Home/Compliance/Report
Threat-informed report

cri-profile - threat & detection coverage

Generated 2026-06-04 12:23 UTC from TTPI engine data
This report maps cri-profile controls to the MITRE ATT&CK techniques they address, then checks each technique against our detection corpus (Sigma, CAR, IDS, YARA, Falco). It shows, control by control, what attacks each control is meant to stop and whether those attacks are actually detectable today. Use it as the threat-informed backbone of an audit response or pentest report.

Coverage Summary

60
threat-mapped controls
430
ATT&CK techniques addressed
290
techniques we can detect
67%
detection coverage
Coverage = of the distinct techniques mapped to this framework, the share for which we hold at least one detection rule. Gaps below list controls with zero detection coverage - the priority remediation set.

DE.AE

57/81 techniques covered
DE.AE-02.01 Event analysis and detection 57/81 detectable
T1001 · Data Obfuscation ✓T1001.001 · Junk DataT1001.002 · SteganographyT1001.003 · Protocol or Service Impersonation ✓T1008 · Fallback Channels ✓T1027 · Obfuscated Files or Information ✓T1027.002 · Software Packing ✓T1027.009 · Embedded Payloads ✓T1027.012 · LNK Icon SmugglingT1027.013 · Encrypted/Encoded FileT1027.014 · Polymorphic CodeT1029 · Scheduled Transfer ✓T1030 · Data Transfer Size Limits ✓T1036 · Masquerading ✓T1036.008 · Masquerade File TypeT1041 · Exfiltration Over C2 Channel ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.005 · Visual Basic ✓T1059.006 · Python ✓T1068 · Exploitation for Privilege Escalation ✓T1071 · Application Layer Protocol ✓T1071.001 · Web Protocols ✓T1071.002 · File Transfer ProtocolsT1071.003 · Mail ProtocolsT1071.004 · DNS ✓T1071.005 · Publish/Subscribe ProtocolsT1080 · Taint Shared ContentT1090 · Proxy ✓T1090.001 · Internal Proxy ✓T1090.002 · External Proxy ✓T1095 · Non-Application Layer Protocol ✓T1102 · Web Service ✓T1102.001 · Dead Drop Resolver ✓T1102.002 · Bidirectional Communication ✓T1102.003 · One-Way Communication ✓T1104 · Multi-Stage ChannelsT1105 · Ingress Tool Transfer ✓T1132 · Data Encoding ✓T1132.001 · Standard Encoding ✓T1132.002 · Non-Standard EncodingT1189 · Drive-by Compromise ✓T1203 · Exploitation for Client Execution ✓T1204 · User Execution ✓T1204.001 · Malicious Link ✓T1204.002 · Malicious File ✓T1204.003 · Malicious ImageT1210 · Exploitation of Remote Services ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓T1218 · System Binary Proxy Execution ✓T1218.010 · Regsvr32 ✓T1218.011 · Rundll32 ✓T1218.015 · Electron ApplicationsT1219 · Remote Access Tools ✓T1221 · Template Injection ✓T1542.004 · ROMMONkitT1542.005 · TFTP BootT1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1557.003 · DHCP Spoofing ✓T1557.004 · Evil TwinT1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1566.003 · Spearphishing via ServiceT1568 · Dynamic Resolution ✓T1568.002 · Domain Generation Algorithms ✓T1570 · Lateral Tool Transfer ✓T1571 · Non-Standard Port ✓T1572 · Protocol Tunneling ✓T1573 · Encrypted Channel ✓T1573.001 · Symmetric CryptographyT1573.002 · Asymmetric CryptographyT1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration Dump

DE.CM

192/263 techniques covered
DE.CM-01.01 Intrusion detection and prevention 30/41 detectable
T1001 · Data Obfuscation ✓T1001.001 · Junk DataT1001.002 · SteganographyT1001.003 · Protocol or Service Impersonation ✓T1030 · Data Transfer Size Limits ✓T1036 · Masquerading ✓T1036.008 · Masquerade File TypeT1048 · Exfiltration Over Alternative Protocol ✓T1071 · Application Layer Protocol ✓T1071.001 · Web Protocols ✓T1071.002 · File Transfer ProtocolsT1071.003 · Mail ProtocolsT1071.004 · DNS ✓T1071.005 · Publish/Subscribe ProtocolsT1090 · Proxy ✓T1090.001 · Internal Proxy ✓T1090.002 · External Proxy ✓T1102 · Web Service ✓T1102.001 · Dead Drop Resolver ✓T1102.002 · Bidirectional Communication ✓T1102.003 · One-Way Communication ✓T1132 · Data Encoding ✓T1132.001 · Standard Encoding ✓T1132.002 · Non-Standard EncodingT1204 · User Execution ✓T1204.001 · Malicious Link ✓T1204.003 · Malicious ImageT1221 · Template Injection ✓T1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1557.003 · DHCP Spoofing ✓T1557.004 · Evil TwinT1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1568 · Dynamic Resolution ✓T1568.002 · Domain Generation Algorithms ✓T1572 · Protocol Tunneling ✓T1573 · Encrypted Channel ✓T1573.001 · Symmetric CryptographyT1573.002 · Asymmetric Cryptography
DE.CM-01.02 Network traffic volume monitoring 4/8 detectable
T1498 · Network Denial of Service ✓T1498.001 · Direct Network FloodT1498.002 · Reflection AmplificationT1499 · Endpoint Denial of Service ✓T1499.001 · OS Exhaustion Flood ✓T1499.002 · Service Exhaustion FloodT1499.003 · Application Exhaustion FloodT1499.004 · Application or System Exploitation ✓
DE.CM-01.03 Unauthorized network connections and data transfers 11/14 detectable
T1008 · Fallback Channels ✓T1030 · Data Transfer Size Limits ✓T1041 · Exfiltration Over C2 Channel ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1090 · Proxy ✓T1095 · Non-Application Layer Protocol ✓T1102 · Web Service ✓T1104 · Multi-Stage ChannelsT1571 · Non-Standard Port ✓T1572 · Protocol Tunneling ✓T1599 · Network Boundary Bridging
DE.CM-01.04 Unauthorized device connection 1/3 detectable
T1052 · Exfiltration Over Physical MediumT1052.001 · Exfiltration over USBT1200 · Hardware Additions ✓
DE.CM-01.05 Website and service blocking 20/22 detectable
T1059 · Command and Scripting Interpreter ✓T1059.005 · Visual Basic ✓T1059.007 · JavaScript ✓T1102 · Web Service ✓T1102.001 · Dead Drop Resolver ✓T1102.002 · Bidirectional Communication ✓T1102.003 · One-Way Communication ✓T1189 · Drive-by Compromise ✓T1204 · User Execution ✓T1204.001 · Malicious Link ✓T1204.002 · Malicious File ✓T1218 · System Binary Proxy Execution ✓T1218.001 · Compiled HTML File ✓T1528 · Steal Application Access Token ✓T1539 · Steal Web Session Cookie ✓T1550 · Use Alternate Authentication Material ✓T1555.003 · Credentials from Web Browsers ✓T1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1566.002 · Spearphishing Link ✓T1566.003 · Spearphishing via ServiceT1659 · Content Injection
DE.CM-03.03 Privileged account monitoring 29/41 detectable
T1047 · Windows Management Instrumentation ✓T1053 · Scheduled Task/Job ✓T1053.002 · At ✓T1053.005 · Scheduled Task ✓T1053.006 · Systemd TimersT1053.007 · Container Orchestration JobT1072 · Software Deployment Tools ✓T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.002 · Additional Email Delegate PermissionsT1098.003 · Additional Cloud Roles ✓T1098.004 · SSH Authorized Keys ✓T1098.005 · Device Registration ✓T1098.006 · Additional Container Cluster RolesT1098.007 · Additional Local or Domain GroupsT1190 · Exploit Public-Facing Application ✓T1210 · Exploitation of Remote Services ✓T1543 · Create or Modify System Process ✓T1543.002 · Systemd Service ✓T1543.003 · Windows Service ✓T1543.004 · Launch Daemon ✓T1543.005 · Container ServiceT1548 · Abuse Elevation Control Mechanism ✓T1548.002 · Bypass User Account Control ✓T1548.003 · Sudo and Sudo Caching ✓T1548.006 · TCC ManipulationT1556 · Modify Authentication Process ✓T1556.001 · Domain Controller AuthenticationT1556.004 · Network Device Authentication ✓T1556.005 · Reversible EncryptionT1556.006 · Multi-Factor Authentication ✓T1556.007 · Hybrid IdentityT1606 · Forge Web Credentials ✓T1606.001 · Web CookiesT1606.002 · SAML Tokens ✓T1651 · Cloud Administration Command
DE.CM-06.02 Third-party access monitoring 57/73 detectable
T1003 · OS Credential Dumping ✓T1003.001 · LSASS Memory ✓T1003.002 · Security Account Manager ✓T1003.003 · NTDS ✓T1003.004 · LSA Secrets ✓T1003.005 · Cached Domain Credentials ✓T1003.006 · DCSync ✓T1003.007 · Proc FilesystemT1003.008 · /etc/passwd and /etc/shadowT1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.003 · Distributed Component Object Model ✓T1021.006 · Windows Remote Management ✓T1021.007 · Cloud Services ✓T1047 · Windows Management Instrumentation ✓T1056.003 · Web Portal CaptureT1059.001 · PowerShell ✓T1059.008 · Network Device CLIT1059.009 · Cloud API ✓T1072 · Software Deployment Tools ✓T1078 · Valid Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.002 · Additional Email Delegate PermissionsT1098.003 · Additional Cloud Roles ✓T1134 · Access Token Manipulation ✓T1134.001 · Token Impersonation/Theft ✓T1134.002 · Create Process with Token ✓T1134.003 · Make and Impersonate Token ✓T1136.001 · Local Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1190 · Exploit Public-Facing Application ✓T1210 · Exploitation of Remote Services ✓T1218 · System Binary Proxy Execution ✓T1484 · Domain or Tenant Policy Modification ✓T1484.002 · Trust Modification ✓T1505 · Server Software Component ✓T1548 · Abuse Elevation Control Mechanism ✓T1548.002 · Bypass User Account Control ✓T1548.003 · Sudo and Sudo Caching ✓T1548.006 · TCC ManipulationT1550 · Use Alternate Authentication Material ✓T1550.002 · Pass the Hash ✓T1550.003 · Pass the Ticket ✓T1552 · Unsecured Credentials ✓T1552.002 · Credentials in Registry ✓T1552.007 · Container API ✓T1555 · Credentials from Password Stores ✓T1555.006 · Cloud Secrets Management StoresT1556 · Modify Authentication Process ✓T1556.001 · Domain Controller AuthenticationT1556.003 · Pluggable Authentication ModulesT1556.004 · Network Device Authentication ✓T1556.007 · Hybrid IdentityT1558 · Steal or Forge Kerberos Tickets ✓T1558.001 · Golden TicketT1558.002 · Silver TicketT1558.003 · Kerberoasting ✓T1563 · Remote Service Session HijackingT1563.001 · SSH HijackingT1563.002 · RDP Hijacking ✓T1569 · System Services ✓T1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓T1606 · Forge Web Credentials ✓T1606.002 · SAML Tokens ✓T1609 · Container Administration Command ✓T1651 · Cloud Administration Command
DE.CM-09.01 Software and data integrity checking 31/46 detectable
T1003 · OS Credential Dumping ✓T1003.001 · LSASS Memory ✓T1036 · Masquerading ✓T1036.001 · Invalid Code SignatureT1036.005 · Match Legitimate Resource Name or Location ✓T1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.002 · AppleScript ✓T1127 · Trusted Developer Utilities Proxy Execution ✓T1127.002 · ClickOnceT1176 · Software ExtensionsT1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1204.003 · Malicious ImageT1213.004 · Customer Relationship Management SoftwareT1495 · Firmware Corruption ✓T1505 · Server Software Component ✓T1505.001 · SQL Stored Procedures ✓T1505.002 · Transport Agent ✓T1505.004 · IIS Components ✓T1525 · Implant Internal Image ✓T1537 · Transfer Data to Cloud Account ✓T1539 · Steal Web Session Cookie ✓T1542 · Pre-OS BootT1542.001 · System Firmware ✓T1542.003 · Bootkit ✓T1542.004 · ROMMONkitT1542.005 · TFTP BootT1543 · Create or Modify System Process ✓T1543.002 · Systemd Service ✓T1543.003 · Windows Service ✓T1546.006 · LC_LOAD_DYLIB AdditionT1546.013 · PowerShell Profile ✓T1547.002 · Authentication Package ✓T1547.005 · Security Support Provider ✓T1547.008 · LSASS Driver ✓T1547.013 · XDG Autostart EntriesT1553.006 · Code Signing Policy ModificationT1554 · Compromise Host Software Binary ✓T1556 · Modify Authentication Process ✓T1556.001 · Domain Controller AuthenticationT1574 · Hijack Execution Flow ✓T1574.001 · DLL ✓T1601 · Modify System ImageT1601.001 · Patch System ImageT1601.002 · Downgrade System Image
DE.CM-09.02 Hardware integrity checking 4/8 detectable
T1091 · Replication Through Removable Media ✓T1195.003 · Compromise Hardware Supply ChainT1495 · Firmware Corruption ✓T1542 · Pre-OS BootT1542.001 · System Firmware ✓T1542.002 · Component FirmwareT1562.001 · Disable or Modify Tools ✓T1600.002 · Disable Crypto Hardware
DE.CM-09.03 Unauthorized software, hardware, or configuration changes 5/7 detectable
T1495 · Firmware Corruption ✓T1542.001 · System Firmware ✓T1542.002 · Component FirmwareT1543 · Create or Modify System Process ✓T1556 · Modify Authentication Process ✓T1562 · Impair Defenses ✓T1601 · Modify System Image

EX.DD

8/10 techniques covered
EX.DD-04.01 Third-party systems and software evaluation 8/10 detectable
T1036 · Masquerading ✓T1036.001 · Invalid Code SignatureT1072 · Software Deployment Tools ✓T1190 · Exploit Public-Facing Application ✓T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1195.002 · Compromise Software Supply Chain ✓T1210 · Exploitation of Remote Services ✓T1542.002 · Component FirmwareT1554 · Compromise Host Software Binary ✓

EX.MM

6/11 techniques covered
EX.MM-01.01 Third-party monitoring and management resources 6/11 detectable
T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1195.002 · Compromise Software Supply Chain ✓T1195.003 · Compromise Hardware Supply ChainT1199 · Trusted Relationship ✓T1525 · Implant Internal Image ✓T1530 · Data from Cloud StorageT1554 · Compromise Host Software Binary ✓T1601 · Modify System ImageT1601.001 · Patch System ImageT1601.002 · Downgrade System Image

ID.AM

34/50 techniques covered
ID.AM-08.03 Data governance and lifecycle management 17/25 detectable
T1003 · OS Credential Dumping ✓T1003.003 · NTDS ✓T1020.001 · Traffic DuplicationT1040 · Network Sniffing ✓T1070 · Indicator Removal ✓T1070.001 · Clear Windows Event Logs ✓T1070.002 · Clear Linux or Mac System LogsT1070.008 · Clear Mailbox DataT1114 · Email Collection ✓T1114.001 · Local Email Collection ✓T1114.002 · Remote Email CollectionT1114.003 · Email Forwarding Rule ✓T1119 · Automated Collection ✓T1213.004 · Customer Relationship Management SoftwareT1530 · Data from Cloud StorageT1548 · Abuse Elevation Control Mechanism ✓T1550.001 · Application Access Token ✓T1552 · Unsecured Credentials ✓T1552.004 · Private Keys ✓T1557 · Adversary-in-the-Middle ✓T1557.004 · Evil TwinT1558 · Steal or Forge Kerberos Tickets ✓T1558.005 · Ccache FilesT1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓
ID.AM-08.05 Data destruction procedures 17/25 detectable
T1003 · OS Credential Dumping ✓T1003.003 · NTDS ✓T1020.001 · Traffic DuplicationT1040 · Network Sniffing ✓T1070 · Indicator Removal ✓T1070.001 · Clear Windows Event Logs ✓T1070.002 · Clear Linux or Mac System LogsT1070.008 · Clear Mailbox DataT1114 · Email Collection ✓T1114.001 · Local Email Collection ✓T1114.002 · Remote Email CollectionT1114.003 · Email Forwarding Rule ✓T1119 · Automated Collection ✓T1213.004 · Customer Relationship Management SoftwareT1530 · Data from Cloud StorageT1548 · Abuse Elevation Control Mechanism ✓T1550.001 · Application Access Token ✓T1552 · Unsecured Credentials ✓T1552.004 · Private Keys ✓T1557 · Adversary-in-the-Middle ✓T1557.004 · Evil TwinT1558 · Steal or Forge Kerberos Tickets ✓T1558.005 · Ccache FilesT1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓

ID.IM

9/15 techniques covered
ID.IM-02.06 Accurate data recovery 9/15 detectable
T1485 · Data Destruction ✓T1485.001 · Lifecycle-Triggered DeletionT1486 · Data Encrypted for Impact ✓T1490 · Inhibit System Recovery ✓T1491 · DefacementT1491.001 · Internal Defacement ✓T1491.002 · External DefacementT1498 · Network Denial of Service ✓T1498.001 · Direct Network FloodT1498.002 · Reflection AmplificationT1561 · Disk WipeT1561.001 · Disk Content Wipe ✓T1561.002 · Disk Structure Wipe ✓T1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓

ID.RA

11/11 techniques covered
ID.RA-01.03 Vulnerability management 11/11 detectable
T1072 · Software Deployment Tools ✓T1190 · Exploit Public-Facing Application ✓T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1195.002 · Compromise Software Supply Chain ✓T1203 · Exploitation for Client Execution ✓T1210 · Exploitation of Remote Services ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓T1495 · Firmware Corruption ✓T1574 · Hijack Execution Flow ✓

PR.AA

386/508 techniques covered
PR.AA-01.01 Identity and credential management 126/175 detectable
T1003 · OS Credential Dumping ✓T1003.001 · LSASS Memory ✓T1003.002 · Security Account Manager ✓T1003.003 · NTDS ✓T1003.004 · LSA Secrets ✓T1003.005 · Cached Domain Credentials ✓T1003.006 · DCSync ✓T1003.007 · Proc FilesystemT1003.008 · /etc/passwd and /etc/shadowT1006 · Direct Volume Access ✓T1020.001 · Traffic DuplicationT1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.004 · SSH ✓T1021.007 · Cloud Services ✓T1021.008 · Direct Cloud VM ConnectionsT1036 · Masquerading ✓T1036.010 · Masquerade Account NameT1040 · Network Sniffing ✓T1047 · Windows Management Instrumentation ✓T1048 · Exfiltration Over Alternative Protocol ✓T1053 · Scheduled Task/Job ✓T1053.002 · At ✓T1053.003 · Cron ✓T1053.005 · Scheduled Task ✓T1053.006 · Systemd TimersT1053.007 · Container Orchestration JobT1059 · Command and Scripting Interpreter ✓T1059.008 · Network Device CLIT1072 · Software Deployment Tools ✓T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1087 · Account Discovery ✓T1087.004 · Cloud Account ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.002 · Additional Email Delegate PermissionsT1098.003 · Additional Cloud Roles ✓T1098.004 · SSH Authorized Keys ✓T1098.005 · Device Registration ✓T1098.006 · Additional Container Cluster RolesT1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.002 · Password Cracking ✓T1110.003 · Password SprayingT1110.004 · Credential StuffingT1114 · Email Collection ✓T1114.002 · Remote Email CollectionT1133 · External Remote Services ✓T1134 · Access Token Manipulation ✓T1134.001 · Token Impersonation/Theft ✓T1134.002 · Create Process with Token ✓T1134.003 · Make and Impersonate Token ✓T1134.005 · SID-History Injection ✓T1136 · Create Account ✓T1136.001 · Local Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1185 · Browser Session Hijacking ✓T1187 · Forced Authentication ✓T1195 · Supply Chain Compromise ✓T1197 · BITS Jobs ✓T1199 · Trusted Relationship ✓T1201 · Password Policy Discovery ✓T1213 · Data from Information Repositories ✓T1213.001 · ConfluenceT1213.002 · SharepointT1213.003 · Code Repositories ✓T1213.004 · Customer Relationship Management SoftwareT1484 · Domain or Tenant Policy Modification ✓T1484.001 · Group Policy Modification ✓T1484.002 · Trust Modification ✓T1485 · Data Destruction ✓T1485.001 · Lifecycle-Triggered DeletionT1489 · Service Stop ✓T1490 · Inhibit System Recovery ✓T1505 · Server Software Component ✓T1505.003 · Web Shell ✓T1528 · Steal Application Access Token ✓T1530 · Data from Cloud StorageT1537 · Transfer Data to Cloud Account ✓T1538 · Cloud Service DashboardT1539 · Steal Web Session Cookie ✓T1543 · Create or Modify System Process ✓T1543.002 · Systemd Service ✓T1543.003 · Windows Service ✓T1543.004 · Launch Daemon ✓T1543.005 · Container ServiceT1546 · Event Triggered Execution ✓T1546.003 · Windows Management Instrumentation Event Subscription ✓T1546.011 · Application Shimming ✓T1547 · Boot or Logon Autostart Execution ✓T1547.004 · Winlogon Helper DLL ✓T1547.006 · Kernel Modules and Extensions ✓T1547.009 · Shortcut Modification ✓T1547.012 · Print ProcessorsT1547.013 · XDG Autostart EntriesT1548 · Abuse Elevation Control Mechanism ✓T1548.002 · Bypass User Account Control ✓T1548.005 · Temporary Elevated Cloud AccessT1550 · Use Alternate Authentication Material ✓T1550.001 · Application Access Token ✓T1550.002 · Pass the Hash ✓T1550.003 · Pass the Ticket ✓T1552 · Unsecured Credentials ✓T1552.001 · Credentials In Files ✓T1552.002 · Credentials in Registry ✓T1552.004 · Private Keys ✓T1552.006 · Group Policy Preferences ✓T1552.007 · Container API ✓T1555 · Credentials from Password Stores ✓T1555.001 · Keychain ✓T1555.003 · Credentials from Web Browsers ✓T1555.005 · Password Managers ✓T1556 · Modify Authentication Process ✓T1556.001 · Domain Controller AuthenticationT1556.003 · Pluggable Authentication ModulesT1556.004 · Network Device Authentication ✓T1556.005 · Reversible EncryptionT1556.006 · Multi-Factor Authentication ✓T1556.007 · Hybrid IdentityT1556.009 · Conditional Access PoliciesT1558 · Steal or Forge Kerberos Tickets ✓T1558.001 · Golden TicketT1558.002 · Silver TicketT1558.003 · Kerberoasting ✓T1558.004 · AS-REP RoastingT1562 · Impair Defenses ✓T1562.001 · Disable or Modify Tools ✓T1562.002 · Disable Windows Event Logging ✓T1562.004 · Disable or Modify System FirewallT1562.006 · Indicator Blocking ✓T1562.007 · Disable or Modify Cloud FirewallT1562.008 · Disable or Modify Cloud LogsT1562.012 · Disable or Modify Linux Audit SystemT1563 · Remote Service Session HijackingT1563.001 · SSH HijackingT1563.002 · RDP Hijacking ✓T1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1566.002 · Spearphishing Link ✓T1566.003 · Spearphishing via ServiceT1569 · System Services ✓T1569.001 · Launchctl ✓T1574 · Hijack Execution Flow ✓T1574.005 · Executable Installer File Permissions Weakness ✓T1574.010 · Services File Permissions Weakness ✓T1574.012 · COR_PROFILER ✓T1578 · Modify Cloud Compute Infrastructure ✓T1578.001 · Create SnapshotT1578.002 · Create Cloud InstanceT1578.003 · Delete Cloud Instance ✓T1578.005 · Modify Cloud Compute ConfigurationsT1580 · Cloud Infrastructure Discovery ✓T1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓T1601 · Modify System ImageT1601.001 · Patch System ImageT1601.002 · Downgrade System ImageT1606 · Forge Web Credentials ✓T1606.002 · SAML Tokens ✓T1609 · Container Administration Command ✓T1610 · Deploy Container ✓T1613 · Container and Resource Discovery ✓T1619 · Cloud Storage Object Discovery ✓T1621 · Multi-Factor Authentication Request Generation ✓T1648 · Serverless ExecutionT1649 · Steal or Forge Authentication Certificates ✓T1654 · Log EnumerationT1657 · Financial TheftT1666 · Modify Cloud Resource Hierarchy
PR.AA-01.02 Physical and logical access 40/52 detectable
T1003 · OS Credential Dumping ✓T1006 · Direct Volume Access ✓T1020.001 · Traffic DuplicationT1021 · Remote Services ✓T1047 · Windows Management Instrumentation ✓T1059.008 · Network Device CLIT1072 · Software Deployment Tools ✓T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1087 · Account Discovery ✓T1087.004 · Cloud Account ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1098.004 · SSH Authorized Keys ✓T1098.006 · Additional Container Cluster RolesT1110 · Brute Force ✓T1134 · Access Token Manipulation ✓T1134.001 · Token Impersonation/Theft ✓T1134.002 · Create Process with Token ✓T1134.003 · Make and Impersonate Token ✓T1197 · BITS Jobs ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1537 · Transfer Data to Cloud Account ✓T1538 · Cloud Service DashboardT1543 · Create or Modify System Process ✓T1543.002 · Systemd Service ✓T1543.005 · Container ServiceT1547.004 · Winlogon Helper DLL ✓T1547.006 · Kernel Modules and Extensions ✓T1547.009 · Shortcut Modification ✓T1547.012 · Print ProcessorsT1547.013 · XDG Autostart EntriesT1548 · Abuse Elevation Control Mechanism ✓T1548.005 · Temporary Elevated Cloud AccessT1555.003 · Credentials from Web Browsers ✓T1555.005 · Password Managers ✓T1556 · Modify Authentication Process ✓T1556.004 · Network Device Authentication ✓T1558 · Steal or Forge Kerberos Tickets ✓T1562 · Impair Defenses ✓T1563 · Remote Service Session HijackingT1578 · Modify Cloud Compute Infrastructure ✓T1578.005 · Modify Cloud Compute ConfigurationsT1580 · Cloud Infrastructure Discovery ✓T1609 · Container Administration Command ✓T1619 · Cloud Storage Object Discovery ✓T1657 · Financial Theft
PR.AA-02.01 Authentication of identity 20/24 detectable
T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.004 · SSH ✓T1021.007 · Cloud Services ✓T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1087.001 · Local Account ✓T1087.002 · Domain Account ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1098.005 · Device Registration ✓T1098.006 · Additional Container Cluster RolesT1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.003 · Password SprayingT1110.004 · Credential StuffingT1136 · Create Account ✓T1136.001 · Local Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1556 · Modify Authentication Process ✓T1556.001 · Domain Controller AuthenticationT1586.003 · Cloud Accounts ✓
PR.AA-03.01 Authentication requirements 40/52 detectable
T1003 · OS Credential Dumping ✓T1003.001 · LSASS Memory ✓T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.004 · SSH ✓T1021.007 · Cloud Services ✓T1059.008 · Network Device CLIT1072 · Software Deployment Tools ✓T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1098.005 · Device Registration ✓T1098.006 · Additional Container Cluster RolesT1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.002 · Password Cracking ✓T1110.003 · Password SprayingT1110.004 · Credential StuffingT1114 · Email Collection ✓T1133 · External Remote Services ✓T1136 · Create Account ✓T1136.001 · Local Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1187 · Forced Authentication ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1539 · Steal Web Session Cookie ✓T1550 · Use Alternate Authentication Material ✓T1552 · Unsecured Credentials ✓T1555 · Credentials from Password Stores ✓T1555.005 · Password Managers ✓T1556 · Modify Authentication Process ✓T1556.001 · Domain Controller AuthenticationT1556.004 · Network Device Authentication ✓T1556.006 · Multi-Factor Authentication ✓T1556.007 · Hybrid IdentityT1558 · Steal or Forge Kerberos Tickets ✓T1593.003 · Code Repositories ✓T1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓T1601 · Modify System ImageT1601.001 · Patch System ImageT1601.002 · Downgrade System ImageT1609 · Container Administration Command ✓T1649 · Steal or Forge Authentication Certificates ✓T1651 · Cloud Administration Command
PR.AA-03.03 Email verification mechanisms 6/10 detectable
T1114 · Email Collection ✓T1114.001 · Local Email Collection ✓T1114.002 · Remote Email CollectionT1114.003 · Email Forwarding Rule ✓T1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1566.002 · Spearphishing Link ✓T1598 · Phishing for InformationT1598.002 · Spearphishing AttachmentT1598.003 · Spearphishing Link
PR.AA-04.01 Access control within and across security perimeters 5/5 detectable
T1087.004 · Cloud Account ✓T1098 · Account Manipulation ✓T1213 · Data from Information Repositories ✓T1548 · Abuse Elevation Control Mechanism ✓T1565 · Data Manipulation ✓
PR.AA-05.01 Access privilege limitation 28/31 detectable
T1021 · Remote Services ✓T1037 · Boot or Logon Initialization Scripts ✓T1037.001 · Logon Script (Windows) ✓T1087.004 · Cloud Account ✓T1098 · Account Manipulation ✓T1133 · External Remote Services ✓T1134 · Access Token Manipulation ✓T1134.001 · Token Impersonation/Theft ✓T1134.002 · Create Process with Token ✓T1134.003 · Make and Impersonate Token ✓T1200 · Hardware Additions ✓T1484 · Domain or Tenant Policy Modification ✓T1484.002 · Trust Modification ✓T1505 · Server Software Component ✓T1525 · Implant Internal Image ✓T1547.009 · Shortcut Modification ✓T1552.007 · Container API ✓T1557 · Adversary-in-the-Middle ✓T1562 · Impair Defenses ✓T1562.009 · Safe Mode BootT1562.012 · Disable or Modify Linux Audit SystemT1565 · Data Manipulation ✓T1574 · Hijack Execution Flow ✓T1574.011 · Services Registry Permissions Weakness ✓T1574.012 · COR_PROFILER ✓T1578 · Modify Cloud Compute Infrastructure ✓T1580 · Cloud Infrastructure Discovery ✓T1601 · Modify System ImageT1609 · Container Administration Command ✓T1610 · Deploy Container ✓T1613 · Container and Resource Discovery ✓
PR.AA-05.02 Privileged system access 98/130 detectable
T1003.006 · DCSync ✓T1003.007 · Proc FilesystemT1003.008 · /etc/passwd and /etc/shadowT1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.003 · Distributed Component Object Model ✓T1021.004 · SSH ✓T1021.006 · Windows Remote Management ✓T1021.007 · Cloud Services ✓T1040 · Network Sniffing ✓T1047 · Windows Management Instrumentation ✓T1053 · Scheduled Task/Job ✓T1053.002 · At ✓T1053.005 · Scheduled Task ✓T1053.006 · Systemd TimersT1053.007 · Container Orchestration JobT1055 · Process Injection ✓T1055.008 · Ptrace System Calls ✓T1056 · Input Capture ✓T1056.003 · Web Portal CaptureT1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.008 · Network Device CLIT1059.009 · Cloud API ✓T1072 · Software Deployment Tools ✓T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.002 · Additional Email Delegate PermissionsT1098.003 · Additional Cloud Roles ✓T1098.005 · Device Registration ✓T1098.006 · Additional Container Cluster RolesT1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.002 · Password Cracking ✓T1110.003 · Password SprayingT1110.004 · Credential StuffingT1114 · Email Collection ✓T1114.002 · Remote Email CollectionT1133 · External Remote Services ✓T1134 · Access Token Manipulation ✓T1134.001 · Token Impersonation/Theft ✓T1134.002 · Create Process with Token ✓T1134.003 · Make and Impersonate Token ✓T1136 · Create Account ✓T1136.001 · Local Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1190 · Exploit Public-Facing Application ✓T1199 · Trusted Relationship ✓T1210 · Exploitation of Remote Services ✓T1213 · Data from Information Repositories ✓T1213.003 · Code Repositories ✓T1218 · System Binary Proxy Execution ✓T1218.007 · Msiexec ✓T1222 · File and Directory Permissions Modification ✓T1222.001 · Windows Permissions ✓T1222.002 · Linux and Mac Permissions ✓T1484 · Domain or Tenant Policy Modification ✓T1484.002 · Trust Modification ✓T1485 · Data Destruction ✓T1495 · Firmware Corruption ✓T1505 · Server Software Component ✓T1505.001 · SQL Stored Procedures ✓T1505.002 · Transport Agent ✓T1505.004 · IIS Components ✓T1525 · Implant Internal Image ✓T1530 · Data from Cloud StorageT1539 · Steal Web Session Cookie ✓T1542 · Pre-OS BootT1542.001 · System Firmware ✓T1542.003 · Bootkit ✓T1542.005 · TFTP BootT1543 · Create or Modify System Process ✓T1543.002 · Systemd Service ✓T1546 · Event Triggered Execution ✓T1546.003 · Windows Management Instrumentation Event Subscription ✓T1547 · Boot or Logon Autostart Execution ✓T1547.006 · Kernel Modules and Extensions ✓T1548 · Abuse Elevation Control Mechanism ✓T1548.002 · Bypass User Account Control ✓T1548.003 · Sudo and Sudo Caching ✓T1548.006 · TCC ManipulationT1550 · Use Alternate Authentication Material ✓T1550.002 · Pass the Hash ✓T1550.003 · Pass the Ticket ✓T1552 · Unsecured Credentials ✓T1552.002 · Credentials in Registry ✓T1552.007 · Container API ✓T1553 · Subvert Trust Controls ✓T1553.006 · Code Signing Policy ModificationT1555 · Credentials from Password Stores ✓T1555.006 · Cloud Secrets Management StoresT1556 · Modify Authentication Process ✓T1556.001 · Domain Controller AuthenticationT1556.003 · Pluggable Authentication ModulesT1556.004 · Network Device Authentication ✓T1556.005 · Reversible EncryptionT1556.006 · Multi-Factor Authentication ✓T1556.007 · Hybrid IdentityT1558 · Steal or Forge Kerberos Tickets ✓T1558.001 · Golden TicketT1558.002 · Silver TicketT1558.003 · Kerberoasting ✓T1559 · Inter-Process Communication ✓T1559.001 · Component Object Model ✓T1562 · Impair Defenses ✓T1562.009 · Safe Mode BootT1563 · Remote Service Session HijackingT1563.001 · SSH HijackingT1563.002 · RDP Hijacking ✓T1569 · System Services ✓T1569.002 · Service Execution ✓T1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓T1601 · Modify System ImageT1601.001 · Patch System ImageT1601.002 · Downgrade System ImageT1606 · Forge Web Credentials ✓T1606.002 · SAML Tokens ✓T1609 · Container Administration Command ✓T1611 · Escape to Host ✓T1612 · Build Image on HostT1621 · Multi-Factor Authentication Request Generation ✓T1651 · Cloud Administration Command
PR.AA-05.03 Service accounts 18/22 detectable
T1021 · Remote Services ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.003 · Distributed Component Object Model ✓T1021.006 · Windows Remote Management ✓T1021.007 · Cloud Services ✓T1078 · Valid Accounts ✓T1078.002 · Domain Accounts ✓T1098 · Account Manipulation ✓T1190 · Exploit Public-Facing Application ✓T1210 · Exploitation of Remote Services ✓T1484 · Domain or Tenant Policy Modification ✓T1484.002 · Trust Modification ✓T1548 · Abuse Elevation Control Mechanism ✓T1558 · Steal or Forge Kerberos Tickets ✓T1558.001 · Golden TicketT1558.002 · Silver TicketT1558.003 · Kerberoasting ✓T1559 · Inter-Process Communication ✓T1559.001 · Component Object Model ✓T1563 · Remote Service Session HijackingT1563.001 · SSH HijackingT1563.002 · RDP Hijacking ✓
PR.AA-05.04 Third-party access management 5/7 detectable
T1078 · Valid Accounts ✓T1078.004 · Cloud Accounts ✓T1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.003 · Password SprayingT1110.004 · Credential StuffingT1199 · Trusted Relationship ✓

PR.DS

43/59 techniques covered
PR.DS-01.01 Data-at-rest protection 11/12 detectable
T1003.003 · NTDS ✓T1005 · Data from Local System ✓T1040 · Network Sniffing ✓T1041 · Exfiltration Over C2 Channel ✓T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1550.001 · Application Access Token ✓T1557 · Adversary-in-the-Middle ✓T1557.002 · ARP Cache Poisoning ✓T1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓
PR.DS-01.02 Data loss prevention 5/11 detectable
T1005 · Data from Local System ✓T1020.001 · Traffic DuplicationT1025 · Data from Removable MediaT1041 · Exfiltration Over C2 Channel ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1052 · Exfiltration Over Physical MediumT1052.001 · Exfiltration over USBT1537 · Transfer Data to Cloud Account ✓T1567.004 · Exfiltration Over Webhook
PR.DS-01.03 Removable media protection 2/4 detectable
T1025 · Data from Removable MediaT1030 · Data Transfer Size Limits ✓T1092 · Communication Through Removable MediaT1200 · Hardware Additions ✓
PR.DS-02.01 Data-in-transit protection 6/6 detectable
T1040 · Network Sniffing ✓T1550 · Use Alternate Authentication Material ✓T1550.001 · Application Access Token ✓T1550.002 · Pass the Hash ✓T1550.003 · Pass the Ticket ✓T1565.002 · Transmitted Data Manipulation ✓
PR.DS-10.01 Data-in-use protection 12/17 detectable
T1005 · Data from Local System ✓T1020 · Automated Exfiltration ✓T1025 · Data from Removable MediaT1040 · Network Sniffing ✓T1041 · Exfiltration Over C2 Channel ✓T1048 · Exfiltration Over Alternative Protocol ✓T1052 · Exfiltration Over Physical MediumT1052.001 · Exfiltration over USBT1070 · Indicator Removal ✓T1119 · Automated Collection ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1537 · Transfer Data to Cloud Account ✓T1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1567 · Exfiltration Over Web Service ✓T1602 · Data from Configuration Repository
PR.DS-11.01 Data backup and replication 7/9 detectable
T1485 · Data Destruction ✓T1485.001 · Lifecycle-Triggered DeletionT1486 · Data Encrypted for Impact ✓T1490 · Inhibit System Recovery ✓T1561 · Disk WipeT1561.001 · Disk Content Wipe ✓T1561.002 · Disk Structure Wipe ✓T1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓

PR.IR

328/437 techniques covered
PR.IR-01.01 Network segmentation 33/40 detectable
T1021.001 · Remote Desktop Protocol ✓T1021.003 · Distributed Component Object Model ✓T1021.006 · Windows Remote Management ✓T1040 · Network Sniffing ✓T1046 · Network Service Discovery ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1072 · Software Deployment Tools ✓T1095 · Non-Application Layer Protocol ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1133 · External Remote Services ✓T1136 · Create Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1190 · Exploit Public-Facing Application ✓T1199 · Trusted Relationship ✓T1210 · Exploitation of Remote Services ✓T1482 · Domain Trust Discovery ✓T1489 · Service Stop ✓T1552 · Unsecured Credentials ✓T1552.005 · Cloud Instance Metadata API ✓T1552.007 · Container API ✓T1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1557.003 · DHCP Spoofing ✓T1563 · Remote Service Session HijackingT1563.002 · RDP Hijacking ✓T1565 · Data Manipulation ✓T1565.003 · Runtime Data ManipulationT1571 · Non-Standard Port ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1610 · Deploy Container ✓T1612 · Build Image on HostT1613 · Container and Resource Discovery ✓
PR.IR-01.02 Network device configurations 29/39 detectable
T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.003 · Distributed Component Object Model ✓T1021.005 · VNC ✓T1021.006 · Windows Remote Management ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1071 · Application Layer Protocol ✓T1071.004 · DNS ✓T1071.005 · Publish/Subscribe ProtocolsT1095 · Non-Application Layer Protocol ✓T1133 · External Remote Services ✓T1187 · Forced Authentication ✓T1197 · BITS Jobs ✓T1218 · System Binary Proxy Execution ✓T1218.012 · VerclsidT1219 · Remote Access Tools ✓T1530 · Data from Cloud StorageT1537 · Transfer Data to Cloud Account ✓T1542 · Pre-OS BootT1542.005 · TFTP BootT1552 · Unsecured Credentials ✓T1552.005 · Cloud Instance Metadata API ✓T1552.007 · Container API ✓T1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1557.003 · DHCP Spoofing ✓T1563.002 · RDP Hijacking ✓T1572 · Protocol Tunneling ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1609 · Container Administration Command ✓T1610 · Deploy Container ✓T1612 · Build Image on HostT1613 · Container and Resource Discovery ✓
PR.IR-01.03 Network communications integrity and availability 67/95 detectable
T1001 · Data Obfuscation ✓T1001.001 · Junk DataT1001.002 · SteganographyT1001.003 · Protocol or Service Impersonation ✓T1008 · Fallback Channels ✓T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.005 · VNC ✓T1029 · Scheduled Transfer ✓T1030 · Data Transfer Size Limits ✓T1041 · Exfiltration Over C2 Channel ✓T1046 · Network Service Discovery ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1071 · Application Layer Protocol ✓T1071.001 · Web Protocols ✓T1071.002 · File Transfer ProtocolsT1071.003 · Mail ProtocolsT1071.004 · DNS ✓T1071.005 · Publish/Subscribe ProtocolsT1090 · Proxy ✓T1090.001 · Internal Proxy ✓T1090.002 · External Proxy ✓T1090.003 · Multi-hop Proxy ✓T1095 · Non-Application Layer Protocol ✓T1102 · Web Service ✓T1102.001 · Dead Drop Resolver ✓T1102.002 · Bidirectional Communication ✓T1102.003 · One-Way Communication ✓T1104 · Multi-Stage ChannelsT1105 · Ingress Tool Transfer ✓T1132 · Data Encoding ✓T1132.001 · Standard Encoding ✓T1132.002 · Non-Standard EncodingT1133 · External Remote Services ✓T1187 · Forced Authentication ✓T1197 · BITS Jobs ✓T1200 · Hardware Additions ✓T1204 · User Execution ✓T1204.001 · Malicious Link ✓T1204.003 · Malicious ImageT1205 · Traffic Signaling ✓T1205.001 · Port Knocking ✓T1205.002 · Socket FiltersT1218 · System Binary Proxy Execution ✓T1218.012 · VerclsidT1219 · Remote Access Tools ✓T1221 · Template Injection ✓T1498 · Network Denial of Service ✓T1498.001 · Direct Network FloodT1498.002 · Reflection AmplificationT1499 · Endpoint Denial of Service ✓T1499.001 · OS Exhaustion Flood ✓T1499.002 · Service Exhaustion FloodT1499.003 · Application Exhaustion FloodT1499.004 · Application or System Exploitation ✓T1530 · Data from Cloud StorageT1537 · Transfer Data to Cloud Account ✓T1542 · Pre-OS BootT1542.004 · ROMMONkitT1542.005 · TFTP BootT1546 · Event Triggered Execution ✓T1546.008 · Accessibility Features ✓T1552 · Unsecured Credentials ✓T1552.005 · Cloud Instance Metadata API ✓T1552.007 · Container API ✓T1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1557.003 · DHCP Spoofing ✓T1557.004 · Evil TwinT1563 · Remote Service Session HijackingT1563.002 · RDP Hijacking ✓T1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1568 · Dynamic Resolution ✓T1568.002 · Domain Generation Algorithms ✓T1570 · Lateral Tool Transfer ✓T1571 · Non-Standard Port ✓T1572 · Protocol Tunneling ✓T1573 · Encrypted Channel ✓T1573.001 · Symmetric CryptographyT1573.002 · Asymmetric CryptographyT1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1609 · Container Administration Command ✓T1610 · Deploy Container ✓T1612 · Build Image on HostT1613 · Container and Resource Discovery ✓
PR.IR-01.04 Wireless network protection 17/20 detectable
T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.003 · Distributed Component Object Model ✓T1021.006 · Windows Remote Management ✓T1040 · Network Sniffing ✓T1046 · Network Service Discovery ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1095 · Non-Application Layer Protocol ✓T1098 · Account Manipulation ✓T1200 · Hardware Additions ✓T1570 · Lateral Tool Transfer ✓T1571 · Non-Standard Port ✓T1572 · Protocol Tunneling ✓T1573 · Encrypted Channel ✓T1573.001 · Symmetric CryptographyT1573.002 · Asymmetric Cryptography
PR.IR-01.05 Remote access protection 53/75 detectable
T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.003 · Distributed Component Object Model ✓T1021.004 · SSH ✓T1021.005 · VNC ✓T1021.006 · Windows Remote Management ✓T1021.007 · Cloud Services ✓T1021.008 · Direct Cloud VM ConnectionsT1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.002 · Additional Email Delegate PermissionsT1098.003 · Additional Cloud Roles ✓T1098.006 · Additional Container Cluster RolesT1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.003 · Password SprayingT1110.004 · Credential StuffingT1133 · External Remote Services ✓T1136 · Create Account ✓T1136.001 · Local Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1199 · Trusted Relationship ✓T1484 · Domain or Tenant Policy Modification ✓T1484.001 · Group Policy Modification ✓T1484.002 · Trust Modification ✓T1542 · Pre-OS BootT1542.001 · System Firmware ✓T1542.003 · Bootkit ✓T1542.005 · TFTP BootT1543 · Create or Modify System Process ✓T1543.002 · Systemd Service ✓T1546 · Event Triggered Execution ✓T1546.003 · Windows Management Instrumentation Event Subscription ✓T1547.006 · Kernel Modules and Extensions ✓T1548 · Abuse Elevation Control Mechanism ✓T1548.002 · Bypass User Account Control ✓T1548.003 · Sudo and Sudo Caching ✓T1548.006 · TCC ManipulationT1550 · Use Alternate Authentication Material ✓T1552 · Unsecured Credentials ✓T1552.002 · Credentials in Registry ✓T1552.007 · Container API ✓T1556 · Modify Authentication Process ✓T1556.001 · Domain Controller AuthenticationT1556.003 · Pluggable Authentication ModulesT1556.004 · Network Device Authentication ✓T1556.005 · Reversible EncryptionT1556.006 · Multi-Factor Authentication ✓T1556.007 · Hybrid IdentityT1558 · Steal or Forge Kerberos Tickets ✓T1558.001 · Golden TicketT1558.002 · Silver TicketT1558.003 · Kerberoasting ✓T1563 · Remote Service Session HijackingT1563.001 · SSH HijackingT1563.002 · RDP Hijacking ✓T1569 · System Services ✓T1569.002 · Service Execution ✓T1601 · Modify System ImageT1601.001 · Patch System ImageT1601.002 · Downgrade System ImageT1606 · Forge Web Credentials ✓T1606.002 · SAML Tokens ✓T1609 · Container Administration Command ✓T1611 · Escape to Host ✓T1612 · Build Image on HostT1621 · Multi-Factor Authentication Request Generation ✓T1648 · Serverless ExecutionT1651 · Cloud Administration Command
PR.IR-01.06 Production environment segregation 66/78 detectable
T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.003 · Distributed Component Object Model ✓T1021.006 · Windows Remote Management ✓T1021.007 · Cloud Services ✓T1046 · Network Service Discovery ✓T1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.008 · Network Device CLIT1059.009 · Cloud API ✓T1072 · Software Deployment Tools ✓T1095 · Non-Application Layer Protocol ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.002 · Additional Email Delegate PermissionsT1098.003 · Additional Cloud Roles ✓T1133 · External Remote Services ✓T1134 · Access Token Manipulation ✓T1134.001 · Token Impersonation/Theft ✓T1134.002 · Create Process with Token ✓T1134.003 · Make and Impersonate Token ✓T1136 · Create Account ✓T1136.001 · Local Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1190 · Exploit Public-Facing Application ✓T1199 · Trusted Relationship ✓T1200 · Hardware Additions ✓T1210 · Exploitation of Remote Services ✓T1218 · System Binary Proxy Execution ✓T1218.007 · Msiexec ✓T1495 · Firmware Corruption ✓T1505 · Server Software Component ✓T1505.001 · SQL Stored Procedures ✓T1505.002 · Transport Agent ✓T1505.004 · IIS Components ✓T1542 · Pre-OS BootT1542.001 · System Firmware ✓T1542.003 · Bootkit ✓T1542.005 · TFTP BootT1543 · Create or Modify System Process ✓T1543.002 · Systemd Service ✓T1546 · Event Triggered Execution ✓T1546.003 · Windows Management Instrumentation Event Subscription ✓T1546.008 · Accessibility Features ✓T1547.006 · Kernel Modules and Extensions ✓T1548 · Abuse Elevation Control Mechanism ✓T1548.002 · Bypass User Account Control ✓T1548.003 · Sudo and Sudo Caching ✓T1548.006 · TCC ManipulationT1550 · Use Alternate Authentication Material ✓T1550.002 · Pass the Hash ✓T1550.003 · Pass the Ticket ✓T1552 · Unsecured Credentials ✓T1552.002 · Credentials in Registry ✓T1552.005 · Cloud Instance Metadata API ✓T1552.007 · Container API ✓T1553 · Subvert Trust Controls ✓T1553.006 · Code Signing Policy ModificationT1555 · Credentials from Password Stores ✓T1555.006 · Cloud Secrets Management StoresT1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1559 · Inter-Process Communication ✓T1559.001 · Component Object Model ✓T1563 · Remote Service Session HijackingT1563.002 · RDP Hijacking ✓T1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1606 · Forge Web Credentials ✓T1606.002 · SAML Tokens ✓T1609 · Container Administration Command ✓T1611 · Escape to Host ✓
PR.IR-01.08 End-user device access 13/19 detectable
T1006 · Direct Volume Access ✓T1027 · Obfuscated Files or Information ✓T1027.002 · Software Packing ✓T1027.009 · Embedded Payloads ✓T1027.010 · Command Obfuscation ✓T1027.012 · LNK Icon SmugglingT1027.013 · Encrypted/Encoded FileT1027.014 · Polymorphic CodeT1036 · Masquerading ✓T1036.008 · Masquerade File TypeT1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.005 · Visual Basic ✓T1059.006 · Python ✓T1080 · Taint Shared ContentT1221 · Template Injection ✓T1547.006 · Kernel Modules and Extensions ✓T1564 · Hide Artifacts ✓T1564.012 · File/Path Exclusions
PR.IR-03.01 Alternative resilience mechanisms 13/23 detectable
T1005 · Data from Local System ✓T1020 · Automated Exfiltration ✓T1020.001 · Traffic DuplicationT1025 · Data from Removable MediaT1041 · Exfiltration Over C2 Channel ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1052 · Exfiltration Over Physical MediumT1052.001 · Exfiltration over USBT1485 · Data Destruction ✓T1485.001 · Lifecycle-Triggered DeletionT1486 · Data Encrypted for Impact ✓T1490 · Inhibit System Recovery ✓T1491 · DefacementT1491.001 · Internal Defacement ✓T1491.002 · External DefacementT1537 · Transfer Data to Cloud Account ✓T1561 · Disk WipeT1561.001 · Disk Content Wipe ✓T1561.002 · Disk Structure Wipe ✓T1567 · Exfiltration Over Web Service ✓T1567.004 · Exfiltration Over Webhook
PR.IR-04.01 Utilization monitoring 30/36 detectable
T1008 · Fallback Channels ✓T1020 · Automated Exfiltration ✓T1021 · Remote Services ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.005 · VNC ✓T1030 · Data Transfer Size Limits ✓T1041 · Exfiltration Over C2 Channel ✓T1046 · Network Service Discovery ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1071 · Application Layer Protocol ✓T1071.001 · Web Protocols ✓T1071.004 · DNS ✓T1071.005 · Publish/Subscribe ProtocolsT1090 · Proxy ✓T1090.003 · Multi-hop Proxy ✓T1095 · Non-Application Layer Protocol ✓T1102 · Web Service ✓T1104 · Multi-Stage ChannelsT1133 · External Remote Services ✓T1498 · Network Denial of Service ✓T1499 · Endpoint Denial of Service ✓T1552.005 · Cloud Instance Metadata API ✓T1552.007 · Container API ✓T1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1557.003 · DHCP Spoofing ✓T1567 · Exfiltration Over Web Service ✓T1571 · Non-Standard Port ✓T1572 · Protocol Tunneling ✓T1573 · Encrypted Channel ✓T1599 · Network Boundary BridgingT1602 · Data from Configuration RepositoryT1602.002 · Network Device Configuration Dump
PR.IR-04.02 Availability and capacity management 7/12 detectable
T1485 · Data Destruction ✓T1486 · Data Encrypted for Impact ✓T1498 · Network Denial of Service ✓T1498.001 · Direct Network FloodT1498.002 · Reflection AmplificationT1499 · Endpoint Denial of Service ✓T1499.002 · Service Exhaustion FloodT1499.003 · Application Exhaustion FloodT1499.004 · Application or System Exploitation ✓T1561 · Disk WipeT1561.001 · Disk Content Wipe ✓T1561.002 · Disk Structure Wipe ✓

PR.PS

491/707 techniques covered
PR.PS-01.01 Configuration baselines 60/89 detectable
T1003 · OS Credential Dumping ✓T1003.001 · LSASS Memory ✓T1003.002 · Security Account Manager ✓T1003.005 · Cached Domain Credentials ✓T1011 · Exfiltration Over Other Network MediumT1011.001 · Exfiltration Over BluetoothT1021.001 · Remote Desktop Protocol ✓T1027 · Obfuscated Files or Information ✓T1027.002 · Software Packing ✓T1027.009 · Embedded Payloads ✓T1027.010 · Command Obfuscation ✓T1027.012 · LNK Icon SmugglingT1027.013 · Encrypted/Encoded FileT1027.014 · Polymorphic CodeT1036 · Masquerading ✓T1036.007 · Double File Extension ✓T1036.008 · Masquerade File TypeT1053 · Scheduled Task/Job ✓T1053.002 · At ✓T1053.005 · Scheduled Task ✓T1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.005 · Visual Basic ✓T1059.006 · Python ✓T1087 · Account Discovery ✓T1087.001 · Local Account ✓T1087.002 · Domain Account ✓T1092 · Communication Through Removable MediaT1098 · Account Manipulation ✓T1135 · Network Share Discovery ✓T1136 · Create Account ✓T1136.002 · Domain Account ✓T1137 · Office Application Startup ✓T1137.002 · Office Test ✓T1197 · BITS Jobs ✓T1213 · Data from Information Repositories ✓T1213.001 · ConfluenceT1213.002 · SharepointT1213.003 · Code Repositories ✓T1213.004 · Customer Relationship Management SoftwareT1213.005 · Messaging ApplicationsT1221 · Template Injection ✓T1490 · Inhibit System Recovery ✓T1535 · Unused/Unsupported Cloud RegionsT1537 · Transfer Data to Cloud Account ✓T1539 · Steal Web Session Cookie ✓T1542.005 · TFTP BootT1543 · Create or Modify System Process ✓T1543.003 · Windows Service ✓T1543.005 · Container ServiceT1546.008 · Accessibility Features ✓T1547.006 · Kernel Modules and Extensions ✓T1548 · Abuse Elevation Control Mechanism ✓T1548.001 · Setuid and Setgid ✓T1548.003 · Sudo and Sudo Caching ✓T1550.004 · Web Session CookieT1552 · Unsecured Credentials ✓T1552.003 · Shell History ✓T1553 · Subvert Trust Controls ✓T1553.004 · Install Root Certificate ✓T1555.005 · Password Managers ✓T1556 · Modify Authentication Process ✓T1556.002 · Password Filter DLL ✓T1556.008 · Network Provider DLLT1559 · Inter-Process Communication ✓T1559.002 · Dynamic Data Exchange ✓T1562 · Impair Defenses ✓T1562.003 · Impair Command History LoggingT1562.006 · Indicator Blocking ✓T1562.009 · Safe Mode BootT1562.010 · Downgrade AttackT1563.002 · RDP Hijacking ✓T1564 · Hide Artifacts ✓T1564.002 · Hidden Users ✓T1564.012 · File/Path ExclusionsT1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1566.002 · Spearphishing Link ✓T1566.003 · Spearphishing via ServiceT1574.006 · Dynamic Linker Hijacking ✓T1598 · Phishing for InformationT1598.002 · Spearphishing AttachmentT1598.003 · Spearphishing LinkT1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1606 · Forge Web Credentials ✓T1606.001 · Web CookiesT1666 · Modify Cloud Resource Hierarchy
PR.PS-01.02 Least functionality 48/71 detectable
T1003 · OS Credential Dumping ✓T1003.001 · LSASS Memory ✓T1003.002 · Security Account Manager ✓T1003.005 · Cached Domain Credentials ✓T1011 · Exfiltration Over Other Network MediumT1011.001 · Exfiltration Over BluetoothT1021.001 · Remote Desktop Protocol ✓T1036.007 · Double File Extension ✓T1053 · Scheduled Task/Job ✓T1053.002 · At ✓T1053.005 · Scheduled Task ✓T1087 · Account Discovery ✓T1087.001 · Local Account ✓T1087.002 · Domain Account ✓T1092 · Communication Through Removable MediaT1098 · Account Manipulation ✓T1135 · Network Share Discovery ✓T1136 · Create Account ✓T1136.002 · Domain Account ✓T1137 · Office Application Startup ✓T1137.002 · Office Test ✓T1197 · BITS Jobs ✓T1213 · Data from Information Repositories ✓T1213.001 · ConfluenceT1213.002 · SharepointT1213.003 · Code Repositories ✓T1213.004 · Customer Relationship Management SoftwareT1213.005 · Messaging ApplicationsT1490 · Inhibit System Recovery ✓T1535 · Unused/Unsupported Cloud RegionsT1537 · Transfer Data to Cloud Account ✓T1539 · Steal Web Session Cookie ✓T1542.005 · TFTP BootT1543 · Create or Modify System Process ✓T1543.003 · Windows Service ✓T1543.005 · Container ServiceT1546.008 · Accessibility Features ✓T1548 · Abuse Elevation Control Mechanism ✓T1548.001 · Setuid and Setgid ✓T1548.003 · Sudo and Sudo Caching ✓T1550.004 · Web Session CookieT1552 · Unsecured Credentials ✓T1552.003 · Shell History ✓T1553 · Subvert Trust Controls ✓T1553.004 · Install Root Certificate ✓T1555.005 · Password Managers ✓T1556 · Modify Authentication Process ✓T1556.002 · Password Filter DLL ✓T1556.008 · Network Provider DLLT1559 · Inter-Process Communication ✓T1559.002 · Dynamic Data Exchange ✓T1562 · Impair Defenses ✓T1562.003 · Impair Command History LoggingT1562.006 · Indicator Blocking ✓T1562.009 · Safe Mode BootT1562.010 · Downgrade AttackT1563.002 · RDP Hijacking ✓T1564.002 · Hidden Users ✓T1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1566.002 · Spearphishing Link ✓T1574.006 · Dynamic Linker Hijacking ✓T1598 · Phishing for InformationT1598.002 · Spearphishing AttachmentT1598.003 · Spearphishing LinkT1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1606 · Forge Web Credentials ✓T1606.001 · Web CookiesT1666 · Modify Cloud Resource Hierarchy
PR.PS-01.03 Configuration deviation 70/101 detectable
T1003 · OS Credential Dumping ✓T1003.001 · LSASS Memory ✓T1003.002 · Security Account Manager ✓T1003.005 · Cached Domain Credentials ✓T1011 · Exfiltration Over Other Network MediumT1011.001 · Exfiltration Over BluetoothT1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1036 · Masquerading ✓T1036.001 · Invalid Code SignatureT1036.005 · Match Legitimate Resource Name or Location ✓T1036.007 · Double File Extension ✓T1053 · Scheduled Task/Job ✓T1053.002 · At ✓T1053.005 · Scheduled Task ✓T1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.002 · AppleScript ✓T1087 · Account Discovery ✓T1087.001 · Local Account ✓T1087.002 · Domain Account ✓T1092 · Communication Through Removable MediaT1098 · Account Manipulation ✓T1127 · Trusted Developer Utilities Proxy Execution ✓T1127.002 · ClickOnceT1135 · Network Share Discovery ✓T1136 · Create Account ✓T1136.002 · Domain Account ✓T1137 · Office Application Startup ✓T1137.002 · Office Test ✓T1195 · Supply Chain Compromise ✓T1197 · BITS Jobs ✓T1204 · User Execution ✓T1204.003 · Malicious ImageT1213 · Data from Information Repositories ✓T1213.004 · Customer Relationship Management SoftwareT1490 · Inhibit System Recovery ✓T1495 · Firmware Corruption ✓T1505 · Server Software Component ✓T1505.001 · SQL Stored Procedures ✓T1505.002 · Transport Agent ✓T1505.004 · IIS Components ✓T1525 · Implant Internal Image ✓T1535 · Unused/Unsupported Cloud RegionsT1537 · Transfer Data to Cloud Account ✓T1539 · Steal Web Session Cookie ✓T1542 · Pre-OS BootT1542.001 · System Firmware ✓T1542.003 · Bootkit ✓T1542.004 · ROMMONkitT1542.005 · TFTP BootT1543 · Create or Modify System Process ✓T1543.003 · Windows Service ✓T1543.005 · Container ServiceT1546 · Event Triggered Execution ✓T1546.006 · LC_LOAD_DYLIB AdditionT1546.008 · Accessibility Features ✓T1546.013 · PowerShell Profile ✓T1548 · Abuse Elevation Control Mechanism ✓T1548.001 · Setuid and Setgid ✓T1548.002 · Bypass User Account Control ✓T1548.003 · Sudo and Sudo Caching ✓T1550.004 · Web Session CookieT1552 · Unsecured Credentials ✓T1552.003 · Shell History ✓T1553 · Subvert Trust Controls ✓T1553.004 · Install Root Certificate ✓T1553.006 · Code Signing Policy ModificationT1554 · Compromise Host Software Binary ✓T1555.005 · Password Managers ✓T1556 · Modify Authentication Process ✓T1556.002 · Password Filter DLL ✓T1556.008 · Network Provider DLLT1559 · Inter-Process Communication ✓T1559.002 · Dynamic Data Exchange ✓T1562 · Impair Defenses ✓T1562.003 · Impair Command History LoggingT1562.006 · Indicator Blocking ✓T1562.009 · Safe Mode BootT1562.010 · Downgrade AttackT1563 · Remote Service Session HijackingT1563.002 · RDP Hijacking ✓T1564 · Hide Artifacts ✓T1564.002 · Hidden Users ✓T1566 · Phishing ✓T1566.002 · Spearphishing Link ✓T1574 · Hijack Execution Flow ✓T1574.006 · Dynamic Linker Hijacking ✓T1590.002 · DNS ✓T1598 · Phishing for InformationT1598.002 · Spearphishing AttachmentT1598.003 · Spearphishing LinkT1601 · Modify System ImageT1601.001 · Patch System ImageT1601.002 · Downgrade System ImageT1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1606 · Forge Web Credentials ✓T1606.001 · Web CookiesT1666 · Modify Cloud Resource Hierarchy
PR.PS-01.04 Time services and synchronization 2/4 detectable
T1070.006 · Timestomp ✓T1497.003 · Time Based ChecksT1498.002 · Reflection AmplificationT1547.003 · Time Providers ✓
PR.PS-01.05 Encryption standards 17/28 detectable
T1020.001 · Traffic DuplicationT1040 · Network Sniffing ✓T1070 · Indicator Removal ✓T1070.001 · Clear Windows Event Logs ✓T1070.002 · Clear Linux or Mac System LogsT1098.004 · SSH Authorized Keys ✓T1114 · Email Collection ✓T1114.001 · Local Email Collection ✓T1114.002 · Remote Email CollectionT1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1552 · Unsecured Credentials ✓T1552.004 · Private Keys ✓T1557 · Adversary-in-the-Middle ✓T1557.002 · ARP Cache Poisoning ✓T1558 · Steal or Forge Kerberos Tickets ✓T1558.002 · Silver TicketT1558.003 · Kerberoasting ✓T1558.004 · AS-REP RoastingT1563.001 · SSH HijackingT1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1649 · Steal or Forge Authentication Certificates ✓T1659 · Content Injection
PR.PS-01.06 Encryption management practices 17/28 detectable
T1020.001 · Traffic DuplicationT1040 · Network Sniffing ✓T1070 · Indicator Removal ✓T1070.001 · Clear Windows Event Logs ✓T1070.002 · Clear Linux or Mac System LogsT1098.004 · SSH Authorized Keys ✓T1114 · Email Collection ✓T1114.001 · Local Email Collection ✓T1114.002 · Remote Email CollectionT1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1552 · Unsecured Credentials ✓T1552.004 · Private Keys ✓T1557 · Adversary-in-the-Middle ✓T1557.002 · ARP Cache Poisoning ✓T1558 · Steal or Forge Kerberos Tickets ✓T1558.002 · Silver TicketT1558.003 · Kerberoasting ✓T1558.004 · AS-REP RoastingT1563.001 · SSH HijackingT1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1649 · Steal or Forge Authentication Certificates ✓T1659 · Content Injection
PR.PS-01.07 Cryptographic keys and certificates 56/78 detectable
T1003 · OS Credential Dumping ✓T1003.001 · LSASS Memory ✓T1003.003 · NTDS ✓T1020 · Automated Exfiltration ✓T1020.001 · Traffic DuplicationT1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.004 · SSH ✓T1021.007 · Cloud Services ✓T1040 · Network Sniffing ✓T1070 · Indicator Removal ✓T1070.001 · Clear Windows Event Logs ✓T1070.002 · Clear Linux or Mac System LogsT1072 · Software Deployment Tools ✓T1078 · Valid Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.002 · Additional Email Delegate PermissionsT1098.003 · Additional Cloud Roles ✓T1098.005 · Device Registration ✓T1098.006 · Additional Container Cluster RolesT1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.002 · Password Cracking ✓T1110.003 · Password SprayingT1110.004 · Credential StuffingT1114 · Email Collection ✓T1114.001 · Local Email Collection ✓T1114.002 · Remote Email CollectionT1114.003 · Email Forwarding Rule ✓T1119 · Automated Collection ✓T1133 · External Remote Services ✓T1136 · Create Account ✓T1136.001 · Local Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1199 · Trusted Relationship ✓T1213 · Data from Information Repositories ✓T1213.003 · Code Repositories ✓T1485 · Data Destruction ✓T1530 · Data from Cloud StorageT1539 · Steal Web Session Cookie ✓T1547 · Boot or Logon Autostart Execution ✓T1547.008 · LSASS Driver ✓T1550 · Use Alternate Authentication Material ✓T1550.001 · Application Access Token ✓T1552 · Unsecured Credentials ✓T1552.004 · Private Keys ✓T1556 · Modify Authentication Process ✓T1556.001 · Domain Controller AuthenticationT1556.003 · Pluggable Authentication ModulesT1556.004 · Network Device Authentication ✓T1556.006 · Multi-Factor Authentication ✓T1556.007 · Hybrid IdentityT1557 · Adversary-in-the-Middle ✓T1557.002 · ARP Cache Poisoning ✓T1558 · Steal or Forge Kerberos Tickets ✓T1558.002 · Silver TicketT1558.003 · Kerberoasting ✓T1558.004 · AS-REP RoastingT1558.005 · Ccache FilesT1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓T1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓T1601 · Modify System ImageT1601.001 · Patch System ImageT1601.002 · Downgrade System ImageT1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1621 · Multi-Factor Authentication Request Generation ✓T1649 · Steal or Forge Authentication Certificates ✓T1659 · Content Injection
PR.PS-01.08 End-user device protection 64/92 detectable
T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.002 · SMB/Windows Admin Shares ✓T1021.005 · VNC ✓T1027 · Obfuscated Files or Information ✓T1027.002 · Software Packing ✓T1027.009 · Embedded Payloads ✓T1027.010 · Command Obfuscation ✓T1027.012 · LNK Icon SmugglingT1027.013 · Encrypted/Encoded FileT1027.014 · Polymorphic CodeT1036 · Masquerading ✓T1036.008 · Masquerade File TypeT1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1052 · Exfiltration Over Physical MediumT1052.001 · Exfiltration over USBT1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.005 · Visual Basic ✓T1059.006 · Python ✓T1071 · Application Layer Protocol ✓T1071.004 · DNS ✓T1071.005 · Publish/Subscribe ProtocolsT1080 · Taint Shared ContentT1090 · Proxy ✓T1090.003 · Multi-hop Proxy ✓T1091 · Replication Through Removable Media ✓T1095 · Non-Application Layer Protocol ✓T1133 · External Remote Services ✓T1187 · Forced Authentication ✓T1190 · Exploit Public-Facing Application ✓T1197 · BITS Jobs ✓T1200 · Hardware Additions ✓T1205 · Traffic Signaling ✓T1205.001 · Port Knocking ✓T1205.002 · Socket FiltersT1218 · System Binary Proxy Execution ✓T1218.012 · VerclsidT1219 · Remote Access Tools ✓T1221 · Template Injection ✓T1498 · Network Denial of Service ✓T1498.001 · Direct Network FloodT1498.002 · Reflection AmplificationT1499 · Endpoint Denial of Service ✓T1499.001 · OS Exhaustion Flood ✓T1499.002 · Service Exhaustion FloodT1499.003 · Application Exhaustion FloodT1499.004 · Application or System Exploitation ✓T1530 · Data from Cloud StorageT1537 · Transfer Data to Cloud Account ✓T1542 · Pre-OS BootT1542.005 · TFTP BootT1546 · Event Triggered Execution ✓T1546.008 · Accessibility Features ✓T1547 · Boot or Logon Autostart Execution ✓T1547.006 · Kernel Modules and Extensions ✓T1552 · Unsecured Credentials ✓T1552.005 · Cloud Instance Metadata API ✓T1552.007 · Container API ✓T1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1557.003 · DHCP Spoofing ✓T1563 · Remote Service Session HijackingT1563.002 · RDP Hijacking ✓T1564 · Hide Artifacts ✓T1564.012 · File/Path ExclusionsT1566.001 · Spearphishing Attachment ✓T1566.003 · Spearphishing via ServiceT1570 · Lateral Tool Transfer ✓T1572 · Protocol Tunneling ✓T1574 · Hijack Execution Flow ✓T1574.001 · DLL ✓T1574.002 · DLL Side-LoadingT1574.006 · Dynamic Linker Hijacking ✓T1574.007 · Path Interception by PATH Environment Variable ✓T1574.008 · Path Interception by Search Order Hijacking ✓T1574.009 · Path Interception by Unquoted Path ✓T1574.012 · COR_PROFILER ✓T1574.013 · KernelCallbackTableT1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration DumpT1609 · Container Administration Command ✓T1610 · Deploy Container ✓T1612 · Build Image on HostT1613 · Container and Resource Discovery ✓
PR.PS-01.09 Virtualized end point protection 23/32 detectable
T1021.002 · SMB/Windows Admin Shares ✓T1027.006 · HTML SmugglingT1039 · Data from Network Shared Drive ✓T1068 · Exploitation for Privilege Escalation ✓T1080 · Taint Shared ContentT1098 · Account Manipulation ✓T1129 · Shared Modules ✓T1189 · Drive-by Compromise ✓T1190 · Exploit Public-Facing Application ✓T1203 · Exploitation for Client Execution ✓T1204 · User Execution ✓T1204.003 · Malicious ImageT1210 · Exploitation of Remote Services ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓T1213 · Data from Information Repositories ✓T1485 · Data Destruction ✓T1525 · Implant Internal Image ✓T1552.001 · Credentials In Files ✓T1562 · Impair Defenses ✓T1564.006 · Run Virtual Instance ✓T1567 · Exfiltration Over Web Service ✓T1570 · Lateral Tool Transfer ✓T1578 · Modify Cloud Compute Infrastructure ✓T1578.001 · Create SnapshotT1578.002 · Create Cloud InstanceT1578.003 · Delete Cloud Instance ✓T1578.004 · Revert Cloud InstanceT1578.005 · Modify Cloud Compute ConfigurationsT1611 · Escape to Host ✓T1612 · Build Image on HostT1651 · Cloud Administration Command
PR.PS-02.01 Patch identification and application 26/34 detectable
T1068 · Exploitation for Privilege Escalation ✓T1072 · Software Deployment Tools ✓T1137 · Office Application Startup ✓T1137.003 · Outlook Forms ✓T1137.004 · Outlook Home PageT1137.005 · Outlook RulesT1176 · Software ExtensionsT1189 · Drive-by Compromise ✓T1190 · Exploit Public-Facing Application ✓T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1195.002 · Compromise Software Supply Chain ✓T1210 · Exploitation of Remote Services ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓T1495 · Firmware Corruption ✓T1539 · Steal Web Session Cookie ✓T1542 · Pre-OS BootT1542.001 · System Firmware ✓T1546 · Event Triggered Execution ✓T1546.010 · AppInit DLLs ✓T1546.011 · Application Shimming ✓T1548 · Abuse Elevation Control Mechanism ✓T1548.002 · Bypass User Account Control ✓T1550.002 · Pass the Hash ✓T1552.006 · Group Policy Preferences ✓T1555 · Credentials from Password Stores ✓T1555.003 · Credentials from Web Browsers ✓T1555.005 · Password Managers ✓T1574 · Hijack Execution Flow ✓T1574.002 · DLL Side-LoadingT1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration Dump
PR.PS-05.01 Malware prevention 13/18 detectable
T1027 · Obfuscated Files or Information ✓T1027.002 · Software Packing ✓T1027.009 · Embedded Payloads ✓T1027.010 · Command Obfuscation ✓T1027.013 · Encrypted/Encoded FileT1027.014 · Polymorphic CodeT1036 · Masquerading ✓T1036.008 · Masquerade File TypeT1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.005 · Visual Basic ✓T1059.006 · Python ✓T1080 · Taint Shared ContentT1221 · Template Injection ✓T1547.006 · Kernel Modules and Extensions ✓T1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1566.003 · Spearphishing via Service
PR.PS-05.02 Mobile code prevention 40/55 detectable
T1021 · Remote Services ✓T1021.003 · Distributed Component Object Model ✓T1036 · Masquerading ✓T1036.001 · Invalid Code SignatureT1036.005 · Match Legitimate Resource Name or Location ✓T1036.008 · Masquerade File TypeT1047 · Windows Management Instrumentation ✓T1055 · Process Injection ✓T1055.001 · Dynamic-link Library Injection ✓T1055.002 · Portable Executable InjectionT1055.003 · Thread Execution Hijacking ✓T1055.004 · Asynchronous Procedure CallT1055.005 · Thread Local StorageT1055.008 · Ptrace System Calls ✓T1055.009 · Proc Memory ✓T1055.011 · Extra Window Memory Injection ✓T1055.012 · Process Hollowing ✓T1055.013 · Process DoppelgängingT1055.014 · VDSO HijackingT1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.002 · AppleScript ✓T1059.005 · Visual Basic ✓T1059.006 · Python ✓T1059.007 · JavaScript ✓T1127.002 · ClickOnceT1137 · Office Application Startup ✓T1137.001 · Office Template MacrosT1137.002 · Office Test ✓T1137.003 · Outlook Forms ✓T1137.004 · Outlook Home PageT1137.005 · Outlook RulesT1137.006 · Add-ins ✓T1189 · Drive-by Compromise ✓T1190 · Exploit Public-Facing Application ✓T1203 · Exploitation for Client Execution ✓T1210 · Exploitation of Remote Services ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓T1218.001 · Compiled HTML File ✓T1218.002 · Control Panel ✓T1218.003 · CMSTP ✓T1218.004 · InstallUtilT1218.005 · Mshta ✓T1218.008 · Odbcconf ✓T1218.009 · Regsvcs/Regasm ✓T1218.012 · VerclsidT1218.013 · Mavinject ✓T1218.014 · MMC ✓T1218.015 · Electron ApplicationsT1548 · Abuse Elevation Control Mechanism ✓T1548.004 · Elevated Execution with PromptT1559 · Inter-Process Communication ✓T1559.001 · Component Object Model ✓T1559.002 · Dynamic Data Exchange ✓
PR.PS-05.03 Email and message service protection 5/10 detectable
T1071.003 · Mail ProtocolsT1204.001 · Malicious Link ✓T1204.002 · Malicious File ✓T1566 · Phishing ✓T1566.001 · Spearphishing Attachment ✓T1566.002 · Spearphishing Link ✓T1566.003 · Spearphishing via ServiceT1566.004 · Spearphishing VoiceT1598 · Phishing for InformationT1598.003 · Spearphishing Link
PR.PS-06.01 Secure SDLC process 15/21 detectable
T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1212 · Exploitation for Credential Access ✓T1496.003 · SMS PumpingT1550 · Use Alternate Authentication Material ✓T1550.001 · Application Access Token ✓T1559 · Inter-Process Communication ✓T1559.003 · XPC ServicesT1564 · Hide Artifacts ✓T1564.009 · Resource ForkingT1564.012 · File/Path ExclusionsT1574 · Hijack Execution Flow ✓T1574.002 · DLL Side-LoadingT1593 · Search Open Websites/Domains ✓T1593.003 · Code Repositories ✓T1647 · Plist File Modification
PR.PS-06.05 Testing and validation strategy 9/10 detectable
T1036.001 · Invalid Code SignatureT1068 · Exploitation for Privilege Escalation ✓T1127 · Trusted Developer Utilities Proxy Execution ✓T1190 · Exploit Public-Facing Application ✓T1203 · Exploitation for Client Execution ✓T1210 · Exploitation of Remote Services ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓T1505 · Server Software Component ✓T1554 · Compromise Host Software Binary ✓
PR.PS-06.06 Vulnerability remediation 13/18 detectable
T1068 · Exploitation for Privilege Escalation ✓T1137 · Office Application Startup ✓T1137.003 · Outlook Forms ✓T1137.004 · Outlook Home PageT1137.005 · Outlook RulesT1176 · Software ExtensionsT1190 · Exploit Public-Facing Application ✓T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1195.002 · Compromise Software Supply Chain ✓T1203 · Exploitation for Client Execution ✓T1210 · Exploitation of Remote Services ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓T1495 · Firmware Corruption ✓T1542 · Pre-OS BootT1542.001 · System Firmware ✓T1542.002 · Component Firmware
PR.PS-06.07 Development and operational process alignment 13/18 detectable
T1078 · Valid Accounts ✓T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1212 · Exploitation for Credential Access ✓T1496 · Resource Hijacking ✓T1496.003 · SMS PumpingT1550 · Use Alternate Authentication Material ✓T1550.001 · Application Access Token ✓T1559 · Inter-Process Communication ✓T1559.003 · XPC ServicesT1564 · Hide Artifacts ✓T1564.009 · Resource ForkingT1564.012 · File/Path ExclusionsT1574 · Hijack Execution Flow ✓T1574.001 · DLL ✓T1593 · Search Open Websites/Domains ✓T1593.003 · Code Repositories ✓T1647 · Plist File Modification
Switch framework: NIST 800-53 · NIST CSF · CIS v8.1 · OWASP Web
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin