Execution ✓
T1127.001 · MSBuild ✓
T1127.002 · ClickOnce
T1133 · External Remote Services ✓
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1176 · Software Extensions
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.002 · Compromise Software Supply Chain ✓
T1204.003 · Malicious Image
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.003 · Code Repositories ✓
T1213.005 · Messaging Applications
T1218 · System Binary Proxy Execution ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1221 · Template Injection ✓
T1482 · Domain Trust Discovery ✓
T1484 · Domain or Tenant Policy Modification ✓
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.003 · Web Shell ✓
T1505.004 · IIS Components ✓
T1505.005 · Terminal Services DLL ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1546.002 · Screensaver ✓
T1546.014 · Emond ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.007 · Re-opened Applications
T1547.008 · LSASS Driver ✓
T1548 · Abuse Elevation Control Mechanism ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.006 · TCC Manipulation
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1552.006 · Group Policy Preferences ✓
T1557 · Adversary-in-the-Middle ✓
T1558.004 · AS-REP Roasting
T1559 · Inter-Process Communication ✓
T1559.002 · Dynamic Data Exchange ✓
T1560 · Archive Collected Data ✓
T1560.001 · Archive via Utility ✓
T1562 · Impair Defenses ✓
T1562.010 · Downgrade Attack
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1566 · Phishing ✓
T1574 · Hijack Execution Flow ✓
T1574.001 · DLL ✓
T1574.004 · Dylib Hijacking
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.010 · Services File Permissions Weakness ✓
T1578 · Modify Cloud Compute Infrastructure ✓
T1578.001 · Create Snapshot
T1578.002 · Create Cloud Instance
T1578.003 · Delete Cloud Instance ✓
T1612 · Build Image on Host
RA-09
Criticality Analysis
4/12 detectable
T1195.003 · Compromise Hardware Supply Chain
T1495 · Firmware Corruption ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1553 · Subvert Trust Controls ✓
T1553.006 · Code Signing Policy Modification
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
RA-10
Threat Hunting
8/8 detectable
T1068 · Exploitation for Privilege Escalation ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.002 · Compromise Software Supply Chain ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
SA
90/129 techniques covered
SA-03
System Development Life Cycle
5/6 detectable
SA-04
Acquisition Process
5/6 detectable
SA-08
Security and Privacy Engineering Principles
13/20 detectable
T1005 · Data from Local System ✓
T1025 · Data from Removable Media
T1041 · Exfiltration Over C2 Channel ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1134.005 · SID-History Injection ✓
T1190 · Exploit Public-Facing Application ✓
T1213.003 · Code Repositories ✓
T1482 · Domain Trust Discovery ✓
T1559.003 · XPC Services
T1567 · Exfiltration Over Web Service ✓
T1574.002 · DLL Side-Loading
T1647 · Plist File Modification
SA-09
External System Services
5/6 detectable
SA-10
Developer Configuration Management
15/27 detectable
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.003 · Compromise Hardware Supply Chain
T1213.003 · Code Repositories ✓
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.004 · IIS Components ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1553 · Subvert Trust Controls ✓
T1553.006 · Code Signing Policy Modification
T1559.003 · XPC Services
T1564.009 · Resource Forking
T1574.002 · DLL Side-Loading
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1647 · Plist File Modification
SA-11
Developer Testing and Evaluation
21/34 detectable
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1134.005 · SID-History Injection ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.003 · Compromise Hardware Supply Chain
T1213.003 · Code Repositories ✓
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.004 · IIS Components ✓
T1528 · Steal Application Access Token ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1552.006 · Group Policy Preferences ✓
T1553 · Subvert Trust Controls ✓
T1553.006 · Code Signing Policy Modification
T1558.004 · AS-REP Roasting
T1559.003 · XPC Services
T1574.002 · DLL Side-Loading
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1612 · Build Image on Host
T1647 · Plist File Modification
SA-15
Development Process, Standards, and Tools
12/14 detectable
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1213.003 · Code Repositories ✓
T1528 · Steal Application Access Token ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1552.006 · Group Policy Preferences ✓
T1558.004 · AS-REP Roasting
T1574.002 · DLL Side-Loading
SA-16
Developer-provided Training
2/3 detectable
SA-17
Developer Security and Privacy Architecture and Design
6/7 detectable
SC
364/537 techniques covered
SC-02
Separation of System and User Functionality
8/8 detectable
T1068 · Exploitation for Privilege Escalation ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1203 · Exploitation for Client Execution ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1611 · Escape to Host ✓
SC-03
Security Function Isolation
15/18 detectable
T1003.001 · LSASS Memory ✓
T1021.003 · Distributed Component Object Model ✓
T1047 · Windows Management Instrumentation ✓
T1068 · Exploitation for Privilege Escalation ✓
T1134.005 · SID-History Injection ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1203 · Exploitation for Client Execution ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1559.002 · Dynamic Data Exchange ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1611 · Escape to Host ✓
SC-04
Information in Shared System Resources
15/29 detectable
T1020.001 · Traffic Duplication
T1040 · Network Sniffing ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.008 · Clear Mailbox Data
T1080 · Taint Shared Content
T1119 · Automated Collection ✓
T1530 · Data from Cloud Storage
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1557 · Adversary-in-the-Middle ✓
T1557.002 · ARP Cache Poisoning ✓
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1558.005 · Ccache Files
T1564.009 · Resource Forking
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1595.003 · Wordlist Scanning
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
SC-05
Denial-of-service Protection
0/1 detectable
SC-06
Resource Availability
0/1 detectable
SC-07
Boundary Protection
109/156 detectable
T1001 · Data Obfuscation ✓
T1001.001 · Junk Data
T1001.002 · Steganography
T1001.003 · Protocol or Service Impersonation ✓
T1008 · Fallback Channels ✓
T1020.001 · Traffic Duplication
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1029 · Scheduled Transfer ✓
T1030 · Data Transfer Size Limits ✓
T1036.008 · Masquerade File Type
T1041 · Exfiltration Over C2 Channel ✓
T1046 · Network Service Discovery ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1055 · Process Injection ✓
T1055.001 · Dynamic-link Library Injection ✓
T1055.002 · Portable Executable Injection
T1055.003 · Thread Execution Hijacking ✓
T1055.004 · Asynchronous Procedure Call
T1055.005 · Thread Local Storage
T1055.008 · Ptrace System Calls ✓
T1055.009 · Proc Memory ✓
T1055.011 · Extra Window Memory Injection ✓
T1055.012 · Process Hollowing ✓
T1055.013 · Process Doppelgänging
T1055.014 · VDSO Hijacking
T1068 · Exploitation for Privilege Escalation ✓
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1071.005 · Publish/Subscribe Protocols
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1080 · Taint Shared Content
T1090 · Proxy ✓
T1090.001 · Internal Proxy ✓
T1090.002 · External Proxy ✓
T1090.003 · Multi-hop Proxy ✓
T1095 · Non-Application Layer Protocol ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1102 · Web Service ✓
T1102.001 · Dead Drop Resolver ✓
T1102.002 · Bidirectional Communication ✓
T1102.003 · One-Way Communication ✓
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer ✓
T1114 · Email Collection ✓
T1114.003 · Email Forwarding Rule ✓
T1132 · Data Encoding ✓
T1132.001 · Standard Encoding ✓
T1132.002 · Non-Standard Encoding
T1133 · External Remote Services ✓
T1136 · Create Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1176 · Software Extensions
T1187 · Forced Authentication ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1197 · BITS Jobs ✓
T1199 · Trusted Relationship ✓
T1203 · Exploitation for Client Execution ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1205 · Traffic Signaling ✓
T1205.001 · Port Knocking ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1218 · System Binary Proxy Execution ✓
T1218.012 · Verclsid
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1221 · Template Injection ✓
T1482 · Domain Trust Discovery ✓
T1489 · Service Stop ✓
T1498 · Network Denial of Service ✓
T1498.001 · Direct Network Flood
T1498.002 · Reflection Amplification
T1499 · Endpoint Denial of Service ✓
T1499.001 · OS Exhaustion Flood ✓
T1499.002 · Service Exhaustion Flood
T1499.003 · Application Exhaustion Flood
T1499.004 · Application or System Exploitation ✓
T1505.004 · IIS Components ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1542 · Pre-OS Boot
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.004 · Private Keys ✓
T1552.005 · Cloud Instance Metadata API ✓
T1552.007 · Container API ✓
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1559.002 · Dynamic Data Exchange ✓
T1560 · Archive Collected Data ✓
T1560.001 · Archive via Utility ✓
T1563 · Remote Service Session Hijacking
T1563.002 · RDP Hijacking ✓
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1566.003 · Spearphishing via Service
T1567 · Exfiltration Over Web Service ✓
T1567.001 · Exfiltration to Code Repository ✓
T1567.002 · Exfiltration to Cloud Storage ✓
T1567.003 · Exfiltration to Text Storage Sites
T1567.004 · Exfiltration Over Webhook
T1568 · Dynamic Resolution ✓
T1568.002 · Domain Generation Algorithms ✓
T1570 · Lateral Tool Transfer ✓
T1571 · Non-Standard Port ✓
T1572 · Protocol Tunneling ✓
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1590.002 · DNS ✓
T1598 · Phishing for Information
T1598.001 · Spearphishing Service
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1609 · Container Administration Command ✓
T1610 · Deploy Container ✓
T1611 · Escape to Host ✓
T1612 · Build Image on Host
T1613 · Container and Resource Discovery ✓
T1622 · Debugger Evasion ✓
T1648 · Serverless Execution
T1659 · Content Injection
SC-08
Transmission Confidentiality and Integrity
11/20 detectable
T1020.001 · Traffic Duplication
T1040 · Network Sniffing ✓
T1090 · Proxy ✓
T1090.004 · Domain Fronting
T1550.001 · Application Access Token ✓
T1550.004 · Web Session Cookie
T1552.007 · Container API ✓
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1562 · Impair Defenses ✓
T1562.006 · Indicator Blocking ✓
T1562.009 · Safe Mode Boot
T1562.010 · Downgrade Attack
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1622 · Debugger Evasion ✓
SC-10
Network Disconnect
3/5 detectable
SC-12
Cryptographic Key Establishment and Management
7/11 detectable
T1072 · Software Deployment Tools ✓
T1098.004 · SSH Authorized Keys ✓
T1521.003
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.004 · Private Keys ✓
T1563.001 · SSH Hijacking
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
SC-13
Cryptographic Protection
3/5 detectable
SC-16
Transmission of Security and Privacy Attributes
3/5 detectable
SC-17
Public Key Infrastructure Certificates
2/2 detectable
SC-18
Mobile Code
27/38 detectable
T1021.003 · Distributed Component Object Model ✓
T1055 · Process Injection ✓
T1055.001 · Dynamic-link Library Injection ✓
T1055.002 · Portable Executable Injection
T1055.003 · Thread Execution Hijacking ✓
T1055.004 · Asynchronous Procedure Call
T1055.005 · Thread Local Storage
T1055.008 · Ptrace System Calls ✓
T1055.009 · Proc Memory ✓
T1055.011 · Extra Window Memory Injection ✓
T1055.012 · Process Hollowing ✓
T1055.013 · Process Doppelgänging
T1055.014 · VDSO Hijacking
T1059 · Command and Scripting Interpreter ✓
T1059.005 · Visual Basic ✓
T1059.007 · JavaScript ✓
T1068 · Exploitation for Privilege Escalation ✓
T1127.002 · ClickOnce
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1137.002 · Office Test ✓
T1137.003 · Outlook Forms ✓
T1137.004 · Outlook Home Page
T1137.005 · Outlook Rules
T1137.006 · Add-ins ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1203 · Exploitation for Client Execution ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1218.001 · Compiled HTML File ✓
T1218.015 · Electron Applications
T1548 · Abuse Elevation Control Mechanism ✓
T1548.004 · Elevated Execution with Prompt
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1559.002 · Dynamic Data Exchange ✓
SC-20
Secure Name/Address Resolution Service (Authoritative Source)
9/14 detectable
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1553.004 · Install Root Certificate ✓
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1568 · Dynamic Resolution ✓
T1568.002 · Domain Generation Algorithms ✓
T1598 · Phishing for Information
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
SC-21
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
5/7 detectable
SC-22
Architecture and Provisioning for Name/Address Resolution Service
5/7 detectable
SC-23
Session Authenticity
11/20 detectable
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1185 · Browser Session Hijacking ✓
T1535 · Unused/Unsupported Cloud Regions
T1550.004 · Web Session Cookie
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1562.006 · Indicator Blocking ✓
T1562.009 · Safe Mode Boot
T1563.001 · SSH Hijacking
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1622 · Debugger Evasion ✓
SC-26
Decoys
3/3 detectable
SC-28
Protection of Information at Rest
26/42 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1005 · Data from Local System ✓
T1025 · Data from Removable Media
T1041 · Exfiltration Over C2 Channel ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1530 · Data from Cloud Storage
T1550.001 · Application Access Token ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.003 · Shell History ✓
T1552.004 · Private Keys ✓
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1567 · Exfiltration Over Web Service ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
SC-29
Heterogeneity
5/5 detectable
SC-30
Concealment and Misdirection
7/7 detectable
SC-31
Covert Channel Analysis
7/11 detectable
T1041 · Exfiltration Over C2 Channel ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1071.005 · Publish/Subscribe Protocols
T1567 · Exfiltration Over Web Service ✓
SC-32
Information System Partitioning
1/1 detectable
SC-34
Non-modifiable Executable Programs
5/15 detectable
T1195.003 · Compromise Hardware Supply Chain
T1218.015 · Electron Applications
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1548 · Abuse Elevation Control Mechanism ✓
T1548.004 · Elevated Execution with Prompt
T1553 · Subvert Trust Controls ✓
T1553.006 · Code Signing Policy Modification
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1611 · Escape to Host ✓
SC-35
External Malicious Code Identification
3/3 detectable
SC-36
Distributed Processing and Storage
5/7 detectable
SC-37
Out-of-band Channels
8/12 detectable
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1114 · Email Collection ✓
T1114.001 · Local Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1213 · Data from Information Repositories ✓
T1213.005 · Messaging Applications
T1489 · Service Stop ✓
SC-38
Operations Security
1/2 detectable
SC-39
Process Isolation
19/22 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1068 · Exploitation for Privilege Escalation ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1203 · Exploitation for Client Execution ✓
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1547.002 · Authentication Package ✓
T1547.005 · Security Support Provider ✓
T1547.008 · LSASS Driver ✓
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1611 · Escape to Host ✓
SC-40
Wireless Link Protection
0/1 detectable
SC-41
Port and I/O Device Access
2/5 detectable
SC-43
Usage Restrictions
4/5 detectable
SC-44
Detonation Chambers
12/22 detectable
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1137.002 · Office Test ✓
T1137.003 · Outlook Forms ✓
T1137.004 · Outlook Home Page
T1137.005 · Outlook Rules
T1137.006 · Add-ins ✓
T1203 · Exploitation for Client Execution ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1221 · Template Injection ✓
T1564.009 · Resource Forking
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1566.003 · Spearphishing via Service
T1598 · Phishing for Information
T1598.001 · Spearphishing Service
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
SC-46
Cross Domain Policy Enforcement
23/27 detectable
T1021.001 · Remote Desktop Protocol ✓
T1021.003 · Distributed Component Object Model ✓
T1021.006 · Windows Remote Management ✓
T1046 · Network Service Discovery ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1072 · Software Deployment Tools ✓
T1098.001 · Additional Cloud Credentials ✓
T1133 · External Remote Services ✓
T1136 · Create Account ✓
T1136.002 · Domain Account ✓
T1190 · Exploit Public-Facing Application ✓
T1199 · Trusted Relationship ✓
T1210 · Exploitation of Remote Services ✓
T1482 · Domain Trust Discovery ✓
T1489 · Service Stop ✓
T1552.007 · Container API ✓
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1563 · Remote Service Session Hijacking
T1563.002 · RDP Hijacking ✓
T1565 · Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1622 · Debugger Evasion ✓
SI
787/1145 techniques covered
SI-02
Flaw Remediation
58/84 detectable
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1027 · Obfuscated Files or Information ✓
T1027.002 · Software Packing ✓
T1027.007 · Dynamic API Resolution
T1027.008 · Stripped Payloads
T1027.009 · Embedded Payloads ✓
T1047 · Windows Management Instrumentation ✓
T1055 · Process Injection ✓
T1055.001 · Dynamic-link Library Injection ✓
T1055.002 · Portable Executable Injection
T1055.003 · Thread Execution Hijacking ✓
T1055.004 · Asynchronous Procedure Call
T1055.005 · Thread Local Storage
T1055.008 · Ptrace System Calls ✓
T1055.009 · Proc Memory ✓
T1055.011 · Extra Window Memory Injection ✓
T1055.012 · Process Hollowing ✓
T1055.013 · Process Doppelgänging
T1055.014 · VDSO Hijacking
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1068 · Exploitation for Privilege Escalation ✓
T1072 · Software Deployment Tools ✓
T1106 · Native API ✓
T1137 · Office Application Startup ✓
T1137.003 · Outlook Forms ✓
T1137.004 · Outlook Home Page
T1137.005 · Outlook Rules
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.002 · Compromise Software Supply Chain ✓
T1195.003 · Compromise Hardware Supply Chain
T1203 · Exploitation for Client Execution ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.003 · Malicious Image
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213.003 · Code Repositories ✓
T1213.005 · Messaging Applications
T1221 · Template Injection ✓
T1495 · Firmware Corruption ✓
T1525 · Implant Internal Image ✓
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1546 · Event Triggered Execution ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.010 · AppInit DLLs ✓
T1546.011 · Application Shimming ✓
T1546.016 · Installer Packages
T1547.006 · Kernel Modules and Extensions ✓
T1548 · Abuse Elevation Control Mechanism ✓
T1548.002 · Bypass User Account Control ✓
T1548.006 · TCC Manipulation
T1550.002 · Pass the Hash ✓
T1552 · Unsecured Credentials ✓
T1552.006 · Group Policy Preferences ✓
T1553 · Subvert Trust Controls ✓
T1553.006 · Code Signing Policy Modification
T1555 · Credentials from Password Stores ✓
T1555.005 · Password Managers ✓
T1559 · Inter-Process Communication ✓
T1559.002 · Dynamic Data Exchange ✓
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.003 · Spearphishing via Service
T1574 · Hijack Execution Flow ✓
T1574.002 · DLL Side-Loading
T1574.013 · KernelCallbackTable
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1606 · Forge Web Credentials ✓
T1606.001 · Web Cookies
T1611 · Escape to Host ✓
SI-03
Malicious Code Protection
153/226 detectable
T1001 · Data Obfuscation ✓
T1001.001 · Junk Data
T1001.002 · Steganography
T1001.003 · Protocol or Service Impersonation ✓
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1005 · Data from Local System ✓
T1008 · Fallback Channels ✓
T1011.001 · Exfiltration Over Bluetooth
T1021.003 · Distributed Component Object Model ✓
T1021.005 · VNC ✓
T1025 · Data from Removable Media
T1027 · Obfuscated Files or Information ✓
T1027.002 · Software Packing ✓
T1027.007 · Dynamic API Resolution
T1027.008 · Stripped Payloads
T1027.009 · Embedded Payloads ✓
T1027.010 · Command Obfuscation ✓
T1027.012 · LNK Icon Smuggling
T1027.013 · Encrypted/Encoded File
T1027.014 · Polymorphic Code
T1029 · Scheduled Transfer ✓
T1030 · Data Transfer Size Limits ✓
T1036 · Masquerading ✓
T1036.003 · Rename Legitimate Utilities ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1036.008 · Masquerade File Type
T1037 · Boot or Logon Initialization Scripts ✓
T1037.002 · Login Hook
T1037.003 · Network Logon Script
T1037.004 · RC Scripts
T1037.005 · Startup Items ✓
T1041 · Exfiltration Over C2 Channel ✓
T1046 · Network Service Discovery ✓
T1047 · Windows Management Instrumentation ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1055 · Process Injection ✓
T1055.001 · Dynamic-link Library Injection ✓
T1055.002 · Portable Executable Injection
T1055.003 · Thread Execution Hijacking ✓
T1055.004 · Asynchronous Procedure Call
T1055.005 · Thread Local Storage
T1055.008 · Ptrace System Calls ✓
T1055.009 · Proc Memory ✓
T1055.011 · Extra Window Memory Injection ✓
T1055.012 · Process Hollowing ✓
T1055.013 · Process Doppelgänging
T1055.014 · VDSO Hijacking
T1055.015 · ListPlanting
T1056.002 · GUI Input Capture ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1059.010 · AutoHotKey & AutoIT
T1059.011 · Lua
T1068 · Exploitation for Privilege Escalation ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1070.010 · Relocate Malware
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1072 · Software Deployment Tools ✓
T1080 · Taint Shared Content
T1090 · Proxy ✓
T1090.001 · Internal Proxy ✓
T1090.002 · External Proxy ✓
T1091 · Replication Through Removable Media ✓
T1092 · Communication Through Removable Media
T1095 · Non-Application Layer Protocol ✓
T1098.004 · SSH Authorized Keys ✓
T1102 · Web Service ✓
T1102.001 · Dead Drop Resolver ✓
T1102.002 · Bidirectional Communication ✓
T1102.003 · One-Way Communication ✓
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer ✓
T1106 · Native API ✓
T1111 · Multi-Factor Authentication Interception
T1129 · Shared Modules ✓
T1132 · Data Encoding ✓
T1132.001 · Standard Encoding ✓
T1132.002 · Non-Standard Encoding
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1176 · Software Extensions
T1185 · Browser Session Hijacking ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1201 · Password Policy Discovery ✓
T1203 · Exploitation for Client Execution ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1218 · System Binary Proxy Execution ✓
T1218.001 · Compiled HTML File ✓
T1218.002 · Control Panel ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1221 · Template Injection ✓
T1485 · Data Destruction ✓
T1486 · Data Encrypted for Impact ✓
T1490 · Inhibit System Recovery ✓
T1491 · Defacement
T1491.001 · Internal Defacement ✓
T1491.002 · External Defacement
T1505.004 · IIS Components ✓
T1525 · Implant Internal Image ✓
T1539 · Steal Web Session Cookie ✓
T1543 · Create or Modify System Process ✓
T1543.002 · Systemd Service ✓
T1546.002 · Screensaver ✓
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1546.004 · Unix Shell Configuration Modification ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.013 · PowerShell Profile ✓
T1546.014 · Emond ✓
T1546.016 · Installer Packages
T1547.002 · Authentication Package ✓
T1547.005 · Security Support Provider ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.007 · Re-opened Applications
T1547.008 · LSASS Driver ✓
T1547.009 · Shortcut Modification ✓
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.004 · Elevated Execution with Prompt
T1548.006 · TCC Manipulation
T1553.003 · SIP and Trust Provider Hijacking ✓
T1554 · Compromise Host Software Binary ✓
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1559 · Inter-Process Communication ✓
T1559.001 · Component Object Model ✓
T1559.002 · Dynamic Data Exchange ✓
T1560 · Archive Collected Data ✓
T1560.001 · Archive via Utility ✓
T1561 · Disk Wipe
T1561.001 · Disk Content Wipe ✓
T1561.002 · Disk Structure Wipe ✓
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.011 · Spoof Security Alerting
T1564.004 · NTFS File Attributes ✓
T1564.008 · Email Hiding Rules
T1564.009 · Resource Forking
T1564.012 · File/Path Exclusions
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1566.003 · Spearphishing via Service
T1567 · Exfiltration Over Web Service ✓
T1568 · Dynamic Resolution ✓
T1568.002 · Domain Generation Algorithms ✓
T1569 · System Services ✓
T1569.002 · Service Execution ✓
T1570 · Lateral Tool Transfer ✓
T1571 · Non-Standard Port ✓
T1572 · Protocol Tunneling ✓
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1574 · Hijack Execution Flow ✓
T1574.001 · DLL ✓
T1574.004 · Dylib Hijacking
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.013 · KernelCallbackTable
T1574.014 · AppDomainManager ✓
T1598 · Phishing for Information
T1598.001 · Spearphishing Service
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1611 · Escape to Host ✓
T1622 · Debugger Evasion ✓
SI-04
System Monitoring
254/375 detectable
T1001 · Data Obfuscation ✓
T1001.001 · Junk Data
T1001.002 · Steganography
T1001.003 · Protocol or Service Impersonation ✓
T1003 · OS Credential Dumping ✓
T1003.001 · LSASS Memory ✓
T1003.002 · Security Account Manager ✓
T1003.003 · NTDS ✓
T1003.004 · LSA Secrets ✓
T1003.005 · Cached Domain Credentials ✓
T1003.006 · DCSync ✓
T1003.007 · Proc Filesystem
T1003.008 · /etc/passwd and /etc/shadow
T1005 · Data from Local System ✓
T1008 · Fallback Channels ✓
T1011 · Exfiltration Over Other Network Medium
T1011.001 · Exfiltration Over Bluetooth
T1020.001 · Traffic Duplication
T1021 · Remote Services ✓
T1021.001 · Remote Desktop Protocol ✓
T1021.002 · SMB/Windows Admin Shares ✓
T1021.003 · Distributed Component Object Model ✓
T1021.004 · SSH ✓
T1021.005 · VNC ✓
T1021.006 · Windows Remote Management ✓
T1021.008 · Direct Cloud VM Connections
T1025 · Data from Removable Media
T1027 · Obfuscated Files or Information ✓
T1027.002 · Software Packing ✓
T1027.007 · Dynamic API Resolution
T1027.008 · Stripped Payloads
T1027.009 · Embedded Payloads ✓
T1027.010 · Command Obfuscation ✓
T1027.011 · Fileless Storage
T1027.012 · LNK Icon Smuggling
T1029 · Scheduled Transfer ✓
T1030 · Data Transfer Size Limits ✓
T1036 · Masquerading ✓
T1036.001 · Invalid Code Signature
T1036.003 · Rename Legitimate Utilities ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1036.007 · Double File Extension ✓
T1036.008 · Masquerade File Type
T1036.010 · Masquerade Account Name
T1037 · Boot or Logon Initialization Scripts ✓
T1037.002 · Login Hook
T1037.003 · Network Logon Script
T1037.004 · RC Scripts
T1037.005 · Startup Items ✓
T1040 · Network Sniffing ✓
T1041 · Exfiltration Over C2 Channel ✓
T1046 · Network Service Discovery ✓
T1047 · Windows Management Instrumentation ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1053 · Scheduled Task/Job ✓
T1053.002 · At ✓
T1053.003 · Cron ✓
T1053.005 · Scheduled Task ✓
T1053.006 · Systemd Timers
T1055 · Process Injection ✓
T1055.001 · Dynamic-link Library Injection ✓
T1055.002 · Portable Executable Injection
T1055.003 · Thread Execution Hijacking ✓
T1055.004 · Asynchronous Procedure Call
T1055.005 · Thread Local Storage
T1055.008 · Ptrace System Calls ✓
T1055.009 · Proc Memory ✓
T1055.011 · Extra Window Memory Injection ✓
T1055.012 · Process Hollowing ✓
T1055.013 · Process Doppelgänging
T1055.014 · VDSO Hijacking
T1056.002 · GUI Input Capture ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1059.009 · Cloud API ✓
T1059.010 · AutoHotKey & AutoIT
T1059.011 · Lua
T1068 · Exploitation for Privilege Escalation ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1070.010 · Relocate Malware
T1071 · Application Layer Protocol ✓
T1071.001 · Web Protocols ✓
T1071.002 · File Transfer Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS ✓
T1071.005 · Publish/Subscribe Protocols
T1072 · Software Deployment Tools ✓
T1078 · Valid Accounts ✓
T1078.001 · Default Accounts ✓
T1078.002 · Domain Accounts ✓
T1078.003 · Local Accounts ✓
T1078.004 · Cloud Accounts ✓
T1080 · Taint Shared Content
T1087 · Account Discovery ✓
T1087.001 · Local Account ✓
T1087.002 · Domain Account ✓
T1090 · Proxy ✓
T1090.001 · Internal Proxy ✓
T1090.002 · External Proxy ✓
T1091 · Replication Through Removable Media ✓
T1092 · Communication Through Removable Media
T1095 · Non-Application Layer Protocol ✓
T1098 · Account Manipulation ✓
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1098.004 · SSH Authorized Keys ✓
T1098.007 · Additional Local or Domain Groups
T1102 · Web Service ✓
T1102.001 · Dead Drop Resolver ✓
T1102.002 · Bidirectional Communication ✓
T1102.003 · One-Way Communication ✓
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer ✓
T1106 · Native API ✓
T1110 · Brute Force ✓
T1110.001 · Password Guessing ✓
T1110.002 · Password Cracking ✓
T1110.003 · Password Spraying
T1110.004 · Credential Stuffing
T1111 · Multi-Factor Authentication Interception
T1114 · Email Collection ✓
T1114.001 · Local Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1119 · Automated Collection ✓
T1127 · Trusted Developer Utilities Proxy Execution ✓
T1127.001 · MSBuild ✓
T1127.002 · ClickOnce
T1129 · Shared Modules ✓
T1132 · Data Encoding ✓
T1132.001 · Standard Encoding ✓
T1132.002 · Non-Standard Encoding
T1133 · External Remote Services ✓
T1135 · Network Share Discovery ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1176 · Software Extensions
T1185 · Browser Session Hijacking ✓
T1187 · Forced Authentication ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1197 · BITS Jobs ✓
T1201 · Password Policy Discovery ✓
T1203 · Exploitation for Client Execution ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1205 · Traffic Signaling ✓
T1205.001 · Port Knocking ✓
T1205.002 · Socket Filters
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1216 · System Script Proxy Execution ✓
T1216.001 · PubPrn ✓
T1218 · System Binary Proxy Execution ✓
T1218.001 · Compiled HTML File ✓
T1218.002 · Control Panel ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.010 · Regsvr32 ✓
T1218.011 · Rundll32 ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1220 · XSL Script Processing ✓
T1221 · Template Injection ✓
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1484 · Domain or Tenant Policy Modification ✓
T1485 · Data Destruction ✓
T1486 · Data Encrypted for Impact ✓
T1489 · Service Stop ✓
T1490 · Inhibit System Recovery ✓
T1491 · Defacement
T1491.001 · Internal Defacement ✓
T1491.002 · External Defacement
T1499 · Endpoint Denial of Service ✓
T1499.001 · OS Exhaustion Flood ✓
T1499.002 · Service Exhaustion Flood
T1499.003 · Application Exhaustion Flood
T1499.004 · Application or System Exploitation ✓
T1505 · Server Software Component ✓
T1505.002 · Transport Agent ✓
T1505.003 · Web Shell ✓
T1505.004 · IIS Components ✓
T1505.005 · Terminal Services DLL ✓
T1525 · Implant Internal Image ✓
T1528 · Steal Application Access Token ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1539 · Steal Web Session Cookie ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.002 · Systemd Service ✓
T1546.002 · Screensaver ✓
T1546.003 · Windows Management Instrumentation Event Subscription ✓
T1546.004 · Unix Shell Configuration Modification ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.008 · Accessibility Features ✓
T1546.013 · PowerShell Profile ✓
T1546.014 · Emond ✓
T1546.016 · Installer Packages
T1547.002 · Authentication Package ✓
T1547.003 · Time Providers ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.005 · Security Support Provider ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.007 · Re-opened Applications
T1547.008 · LSASS Driver ✓
T1547.009 · Shortcut Modification ✓
T1547.012 · Print Processors
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.001 · Setuid and Setgid ✓
T1548.002 · Bypass User Account Control ✓
T1548.003 · Sudo and Sudo Caching ✓
T1548.004 · Elevated Execution with Prompt
T1548.006 · TCC Manipulation
T1550.001 · Application Access Token ✓
T1550.003 · Pass the Ticket ✓
T1552 · Unsecured Credentials ✓
T1552.001 · Credentials In Files ✓
T1552.002 · Credentials in Registry ✓
T1552.003 · Shell History ✓
T1552.004 · Private Keys ✓
T1552.005 · Cloud Instance Metadata API ✓
T1552.006 · Group Policy Preferences ✓
T1552.008 · Chat Messages
T1553 · Subvert Trust Controls ✓
T1553.001 · Gatekeeper Bypass ✓
T1553.003 · SIP and Trust Provider Hijacking ✓
T1553.004 · Install Root Certificate ✓
T1553.005 · Mark-of-the-Web Bypass ✓
T1555 · Credentials from Password Stores ✓
T1555.001 · Keychain ✓
T1555.002 · Securityd Memory
T1555.004 · Windows Credential Manager ✓
T1555.005 · Password Managers ✓
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.002 · Password Filter DLL ✓
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.008 · Network Provider DLL
T1556.009 · Conditional Access Policies
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1558.005 · Ccache Files
T1559 · Inter-Process Communication ✓
T1559.002 · Dynamic Data Exchange ✓
T1559.003 · XPC Services
T1560 · Archive Collected Data ✓
T1560.001 · Archive via Utility ✓
T1561 · Disk Wipe
T1561.001 · Disk Content Wipe ✓
T1561.002 · Disk Structure Wipe ✓
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.003 · Impair Command History Logging
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.010 · Downgrade Attack
T1562.011 · Spoof Security Alerting
T1562.012 · Disable or Modify Linux Audit System
T1563 · Remote Service Session Hijacking
T1563.001 · SSH Hijacking
T1563.002 · RDP Hijacking ✓
T1564.002 · Hidden Users ✓
T1564.004 · NTFS File Attributes ✓
T1564.006 · Run Virtual Instance ✓
T1564.007 · VBA Stomping
T1564.008 · Email Hiding Rules
T1564.009 · Resource Forking
T1564.010 · Process Argument Spoofing
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1566.003 · Spearphishing via Service
T1567 · Exfiltration Over Web Service ✓
T1568 · Dynamic Resolution ✓
T1568.002 · Domain Generation Algorithms ✓
T1569 · System Services ✓
T1569.002 · Service Execution ✓
T1570 · Lateral Tool Transfer ✓
T1571 · Non-Standard Port ✓
T1572 · Protocol Tunneling ✓
T1573 · Encrypted Channel ✓
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1574 · Hijack Execution Flow ✓
T1574.001 · DLL ✓
T1574.004 · Dylib Hijacking
T1574.005 · Executable Installer File Permissions Weakness ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.010 · Services File Permissions Weakness ✓
T1574.013 · KernelCallbackTable
T1574.014 · AppDomainManager ✓
T1578 · Modify Cloud Compute Infrastructure ✓
T1578.001 · Create Snapshot
T1578.002 · Create Cloud Instance
T1578.003 · Delete Cloud Instance ✓
T1598 · Phishing for Information
T1598.001 · Spearphishing Service
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1610 · Deploy Container ✓
T1611 · Escape to Host ✓
T1612 · Build Image on Host
T1613 · Container and Resource Discovery ✓
T1622 · Debugger Evasion ✓
T1647 · Plist File Modification
T1648 · Serverless Execution
T1651 · Cloud Administration Command
T1653 · Power Settings ✓
SI-05
Security Alerts, Advisories, and Directives
4/4 detectable
SI-07
Software, Firmware, and Information Integrity
137/209 detectable
T1003 · OS Credential Dumping ✓
T1003.003 · NTDS ✓
T1020.001 · Traffic Duplication
T1027 · Obfuscated Files or Information ✓
T1027.002 · Software Packing ✓
T1027.007 · Dynamic API Resolution
T1027.008 · Stripped Payloads
T1027.009 · Embedded Payloads ✓
T1036 · Masquerading ✓
T1036.001 · Invalid Code Signature
T1036.005 · Match Legitimate Resource Name or Location ✓
T1037 · Boot or Logon Initialization Scripts ✓
T1037.002 · Login Hook
T1037.003 · Network Logon Script
T1037.004 · RC Scripts
T1037.005 · Startup Items ✓
T1040 · Network Sniffing ✓
T1047 · Windows Management Instrumentation ✓
T1053.006 · Systemd Timers
T1056.002 · GUI Input Capture ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1059.010 · AutoHotKey & AutoIT
T1059.011 · Lua
T1068 · Exploitation for Privilege Escalation ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.003 · Clear Command History ✓
T1070.007 · Clear Network Connection History and Configurations
T1070.008 · Clear Mailbox Data
T1070.009 · Clear Persistence
T1070.010 · Relocate Malware
T1072 · Software Deployment Tools ✓
T1080 · Taint Shared Content
T1098.001 · Additional Cloud Credentials ✓
T1098.002 · Additional Email Delegate Permissions
T1098.003 · Additional Cloud Roles ✓
T1112 · Modify Registry ✓
T1114 · Email Collection ✓
T1114.001 · Local Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1119 · Automated Collection ✓
T1127 · Trusted Developer Utilities Proxy Execution ✓
T1127.002 · ClickOnce
T1129 · Shared Modules ✓
T1133 · External Remote Services ✓
T1136 · Create Account ✓
T1136.001 · Local Account ✓
T1136.002 · Domain Account ✓
T1136.003 · Cloud Account ✓
T1176 · Software Extensions
T1185 · Browser Session Hijacking ✓
T1189 · Drive-by Compromise ✓
T1190 · Exploit Public-Facing Application ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.003 · Compromise Hardware Supply Chain
T1203 · Exploitation for Client Execution ✓
T1204 · User Execution ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1210 · Exploitation of Remote Services ✓
T1211 · Exploitation for Stealth ✓
T1212 · Exploitation for Credential Access ✓
T1213 · Data from Information Repositories ✓
T1213.001 · Confluence
T1213.002 · Sharepoint
T1213.004 · Customer Relationship Management Software
T1213.005 · Messaging Applications
T1216 · System Script Proxy Execution ✓
T1216.001 · PubPrn ✓
T1216.002 · SyncAppvPublishingServer
T1218 · System Binary Proxy Execution ✓
T1218.001 · Compiled HTML File ✓
T1218.002 · Control Panel ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.010 · Regsvr32 ✓
T1218.011 · Rundll32 ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1220 · XSL Script Processing ✓
T1221 · Template Injection ✓
T1222 · File and Directory Permissions Modification ✓
T1222.001 · Windows Permissions ✓
T1222.002 · Linux and Mac Permissions ✓
T1485 · Data Destruction ✓
T1485.001 · Lifecycle-Triggered Deletion
T1486 · Data Encrypted for Impact ✓
T1490 · Inhibit System Recovery ✓
T1491 · Defacement
T1491.001 · Internal Defacement ✓
T1491.002 · External Defacement
T1495 · Firmware Corruption ✓
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.004 · IIS Components ✓
T1525 · Implant Internal Image ✓
T1530 · Data from Cloud Storage
T1542 · Pre-OS Boot
T1542.001 · System Firmware ✓
T1542.003 · Bootkit ✓
T1542.004 · ROMMONkit
T1542.005 · TFTP Boot
T1543 · Create or Modify System Process ✓
T1543.002 · Systemd Service ✓
T1546 · Event Triggered Execution ✓
T1546.002 · Screensaver ✓
T1546.004 · Unix Shell Configuration Modification ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.008 · Accessibility Features ✓
T1546.009 · AppCert DLLs ✓
T1546.010 · AppInit DLLs ✓
T1546.013 · PowerShell Profile ✓
T1547.002 · Authentication Package ✓
T1547.003 · Time Providers ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.005 · Security Support Provider ✓
T1547.006 · Kernel Modules and Extensions ✓
T1547.008 · LSASS Driver ✓
T1547.013 · XDG Autostart Entries
T1548 · Abuse Elevation Control Mechanism ✓
T1548.004 · Elevated Execution with Prompt
T1548.006 · TCC Manipulation
T1550.001 · Application Access Token ✓
T1550.004 · Web Session Cookie
T1552 · Unsecured Credentials ✓
T1552.004 · Private Keys ✓
T1553 · Subvert Trust Controls ✓
T1553.001 · Gatekeeper Bypass ✓
T1553.003 · SIP and Trust Provider Hijacking ✓
T1553.005 · Mark-of-the-Web Bypass ✓
T1553.006 · Code Signing Policy Modification
T1554 · Compromise Host Software Binary ✓
T1556 · Modify Authentication Process ✓
T1556.001 · Domain Controller Authentication
T1556.003 · Pluggable Authentication Modules
T1556.004 · Network Device Authentication ✓
T1556.008 · Network Provider DLL
T1556.009 · Conditional Access Policies
T1557 · Adversary-in-the-Middle ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1558.005 · Ccache Files
T1561 · Disk Wipe
T1561.001 · Disk Content Wipe ✓
T1561.002 · Disk Structure Wipe ✓
T1562 · Impair Defenses ✓
T1562.001 · Disable or Modify Tools ✓
T1562.002 · Disable Windows Event Logging ✓
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking ✓
T1562.009 · Safe Mode Boot
T1562.010 · Downgrade Attack
T1562.011 · Spoof Security Alerting
T1562.012 · Disable or Modify Linux Audit System
T1564.003 · Hidden Window ✓
T1564.004 · NTFS File Attributes ✓
T1564.006 · Run Virtual Instance ✓
T1564.008 · Email Hiding Rules
T1564.009 · Resource Forking
T1564.010 · Process Argument Spoofing
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1569 · System Services ✓
T1569.002 · Service Execution ✓
T1574 · Hijack Execution Flow ✓
T1574.001 · DLL ✓
T1574.004 · Dylib Hijacking
T1574.006 · Dynamic Linker Hijacking ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.012 · COR_PROFILER ✓
T1574.013 · KernelCallbackTable
T1574.014 · AppDomainManager ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1609 · Container Administration Command ✓
T1611 · Escape to Host ✓
T1647 · Plist File Modification
SI-08
Spam Protection
11/20 detectable
T1137 · Office Application Startup ✓
T1137.001 · Office Template Macros
T1137.002 · Office Test ✓
T1137.003 · Outlook Forms ✓
T1137.004 · Outlook Home Page
T1137.005 · Outlook Rules
T1137.006 · Add-ins ✓
T1204 · User Execution ✓
T1204.001 · Malicious Link ✓
T1204.002 · Malicious File ✓
T1204.003 · Malicious Image
T1221 · Template Injection ✓
T1566 · Phishing ✓
T1566.001 · Spearphishing Attachment ✓
T1566.002 · Spearphishing Link ✓
T1566.003 · Spearphishing via Service
T1598 · Phishing for Information
T1598.001 · Spearphishing Service
T1598.002 · Spearphishing Attachment
T1598.003 · Spearphishing Link
SI-10
Information Input Validation
79/101 detectable
T1021.002 · SMB/Windows Admin Shares ✓
T1021.005 · VNC ✓
T1027.010 · Command Obfuscation ✓
T1036 · Masquerading ✓
T1036.005 · Match Legitimate Resource Name or Location ✓
T1036.008 · Masquerade File Type
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1071.004 · DNS ✓
T1080 · Taint Shared Content
T1090 · Proxy ✓
T1090.003 · Multi-hop Proxy ✓
T1095 · Non-Application Layer Protocol ✓
T1127 · Trusted Developer Utilities Proxy Execution ✓
T1127.002 · ClickOnce
T1129 · Shared Modules ✓
T1176 · Software Extensions
T1187 · Forced Authentication ✓
T1190 · Exploit Public-Facing Application ✓
T1197 · BITS Jobs ✓
T1204 · User Execution ✓
T1204.002 · Malicious File ✓
T1216 · System Script Proxy Execution ✓
T1216.001 · PubPrn ✓
T1218 · System Binary Proxy Execution ✓
T1218.001 · Compiled HTML File ✓
T1218.002 · Control Panel ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.010 · Regsvr32 ✓
T1218.011 · Rundll32 ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1220 · XSL Script Processing ✓
T1221 · Template Injection ✓
T1498 · Network Denial of Service ✓
T1498.001 · Direct Network Flood
T1498.002 · Reflection Amplification
T1499 · Endpoint Denial of Service ✓
T1499.001 · OS Exhaustion Flood ✓
T1499.002 · Service Exhaustion Flood
T1499.003 · Application Exhaustion Flood
T1499.004 · Application or System Exploitation ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1546.002 · Screensaver ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1546.008 · Accessibility Features ✓
T1546.009 · AppCert DLLs ✓
T1546.010 · AppInit DLLs ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.006 · Kernel Modules and Extensions ✓
T1548.006 · TCC Manipulation
T1552 · Unsecured Credentials ✓
T1552.005 · Cloud Instance Metadata API ✓
T1553 · Subvert Trust Controls ✓
T1553.001 · Gatekeeper Bypass ✓
T1553.003 · SIP and Trust Provider Hijacking ✓
T1553.005 · Mark-of-the-Web Bypass ✓
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1564.003 · Hidden Window ✓
T1564.006 · Run Virtual Instance ✓
T1564.009 · Resource Forking
T1570 · Lateral Tool Transfer ✓
T1572 · Protocol Tunneling ✓
T1574 · Hijack Execution Flow ✓
T1574.001 · DLL ✓
T1574.006 · Dynamic Linker Hijacking ✓
T1574.007 · Path Interception by PATH Environment Variable ✓
T1574.008 · Path Interception by Search Order Hijacking ✓
T1574.009 · Path Interception by Unquoted Path ✓
T1574.012 · COR_PROFILER ✓
T1574.013 · KernelCallbackTable
T1574.014 · AppDomainManager ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1609 · Container Administration Command ✓
T1622 · Debugger Evasion ✓
SI-12
Information Management and Retention
20/34 detectable
T1003 · OS Credential Dumping ✓
T1003.003 · NTDS ✓
T1020.001 · Traffic Duplication
T1040 · Network Sniffing ✓
T1070 · Indicator Removal ✓
T1070.001 · Clear Windows Event Logs ✓
T1070.002 · Clear Linux or Mac System Logs
T1070.008 · Clear Mailbox Data
T1114 · Email Collection ✓
T1114.001 · Local Email Collection ✓
T1114.002 · Remote Email Collection
T1114.003 · Email Forwarding Rule ✓
T1119 · Automated Collection ✓
T1213.004 · Customer Relationship Management Software
T1530 · Data from Cloud Storage
T1548 · Abuse Elevation Control Mechanism ✓
T1548.004 · Elevated Execution with Prompt
T1550.001 · Application Access Token ✓
T1552 · Unsecured Credentials ✓
T1552.004 · Private Keys ✓
T1557 · Adversary-in-the-Middle ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets ✓
T1558.002 · Silver Ticket
T1558.003 · Kerberoasting ✓
T1558.004 · AS-REP Roasting
T1558.005 · Ccache Files
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.002 · Transmitted Data Manipulation ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
SI-14
Non-persistence
7/7 detectable
SI-15
Information Output Filtering
29/42 detectable
T1021.002 · SMB/Windows Admin Shares ✓
T1021.005 · VNC ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1071.004 · DNS ✓
T1090 · Proxy ✓
T1090.003 · Multi-hop Proxy ✓
T1095 · Non-Application Layer Protocol ✓
T1187 · Forced Authentication ✓
T1197 · BITS Jobs ✓
T1205 · Traffic Signaling ✓
T1205.001 · Port Knocking ✓
T1218.012 · Verclsid
T1218.015 · Electron Applications
T1219 · Remote Access Tools ✓
T1498 · Network Denial of Service ✓
T1498.001 · Direct Network Flood
T1498.002 · Reflection Amplification
T1499 · Endpoint Denial of Service ✓
T1499.001 · OS Exhaustion Flood ✓
T1499.002 · Service Exhaustion Flood
T1499.003 · Application Exhaustion Flood
T1499.004 · Application or System Exploitation ✓
T1530 · Data from Cloud Storage
T1537 · Transfer Data to Cloud Account ✓
T1552 · Unsecured Credentials ✓
T1552.005 · Cloud Instance Metadata API ✓
T1557 · Adversary-in-the-Middle ✓
T1557.001 · Name Resolution Poisoning and SMB Relay ✓
T1557.002 · ARP Cache Poisoning ✓
T1557.003 · DHCP Spoofing ✓
T1564.009 · Resource Forking
T1570 · Lateral Tool Transfer ✓
T1572 · Protocol Tunneling ✓
T1599 · Network Boundary Bridging
T1599.001 · Network Address Translation Traversal ✓
T1602 · Data from Configuration Repository
T1602.001 · SNMP (MIB Dump)
T1602.002 · Network Device Configuration Dump
T1622 · Debugger Evasion ✓
SI-16
Memory Protection
29/36 detectable
T1003.001 · LSASS Memory ✓
T1047 · Windows Management Instrumentation ✓
T1055.009 · Proc Memory ✓
T1059 · Command and Scripting Interpreter ✓
T1059.001 · PowerShell ✓
T1059.002 · AppleScript ✓
T1059.003 · Windows Command Shell ✓
T1059.004 · Unix Shell ✓
T1059.005 · Visual Basic ✓
T1059.006 · Python ✓
T1059.007 · JavaScript ✓
T1059.008 · Network Device CLI
T1059.011 · Lua
T1218 · System Binary Proxy Execution ✓
T1218.001 · Compiled HTML File ✓
T1218.002 · Control Panel ✓
T1218.003 · CMSTP ✓
T1218.004 · InstallUtil
T1218.005 · Mshta ✓
T1218.008 · Odbcconf ✓
T1218.009 · Regsvcs/Regasm ✓
T1218.012 · Verclsid
T1218.013 · Mavinject ✓
T1218.014 · MMC ✓
T1218.015 · Electron Applications
T1505.004 · IIS Components ✓
T1543 · Create or Modify System Process ✓
T1543.002 · Systemd Service ✓
T1547.004 · Winlogon Helper DLL ✓
T1547.006 · Kernel Modules and Extensions ✓
T1548 · Abuse Elevation Control Mechanism ✓
T1548.004 · Elevated Execution with Prompt
T1565 · Data Manipulation ✓
T1565.001 · Stored Data Manipulation ✓
T1565.003 · Runtime Data Manipulation
T1611 · Escape to Host ✓
SR
31/52 techniques covered
SR-04
Provenance
13/22 detectable
T1041 · Exfiltration Over C2 Channel ✓
T1048 · Exfiltration Over Alternative Protocol ✓
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓
T1052 · Exfiltration Over Physical Medium
T1052.001 · Exfiltration over USB
T1059.002 · AppleScript ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.002 · Compromise Software Supply Chain ✓
T1195.003 · Compromise Hardware Supply Chain
T1204.003 · Malicious Image
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.004 · IIS Components ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1554 · Compromise Host Software Binary ✓
T1567 · Exfiltration Over Web Service ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
SR-05
Acquisition Strategies, Tools, and Methods
9/15 detectable
T1059.002 · AppleScript ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.002 · Compromise Software Supply Chain ✓
T1195.003 · Compromise Hardware Supply Chain
T1204.003 · Malicious Image
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.004 · IIS Components ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1554 · Compromise Host Software Binary ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image
SR-11
Component Authenticity
9/15 detectable
T1059.002 · AppleScript ✓
T1195 · Supply Chain Compromise ✓
T1195.001 · Compromise Software Dependencies and Development Tools ✓
T1195.002 · Compromise Software Supply Chain ✓
T1195.003 · Compromise Hardware Supply Chain
T1204.003 · Malicious Image
T1505 · Server Software Component ✓
T1505.001 · SQL Stored Procedures ✓
T1505.002 · Transport Agent ✓
T1505.004 · IIS Components ✓
T1546.006 · LC_LOAD_DYLIB Addition
T1554 · Compromise Host Software Binary ✓
T1601 · Modify System Image
T1601.001 · Patch System Image
T1601.002 · Downgrade System Image