# TTPs - Tactics, Techniques and Procedures

The [MITRE ATT&CK Enterprise](https://attack.mitre.org/) framework organizes adversary behaviour along three complementary dimensions: **Tactics** (what the adversary wants to achieve), **Techniques** (how it achieves that) and **Procedures** (the specific implementation seen in a real attack). This vault documents all three levels, with coverage prioritized for campaigns that affect Brazil and Latin America.

---

## Section 1 - Tactics

**Tactics** are the adversary's tactical objectives - the reason behind each action taken during an attack. MITRE ATT&CK Enterprise defines **14 tactics**, arranged in the logical sequence of an intrusion, from preparation to final impact. Each tactic is a container for a set of techniques.

Understanding tactics is what makes defense in depth possible: instead of blocking specific tools, defenders identify and disrupt whole categories of adversary behaviour.

```mermaid
graph TB
    subgraph killchain["MITRE ATT&CK Enterprise - 14 Tactics"]
        RECON["TA0043<br/>Reconnaissance"]
        RA["TA0042<br/>Resource<br/>Development"]
        IA["TA0001<br/>Initial<br/>Access"]
        EXEC["TA0002<br/>Execution"]
        PERS["TA0003<br/>Persistence"]
        PE["TA0004<br/>Privilege<br/>Escalation"]
        DE["TA0005<br/>Defense<br/>Evasion"]
        CA["TA0006<br/>Credential<br/>Access"]
        DISC["TA0007<br/>Discovery"]
        LM["TA0008<br/>Lateral<br/>Movement"]
        COLL["TA0009<br/>Collection"]
        C2["TA0011<br/>Command<br/>& Control"]
        EX["TA0010<br/>Exfiltration"]
        IMP["TA0040<br/>Impact"]
    end
    RECON --> RA --> IA --> EXEC --> PERS --> PE --> DE --> CA --> DISC --> LM --> COLL --> C2 --> EX --> IMP
    classDef tactic fill:#1a3a5c,color:#fff,stroke:#2980b9
    class RECON,RA,IA,EXEC,PERS,PE,DE,CA,DISC,LM,COLL,C2,EX,IMP tactic
```

> [!info] ATT&CK coverage
> The 14 Enterprise tactics represent the full structure of an intrusion - from initial reconnaissance to impact on the target. The arrows show the conventional matrix order, not a required sequence: real intrusions skip and revisit tactics (Discovery and Lateral Movement usually alternate), and a single technique can serve more than one tactic (T1053 Scheduled Task/Job is listed under Execution, Persistence and Privilege Escalation).

Each tactic note details the associated techniques, the actors that use them and the recommended defensive controls.

### Tactics Documented in the Vault

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Note", mitre-id AS "ID", mitre-tactic AS "Tactic", technique-count AS "Techniques"
FROM "ttp/techniques"
WHERE type = "tactic"
SORT mitre-id ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Note", mitre-id AS "ID", mitre-tactic AS "Tactic", technique-count AS "Techniques" FROM "ttp/techniques" WHERE type = "tactic" SORT mitre-id ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Note", mitre-id AS "ID", mitre-tactic AS "Tactic", technique-count AS "Techniques" FROM "ttp/techniques" WHERE type = "tactic" SORT mitre-id ASC -->
| Note | ID | Tactic | Techniques |
| ---- | -- | ------ | ---------- |
<!-- SerializedQuery END -->

---

## Section 2 - Techniques

**Techniques** describe *how* an adversary achieves a tactical objective. A tactic can have dozens of associated techniques, and each technique can have sub-techniques that describe specific implementations (T1003 OS Credential Dumping, for instance, has T1003.001 LSASS Memory through T1003.008 /etc/passwd and /etc/shadow).

The vault documents **740 techniques and sub-techniques** from MITRE ATT&CK Enterprise - complete coverage, with a focus on campaigns that affect LATAM. Two caveats when reading the table below: a technique that has more than one note in the vault appears once per note (T1021.002 SMB/Windows Admin Shares has three), so the row count overstates the technique count, and the table also picks up T0866, which belongs to ATT&CK for ICS rather than to the Enterprise matrix.
### Techniques by Tactic

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Note", mitre-id AS "ATT&CK ID", mitre-tactic AS "Tactic", join(platforms, ", ") AS "Platforms"
FROM "ttp/techniques"
WHERE type = "technique"
SORT mitre-id ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Note", mitre-id AS "ATT&CK ID", mitre-tactic AS "Tactic", join(platforms, ", ") AS "Platforms" FROM "ttp/techniques" WHERE type = "technique" SORT mitre-id ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Note", mitre-id AS "ATT&CK ID", mitre-tactic AS "Tactic", join(platforms, ", ") AS "Platforms" FROM "ttp/techniques" WHERE type = "technique" SORT mitre-id ASC -->
| Note | ATT&CK ID | Tactic | Platforms |
| ---- | --------- | ------ | --------- |
| [[t0866-exploitation-of-remote-services-ics\|T0866 - Exploitation of Remote Services (ICS)]] | T0866 | Lateral Movement (ICS) | ICS/OT |
| [[t1001-data-obfuscation\|T1001 - Data Obfuscation]] | T1001 | Command and Control | ESXi, Linux, macOS, Windows |
| [[t1001-001-junk-data\|T1001.001 - Junk Data]] | T1001.001 | Command and Control | ESXi, Linux, macOS, Windows |
| [[t1001-002-steganography\|T1001.002 - Steganography]] | T1001.002 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1001-003-protocol-or-service-impersonation\|T1001.003 - Protocol or Service Impersonation]] | T1001.003 | Command and Control | ESXi, Linux, macOS, Windows |
| [[t1003-os-credential-dumping\|T1003 - OS Credential Dumping]] | T1003 | Credential Access | Linux, macOS, Windows |
| [[t1003-001-lsass-memory\|T1003.001 - LSASS Memory]] | T1003.001 | Credential Access | Windows |
| [[t1003-002-security-account-manager\|T1003.002 - Security Account Manager]] | T1003.002 | Credential Access | Windows |
| [[t1003-003-ntds\|T1003.003 - NTDS]] | T1003.003 | Credential Access | Windows |
| [[t1003-004-lsa-secrets\|T1003.004 - LSA Secrets]] | T1003.004 | Credential Access | Windows |
| [[t1003-005-cached-domain-credentials\|T1003.005 - Cached Domain Credentials]] | T1003.005 | Credential Access | Windows, Linux |
| [[t1003-006-dcsync\|T1003.006 - DCSync]] | T1003.006 | Credential Access | Windows |
| [[t1003-007-proc-filesystem\|T1003.007 - Proc Filesystem]] | T1003.007 | Credential Access | Linux |
| [[t1003-008-etcpasswd-and-etcshadow\|T1003.008 - /etc/passwd and /etc/shadow]] | T1003.008 | Credential Access | Linux |
| [[t1005-data-from-local-system\|T1005 - Data from Local System]] | T1005 | Collection | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1006-direct-volume-access\|T1006 - Direct Volume Access]] | T1006 | Defense Evasion | Network Devices, Windows |
| [[t1007-system-service-discovery\|T1007 - System Service Discovery]] | T1007 | Discovery | Linux, macOS, Windows |
| [[t1008-fallback-channels\|T1008 - Fallback Channels]] | T1008 | Command and Control | Linux, Windows, macOS, ESXi |
| [[t1010-application-window-discovery\|T1010 - Application Window Discovery]] | T1010 | Discovery | Linux, Windows, macOS |
| [[t1011-exfiltration-over-other-network-medium\|T1011 - Exfiltration Over Other Network Medium]] | T1011 | Exfiltration | Linux, macOS, Windows |
| [[t1011-001-exfiltration-over-bluetooth\|T1011.001 - Exfiltration Over Bluetooth]] | T1011.001 | Exfiltration | Linux, macOS, Windows |
| [[t1012-query-registry\|T1012 - Query Registry]] | T1012 | Discovery | Windows |
| [[t1014-rootkit\|T1014 - Rootkit]] | T1014 | Defense Evasion | Linux, macOS, Windows |
| [[t1016-system-network-configuration-discovery\|T1016 - System Network Configuration Discovery]] | T1016 | Discovery | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1016-001-internet-connection-discovery\|T1016.001 - Internet Connection Discovery]] | T1016.001 | Discovery | Windows, Linux, macOS, ESXi |
| [[t1016-002-wi-fi-discovery\|T1016.002 - Wi-Fi Discovery]] | T1016.002 | Discovery | Linux, Windows, macOS |
| [[t1018-remote-system-discovery\|T1018 - Remote System Discovery]] | T1018 | Discovery | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1020-automated-exfiltration\|T1020 - Automated Exfiltration]] | T1020 | Exfiltration | Linux, macOS, Network Devices, Windows |
| [[t1020-001-traffic-duplication\|T1020.001 - Traffic Duplication]] | T1020.001 | Exfiltration | Network Devices, IaaS |
| [[t1021-remote-services\|T1021 - Remote Services]] | T1021 | Lateral Movement | Linux, macOS, Windows, IaaS, ESXi |
| [[t1021-001-remote-desktop-protocol\|T1021.001 - Remote Desktop Protocol]] | T1021.001 | Lateral Movement | Windows |
| [[t1021-002-smb-windows-admin-shares-lateral\|T1021.002 - SMB/Windows Admin Shares]] | T1021.002 | Lateral Movement | Windows |
| [[t1021-002-smb-windows-admin-shares\|T1021.002 - SMB/Windows Admin Shares]] | T1021.002 | Lateral Movement | Windows |
| [[t1021-002-smbwindows-admin-shares\|T1021.002 - SMB/Windows Admin Shares]] | T1021.002 | Lateral Movement | Windows |
| [[t1021-003-distributed-component-object-model\|T1021.003 - Distributed Component Object Model]] | T1021.003 | Lateral Movement | Windows |
| [[t1021-004-ssh\|T1021.004 - SSH]] | T1021.004 | Lateral Movement | ESXi, Linux, macOS |
| [[t1021-005-vnc\|T1021.005 - VNC]] | T1021.005 | Lateral Movement | Linux, Windows, macOS |
| [[t1021-006-windows-remote-management\|T1021.006 - Windows Remote Management]] | T1021.006 | Lateral Movement | Windows |
| [[t1021-007-cloud-services\|T1021.007 - Cloud Services]] | T1021.007 | Lateral Movement | IaaS, Identity Provider, Office Suite, SaaS |
| [[t1021-008-direct-cloud-vm-connections\|T1021.008 - Direct Cloud VM Connections]] | T1021.008 | Lateral Movement | IaaS |
| [[t1025-data-from-removable-media\|T1025 - Data from Removable Media]] | T1025 | Collection | Linux, macOS, Windows |
| [[t1027-obfuscated-files-or-information\|T1027 - Obfuscated Files or Information]] | T1027 | Defense Evasion | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1027-obfuscated-files\|T1027 - Obfuscated Files or Information]] | T1027 | Defense Evasion | Windows, Linux, macOS |
| [[t1027-001-binary-padding\|T1027.001 - Binary Padding]] | T1027.001 | Defense Evasion | Linux, Windows, macOS |
| [[t1027-002-software-packing\|T1027.002 - Software Packing]] | T1027.002 | Defense Evasion | Linux, macOS, Windows |
| [[t1027-003-steganography\|T1027.003 - Steganography]] | T1027.003 | Defense Evasion | Linux, macOS, Windows |
| [[t1027-004-compile-after-delivery\|T1027.004 - Compile After Delivery]] | T1027.004 | Defense Evasion | Linux, macOS, Windows |
| [[t1027-005-indicator-removal-from-tools\|T1027.005 - Indicator Removal from Tools]] | T1027.005 | Defense Evasion | Linux, macOS, Windows |
| [[t1027-006-html-smuggling\|T1027.006 - HTML Smuggling]] | T1027.006 | Defense Evasion | Windows, Linux, macOS |
| [[t1027-007-dynamic-api-resolution\|T1027.007 - Dynamic API Resolution]] | T1027.007 | Defense Evasion | Windows |
| [[t1027-008-stripped-payloads\|T1027.008 - Stripped Payloads]] | T1027.008 | Defense Evasion | macOS, Linux, Windows, Network Devices |
| [[t1027-009-embedded-payloads\|T1027.009 - Embedded Payloads]] | T1027.009 | Defense Evasion | Linux, macOS, Windows |
| [[t1027-010-command-obfuscation\|T1027.010 - Command Obfuscation]] | T1027.010 | Defense Evasion | Linux, macOS, Windows |
| [[t1027-011-fileless-storage\|T1027.011 - Fileless Storage]] | T1027.011 | Defense Evasion | Windows, Linux |
| [[t1027-012-lnk-icon-smuggling\|T1027.012 - LNK Icon Smuggling]] | T1027.012 | Defense Evasion | Windows |
| [[t1027-013-encryptedencoded-file\|T1027.013 - Encrypted/Encoded File]] | T1027.013 | Defense Evasion | Linux, macOS, Windows |
| [[t1027-014-polymorphic-code\|T1027.014 - Polymorphic Code]] | T1027.014 | Defense Evasion | Windows, macOS, Linux |
| [[t1027-015-compression\|T1027.015 - Compression]] | T1027.015 | Defense Evasion | Linux, Windows, macOS |
| [[t1027-016-junk-code-insertion\|T1027.016 - Junk Code Insertion]] | T1027.016 | Defense Evasion | Linux, macOS, Windows |
| [[t1027-017-svg-smuggling\|T1027.017 - SVG Smuggling]] | T1027.017 | Defense Evasion | Linux, macOS, Windows |
| [[t1029-scheduled-transfer\|T1029 - Scheduled Transfer]] | T1029 | Exfiltration | Linux, macOS, Windows |
| [[t1030-data-transfer-size-limits\|T1030 - Data Transfer Size Limits]] | T1030 | Exfiltration | Linux, macOS, Windows, ESXi |
| [[t1033-system-owneruser-discovery\|T1033 - System Owner/User Discovery]] | T1033 | Discovery | Linux, macOS, Network Devices, Windows |
| [[t1036-masquerading\|T1036 - Masquerading]] | T1036 | Defense Evasion | Containers, ESXi, Linux, macOS, Windows |
| [[t1036-001-invalid-code-signature\|T1036.001 - Invalid Code Signature]] | T1036.001 | Defense Evasion | Windows, macOS |
| [[t1036-002-right-to-left-override\|T1036.002 - Right-to-Left Override]] | T1036.002 | Defense Evasion | Linux, macOS, Windows |
| [[t1036-003-rename-legitimate-utilities\|T1036.003 - Rename Legitimate Utilities]] | T1036.003 | Defense Evasion | Linux, macOS, Windows |
| [[t1036-004-masquerade-task-or-service\|T1036.004 - Masquerade Task or Service]] | T1036.004 | Defense Evasion | Linux, macOS, Windows |
| [[t1036-005-match-legitimate-resource-name-or-location\|T1036.005 - Match Legitimate Resource Name or Location]] | T1036.005 | Defense Evasion | Containers, ESXi, Linux, macOS, Windows |
| [[t1036-006-space-after-filename\|T1036.006 - Space after Filename]] | T1036.006 | Defense Evasion | Linux, macOS |
| [[t1036-007-double-file-extension\|T1036.007 - Double File Extension]] | T1036.007 | Defense Evasion | Windows |
| [[t1036-008-masquerade-file-type\|T1036.008 - Masquerade File Type]] | T1036.008 | Defense Evasion | Linux, macOS, Windows |
| [[t1036-009-break-process-trees\|T1036.009 - Break Process Trees]] | T1036.009 | Defense Evasion | Linux, macOS |
| [[t1036-010-masquerade-account-name\|T1036.010 - Masquerade Account Name]] | T1036.010 | Defense Evasion | Linux, macOS, Windows, SaaS, IaaS, Containers, Office Suite, Identity Provider |
| [[t1036-011-overwrite-process-arguments\|T1036.011 - Overwrite Process Arguments]] | T1036.011 | Defense Evasion | Linux |
| [[t1036-012-browser-fingerprint\|T1036.012 - Browser Fingerprint]] | T1036.012 | Defense Evasion | Linux, macOS, Windows |
| [[t1037-boot-or-logon-initialization-scripts\|T1037 - Boot or Logon Initialization Scripts]] | T1037 | Persistence | macOS, Windows, Linux, Network Devices, ESXi |
| [[t1037-001-logon-script-windows\|T1037.001 - Logon Script (Windows)]] | T1037.001 | Persistence | Windows |
| [[t1037-002-login-hook\|T1037.002 - Login Hook]] | T1037.002 | Persistence | macOS |
| [[t1037-003-network-logon-script\|T1037.003 - Network Logon Script]] | T1037.003 | Persistence | Windows |
| [[t1037-004-rc-scripts\|T1037.004 - RC Scripts]] | T1037.004 | Persistence | macOS, Linux, Network Devices, ESXi |
| [[t1037-005-startup-items\|T1037.005 - Startup Items]] | T1037.005 | Persistence | macOS |
| [[t1039-data-from-network-shared-drive\|T1039 - Data from Network Shared Drive]] | T1039 | Collection | Linux, macOS, Windows |
| [[t1040-network-sniffing\|T1040 - Network Sniffing]] | T1040 | Credential Access | Linux, macOS, Windows, Network Devices, IaaS |
| [[t1041-exfiltration-c2\|T1041 - Exfiltration Over C2 Channel]] | T1041 | Exfiltration | Windows, macOS, Linux |
| [[t1041-exfiltration-over-c2-channel\|T1041 - Exfiltration Over C2 Channel]] | T1041 | Exfiltration | ESXi, Linux, macOS, Windows |
| [[t1046-network-service-discovery\|T1046 - Network Service Discovery]] | T1046 | Discovery | Containers, IaaS, Linux, macOS, Network Devices, Windows |
| [[t1047-windows-management-instrumentation\|T1047 - Windows Management Instrumentation]] | T1047 | Execution | Windows |
| [[t1048-exfiltration-alternative-protocol\|T1048 - Exfiltration Over Alternative Protocol]] | T1048 | Exfiltration | Windows, Linux, macOS, Network |
| [[t1048-exfiltration-over-alternative-protocol\|T1048 - Exfiltration Over Alternative Protocol]] | T1048 | Exfiltration | ESXi, IaaS, Linux, macOS, Network Devices, Office Suite, SaaS, Windows |
| [[t1048-001-exfiltration-over-symmetric-encrypted-non-c2-protocol\|T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol]] | T1048.001 | Exfiltration | Linux, macOS, Windows, ESXi |
| [[t1048-002-exfiltration-over-asymmetric-encrypted-non-c2-protocol\|T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol]] | T1048.002 | Exfiltration | Linux, macOS, Windows, ESXi |
| [[t1048-003-exfiltration-over-unencrypted-non-c2-protocol\|T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol]] | T1048.003 | Exfiltration | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1049-system-network-connections-discovery\|T1049 - System Network Connections Discovery]] | T1049 | Discovery | Windows, IaaS, Linux, macOS, Network Devices, ESXi |
| [[t1052-exfiltration-over-physical-medium\|T1052 - Exfiltration Over Physical Medium]] | T1052 | Exfiltration | Linux, macOS, Windows |
| [[t1052-001-exfiltration-over-usb\|T1052.001 - Exfiltration over USB]] | T1052.001 | Exfiltration | Linux, Windows, macOS |
| [[t1053-scheduled-task-job\|T1053 - Scheduled Task/Job]] | T1053 | Execution, Persistence, Privilege Escalation | Windows, Linux, macOS, Containers |
| [[t1053-scheduled-taskjob\|T1053 - Scheduled Task/Job]] | T1053 | Execution | Windows, Linux, macOS, Containers, ESXi |
| [[t1053-002-at\|T1053.002 - At]] | T1053.002 | Execution | Windows, Linux, macOS |
| [[t1053-003-cron\|T1053.003 - Cron]] | T1053.003 | Execution | Linux, macOS, ESXi |
| [[t1053-005-scheduled-task\|T1053.005 - Scheduled Task]] | T1053.005 | Execution | Windows |
| [[t1053-006-systemd-timers\|T1053.006 - Systemd Timers]] | T1053.006 | Execution | Linux |
| [[t1053-007-container-orchestration-job\|T1053.007 - Container Orchestration Job]] | T1053.007 | Execution | Containers |
| [[t1055-process-injection\|T1055 - Process Injection]] | T1055 | Defense Evasion | Linux, macOS, Windows |
| [[t1055-001-dynamic-link-library-injection\|T1055.001 - Dynamic-link Library Injection]] | T1055.001 | Defense Evasion | Windows |
| [[t1055-002-portable-executable-injection\|T1055.002 - Portable Executable Injection]] | T1055.002 | Defense Evasion | Windows |
| [[t1055-003-thread-execution-hijacking\|T1055.003 - Thread Execution Hijacking]] | T1055.003 | Defense Evasion | Windows |
| [[t1055-004-asynchronous-procedure-call\|T1055.004 - Asynchronous Procedure Call]] | T1055.004 | Defense Evasion | Windows |
| [[t1055-005-thread-local-storage\|T1055.005 - Thread Local Storage]] | T1055.005 | Defense Evasion | Windows |
| [[t1055-008-ptrace-system-calls\|T1055.008 - Ptrace System Calls]] | T1055.008 | Defense Evasion | Linux |
| [[t1055-009-proc-memory\|T1055.009 - Proc Memory]] | T1055.009 | Defense Evasion | Linux |
| [[t1055-011-extra-window-memory-injection\|T1055.011 - Extra Window Memory Injection]] | T1055.011 | Defense Evasion | Windows |
| [[t1055-012-process-hollowing\|T1055.012 - Process Hollowing]] | T1055.012 | Defense Evasion | Windows |
| [[t1055-013-process-doppelgnging\|T1055.013 - Process Doppelgänging]] | T1055.013 | Defense Evasion | Windows |
| [[t1055-014-vdso-hijacking\|T1055.014 - VDSO Hijacking]] | T1055.014 | Defense Evasion | Linux |
| [[t1055-015-listplanting\|T1055.015 - ListPlanting]] | T1055.015 | Defense Evasion | Windows |
| [[t1056-input-capture\|T1056 - Input Capture]] | T1056 | Collection | Linux, macOS, Network Devices, Windows |
| [[t1056-001-keylogging\|T1056.001 - Keylogging]] | T1056.001 | Collection | Linux, macOS, Network Devices, Windows |
| [[t1056-002-gui-input-capture\|T1056.002 - GUI Input Capture]] | T1056.002 | Collection | macOS, Windows, Linux |
| [[t1056-003-web-portal-capture\|T1056.003 - Web Portal Capture]] | T1056.003 | Collection | Linux, macOS, Windows |
| [[t1056-004-credential-api-hooking\|T1056.004 - Credential API Hooking]] | T1056.004 | Collection | Windows, Linux, macOS |
| [[t1057-process-discovery\|T1057 - Process Discovery]] | T1057 | Discovery | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1059-command-and-scripting-interpreter\|T1059 - Command and Scripting Interpreter]] | T1059 | Execution | ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows |
| [[t1059-command-scripting-interpreter\|T1059 - Command and Scripting Interpreter]] | T1059 | Execution | Windows, macOS, Linux, Network |
| [[t1059-001-powershell\|T1059.001 - PowerShell]] | T1059.001 | Execution | Windows |
| [[t1059-002-applescript\|T1059.002 - AppleScript]] | T1059.002 | Execution | macOS |
| [[t1059-003-windows-command-shell\|T1059.003 - Windows Command Shell]] | T1059.003 | Execution | Windows |
| [[t1059-004-unix-shell\|T1059.004 - Unix Shell]] | T1059.004 | Execution | ESXi, Linux, macOS, Network Devices |
| [[t1059-005-visual-basic\|T1059.005 - Visual Basic]] | T1059.005 | Execution | Linux, macOS, Windows |
| [[t1059-006-python\|T1059.006 - Python]] | T1059.006 | Execution | ESXi, Linux, macOS, Windows |
| [[t1059-007-javascript\|T1059.007 - JavaScript]] | T1059.007 | Execution | Linux, macOS, Windows |
| [[t1059-008-network-device-cli\|T1059.008 - Network Device CLI]] | T1059.008 | Execution | Network Devices |
| [[t1059-009-cloud-api\|T1059.009 - Cloud API]] | T1059.009 | Execution | IaaS, Identity Provider, Office Suite, SaaS |
| [[t1059-010-autohotkey-autoit\|T1059.010 - AutoHotKey & AutoIT]] | T1059.010 | Execution | Windows |
| [[t1059-011-lua\|T1059.011 - Lua]] | T1059.011 | Execution | Linux, Network Devices, Windows, macOS |
| [[t1059-012-hypervisor-cli\|T1059.012 - Hypervisor CLI]] | T1059.012 | Execution | ESXi |
| [[t1059-013-container-cliapi\|T1059.013 - Container CLI/API]] | T1059.013 | Execution | Containers |
| [[t1068-exploitation-for-privilege-escalation\|T1068 - Exploitation for Privilege Escalation]] | T1068 | Privilege Escalation | Containers, Linux, macOS, Windows |
| [[t1068-exploitation-privilege-escalation\|T1068 - Exploitation for Privilege Escalation]] | T1068 | Privilege Escalation | Windows, Linux, macOS |
| [[t1069-permission-groups-discovery\|T1069 - Permission Groups Discovery]] | T1069 | Discovery | Containers, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows |
| [[t1069-001-local-groups\|T1069.001 - Local Groups]] | T1069.001 | Discovery | Linux, macOS, Windows |
| [[t1069-002-domain-groups\|T1069.002 - Domain Groups]] | T1069.002 | Discovery | Linux, macOS, Windows |
| [[t1069-003-cloud-groups\|T1069.003 - Cloud Groups]] | T1069.003 | Discovery | SaaS, IaaS, Office Suite, Identity Provider |
| [[t1070-indicator-removal\|T1070 - Indicator Removal]] | T1070 | Defense Evasion | Containers, ESXi, Linux, macOS, Network Devices, Office Suite, Windows |
| [[t1070-001-clear-windows-event-logs\|T1070.001 - Clear Windows Event Logs]] | T1070.001 | Defense Evasion | Windows |
| [[t1070-002-clear-linux-or-mac-system-logs\|T1070.002 - Clear Linux or Mac System Logs]] | T1070.002 | Defense Evasion | Linux, macOS |
| [[t1070-003-clear-command-history\|T1070.003 - Clear Command History]] | T1070.003 | Defense Evasion | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1070-004-file-deletion\|T1070.004 - File Deletion]] | T1070.004 | Defense Evasion | ESXi, Linux, macOS, Windows |
| [[t1070-005-network-share-connection-removal\|T1070.005 - Network Share Connection Removal]] | T1070.005 | Defense Evasion | Windows |
| [[t1070-006-timestomp\|T1070.006 - Timestomp]] | T1070.006 | Defense Evasion | ESXi, Linux, macOS, Windows |
| [[t1070-007-clear-network-connection-history-and-configurations\|T1070.007 - Clear Network Connection History and Configurations]] | T1070.007 | Defense Evasion | Linux, macOS, Windows, Network Devices |
| [[t1070-008-clear-mailbox-data\|T1070.008 - Clear Mailbox Data]] | T1070.008 | Defense Evasion | Linux, macOS, Office Suite, Windows |
| [[t1070-009-clear-persistence\|T1070.009 - Clear Persistence]] | T1070.009 | Defense Evasion | ESXi, Linux, Windows, macOS |
| [[t1070-010-relocate-malware\|T1070.010 - Relocate Malware]] | T1070.010 | Defense Evasion | Linux, macOS, Windows, Network Devices |
| [[t1071-application-layer-protocol\|T1071 - Application Layer Protocol]] | T1071 | Command and Control | Linux, macOS, Windows, Network Devices, ESXi |
| [[t1071-001-web-protocols\|T1071.001 - Web Protocols]] | T1071.001 | Command and Control | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1071-002-file-transfer-protocols\|T1071.002 - File Transfer Protocols]] | T1071.002 | Command and Control | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1071-003-mail-protocols\|T1071.003 - Mail Protocols]] | T1071.003 | Command and Control | Linux, macOS, Network Devices, Windows |
| [[t1071-004-dns\|T1071.004 - DNS]] | T1071.004 | Command and Control | Linux, macOS, Windows, Network Devices, ESXi |
| [[t1071-005-publishsubscribe-protocols\|T1071.005 - Publish/Subscribe Protocols]] | T1071.005 | Command and Control | macOS, Linux, Windows, Network Devices |
| [[t1072-software-deployment-tools\|T1072 - Software Deployment Tools]] | T1072 | Execution | Linux, macOS, Network Devices, SaaS, Windows |
| [[t1074-data-staged\|T1074 - Data Staged]] | T1074 | Collection | Windows, IaaS, Linux, macOS, ESXi |
| [[t1074-001-local-data-staging\|T1074.001 - Local Data Staging]] | T1074.001 | Collection | ESXi, Linux, macOS, Windows |
| [[t1074-002-remote-data-staging\|T1074.002 - Remote Data Staging]] | T1074.002 | Collection | Windows, IaaS, Linux, macOS, ESXi |
| [[t1078-valid-accounts\|T1078 - Valid Accounts]] | T1078 | Defense Evasion | Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows |
| [[t1078-001-default-accounts\|T1078.001 - Default Accounts]] | T1078.001 | Defense Evasion | Windows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, ESXi, Office Suite, Identity Provider |
| [[t1078-002-domain-accounts\|T1078.002 - Domain Accounts]] | T1078.002 | Defense Evasion | ESXi, Linux, macOS, Windows |
| [[t1078-003-local-accounts\|T1078.003 - Local Accounts]] | T1078.003 | Defense Evasion | Linux, macOS, Windows, Containers, Network Devices, ESXi |
| [[t1078-004-cloud-accounts\|T1078.004 - Cloud Accounts]] | T1078.004 | Defense Evasion | IaaS, Identity Provider, Office Suite, SaaS |
| [[t1080-taint-shared-content\|T1080 - Taint Shared Content]] | T1080 | Lateral Movement | Windows, SaaS, Linux, macOS, Office Suite |
| [[t1082-system-information-discovery\|T1082 - System Information Discovery]] | T1082 | Discovery | ESXi, IaaS, Linux, macOS, Network Devices, Windows |
| [[t1083-file-and-directory-discovery\|T1083 - File and Directory Discovery]] | T1083 | Discovery | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1087-account-discovery\|T1087 - Account Discovery]] | T1087 | Discovery | ESXi, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows |
| [[t1087-001-local-account\|T1087.001 - Local Account]] | T1087.001 | Discovery | ESXi, Linux, macOS, Windows |
| [[t1087-002-domain-account\|T1087.002 - Domain Account]] | T1087.002 | Discovery | Linux, macOS, Windows |
| [[t1087-003-email-account\|T1087.003 - Email Account]] | T1087.003 | Discovery | Windows, Office Suite |
| [[t1087-004-cloud-account\|T1087.004 - Cloud Account]] | T1087.004 | Discovery | IaaS, Identity Provider, Office Suite, SaaS |
| [[t1090-proxy\|T1090 - Proxy]] | T1090 | Command and Control | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1090-001-internal-proxy\|T1090.001 - Internal Proxy]] | T1090.001 | Command and Control | Linux, Network Devices, Windows, macOS, ESXi |
| [[t1090-002-external-proxy\|T1090.002 - External Proxy]] | T1090.002 | Command and Control | ESXi, Linux, Network Devices, Windows, macOS |
| [[t1090-003-multi-hop-proxy\|T1090.003 - Multi-hop Proxy]] | T1090.003 | Command and Control | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1090-004-domain-fronting\|T1090.004 - Domain Fronting]] | T1090.004 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1091-replication-through-removable-media\|T1091 - Replication Through Removable Media]] | T1091 | Lateral Movement | Windows |
| [[t1092-communication-through-removable-media\|T1092 - Communication Through Removable Media]] | T1092 | Command and Control | Linux, macOS, Windows |
| [[t1095-non-application-layer-protocol\|T1095 - Non-Application Layer Protocol]] | T1095 | Command and Control | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1098-account-manipulation\|T1098 - Account Manipulation]] | T1098 | Persistence | Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows |
| [[t1098-001-additional-cloud-credentials\|T1098.001 - Additional Cloud Credentials]] | T1098.001 | Persistence | IaaS, Identity Provider, SaaS |
| [[t1098-002-additional-email-delegate-permissions\|T1098.002 - Additional Email Delegate Permissions]] | T1098.002 | Persistence | Windows, Office Suite |
| [[t1098-003-additional-cloud-roles\|T1098.003 - Additional Cloud Roles]] | T1098.003 | Persistence | IaaS, Identity Provider, Office Suite, SaaS |
| [[t1098-004-ssh-authorized-keys\|T1098.004 - SSH Authorized Keys]] | T1098.004 | Persistence | Linux, macOS, IaaS, Network Devices, ESXi |
| [[t1098-005-device-registration\|T1098.005 - Device Registration]] | T1098.005 | Persistence | Windows, Identity Provider |
| [[t1098-006-additional-container-cluster-roles\|T1098.006 - Additional Container Cluster Roles]] | T1098.006 | Persistence | Containers |
| [[t1098-007-additional-local-or-domain-groups\|T1098.007 - Additional Local or Domain Groups]] | T1098.007 | Persistence | Windows, macOS, Linux |
| [[t1102-web-service\|T1102 - Web Service]] | T1102 | Command and Control | ESXi, Linux, Windows, macOS |
| [[t1102-001-dead-drop-resolver\|T1102.001 - Dead Drop Resolver]] | T1102.001 | Command and Control | ESXi, Linux, macOS, Windows |
| [[t1102-002-bidirectional-communication\|T1102.002 - Bidirectional Communication]] | T1102.002 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1102-003-one-way-communication\|T1102.003 - One-Way Communication]] | T1102.003 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1104-multi-stage-channels\|T1104 - Multi-Stage Channels]] | T1104 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1105-ingress-tool-transfer\|T1105 - Ingress Tool Transfer]] | T1105 | Command and Control | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1106-native-api\|T1106 - Native API]] | T1106 | Execution | Linux, macOS, Windows |
| [[t1110-brute-force\|T1110 - Brute Force]] | T1110 | Credential Access | Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows |
| [[t1110-001-password-guessing\|T1110.001 - Password Guessing]] | T1110.001 | Credential Access | Windows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, Office Suite, Identity Provider, ESXi |
| [[t1110-002-password-cracking\|T1110.002 - Password Cracking]] | T1110.002 | Credential Access | Linux, macOS, Windows, Network Devices, Office Suite, Identity Provider |
| [[t1110-003-password-spraying\|T1110.003 - Password Spraying]] | T1110.003 | Credential Access | Containers, ESXi, IaaS, Identity Provider, Linux, Network Devices, Office Suite, SaaS, Windows, macOS |
| [[t1110-004-credential-stuffing\|T1110.004 - Credential Stuffing]] | T1110.004 | Credential Access | Windows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, Office Suite, Identity Provider, ESXi |
| [[t1111-multi-factor-authentication-interception\|T1111 - Multi-Factor Authentication Interception]] | T1111 | Credential Access | Linux, Windows, macOS |
| [[t1112-modify-registry\|T1112 - Modify Registry]] | T1112 | Defense Evasion | Windows |
| [[t1113-screen-capture\|T1113 - Screen Capture]] | T1113 | Collection | Linux, Windows, macOS |
| [[t1114-email-collection\|T1114 - Email Collection]] | T1114 | Collection | Windows, macOS, Linux, Office Suite |
| [[t1114-001-local-email-collection\|T1114.001 - Local Email Collection]] | T1114.001 | Collection | Windows |
| [[t1114-002-remote-email-collection\|T1114.002 - Remote Email Collection]] | T1114.002 | Collection | Windows, Office Suite |
| [[t1114-003-email-forwarding-rule\|T1114.003 - Email Forwarding Rule]] | T1114.003 | Collection | Linux, macOS, Office Suite, Windows |
| [[t1115-clipboard-data\|T1115 - Clipboard Data]] | T1115 | Collection | Linux, macOS, Windows |
| [[t1119-automated-collection\|T1119 - Automated Collection]] | T1119 | Collection | IaaS, Linux, macOS, Office Suite, SaaS, Windows |
| [[t1120-peripheral-device-discovery\|T1120 - Peripheral Device Discovery]] | T1120 | Discovery | Linux, Windows, macOS |
| [[t1123-audio-capture\|T1123 - Audio Capture]] | T1123 | Collection | Linux, macOS, Windows |
| [[t1124-system-time-discovery\|T1124 - System Time Discovery]] | T1124 | Discovery | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1125-video-capture\|T1125 - Video Capture]] | T1125 | Collection | Windows, macOS, Linux |
| [[t1127-trusted-developer-utilities-proxy-execution\|T1127 - Trusted Developer Utilities Proxy Execution]] | T1127 | Defense Evasion | Windows |
| [[t1127-001-msbuild\|T1127.001 - MSBuild]] | T1127.001 | Defense Evasion | Windows |
| [[t1127-002-clickonce\|T1127.002 - ClickOnce]] | T1127.002 | Defense Evasion | Windows |
| [[t1127-003-jamplus\|T1127.003 - JamPlus]] | T1127.003 | Defense Evasion | Windows |
| [[t1129-shared-modules\|T1129 - Shared Modules]] | T1129 | Execution | Linux, macOS, Windows |
| [[t1132-data-encoding\|T1132 - Data Encoding]] | T1132 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1132-001-standard-encoding\|T1132.001 - Standard Encoding]] | T1132.001 | Command and Control | ESXi, Linux, Windows, macOS |
| [[t1132-002-non-standard-encoding\|T1132.002 - Non-Standard Encoding]] | T1132.002 | Command and Control | ESXi, Linux, macOS, Windows |
| [[t1133-external-remote-services\|T1133 - External Remote Services]] | T1133 | Persistence | Containers, Linux, macOS, Windows |
| [[t1134-access-token-manipulation\|T1134 - Access Token Manipulation]] | T1134 | Defense Evasion | Windows |
| [[t1134-001-token-impersonationtheft\|T1134.001 - Token Impersonation/Theft]] | T1134.001 | Defense Evasion | Windows |
| [[t1134-002-create-process-with-token\|T1134.002 - Create Process with Token]] | T1134.002 | Defense Evasion | Windows |
| [[t1134-003-make-and-impersonate-token\|T1134.003 - Make and Impersonate Token]] | T1134.003 | Defense Evasion | Windows |
| [[t1134-004-parent-pid-spoofing\|T1134.004 - Parent PID Spoofing]] | T1134.004 | Defense Evasion | Windows |
| [[t1134-005-sid-history-injection\|T1134.005 - SID-History Injection]] | T1134.005 | Defense Evasion | Windows |
| [[t1135-network-share-discovery\|T1135 - Network Share Discovery]] | T1135 | Discovery | Linux, macOS, Windows |
| [[t1136-create-account\|T1136 - Create Account]] | T1136 | Persistence | Windows, IaaS, Linux, macOS, Network Devices, Containers, SaaS, Office Suite, Identity Provider, ESXi |
| [[t1136-001-local-account\|T1136.001 - Local Account]] | T1136.001 | Persistence | Linux, macOS, Windows, Network Devices, Containers, ESXi |
| [[t1136-002-domain-account\|T1136.002 - Domain Account]] | T1136.002 | Persistence | Linux, macOS, Windows |
| [[t1136-003-cloud-account\|T1136.003 - Cloud Account]] | T1136.003 | Persistence | IaaS, SaaS, Office Suite, Identity Provider |
| [[t1137-office-application-startup\|T1137 - Office Application Startup]] | T1137 | Persistence | Windows, Office Suite |
| [[t1137-001-office-template-macros\|T1137.001 - 
Office Templaté Macros]] | T1137.001 | Persistence | Windows, Office Suite | | [[t1137-002-office-test\|T1137.002 - Office Test]] | T1137.002 | Persistence | Windows, Office Suite | | [[t1137-003-outlook-forms\|T1137.003 - Outlook Forms]] | T1137.003 | Persistence | Windows, Office Suite | | [[t1137-004-outlook-home-page\|T1137.004 - Outlook Home Page]] | T1137.004 | Persistence | Windows, Office Suite | | [[t1137-005-outlook-rules\|T1137.005 - Outlook Rules]] | T1137.005 | Persistence | Windows, Office Suite | | [[t1137-006-add-ins\|T1137.006 - Add-ins]] | T1137.006 | Persistence | Windows, Office Suite | | [[t1140-deobfuscate-decode\|T1140 - Deobfuscaté/Decode Files or Information]] | T1140 | Defense Evasion | Windows, macOS, Linux | | [[t1140-deobfuscatedecode-files-or-information\|T1140 - Deobfuscaté/Decode Files or Information]] | T1140 | Defense Evasion | ESXi, Linux, macOS, Windows | | [[t1176-browser-extensions\|T1176 - Browser Extensions]] | T1176 | Persistence | Linux, macOS, Windows | | [[t1176-software-extensions\|T1176 - Software Extensions]] | T1176 | Persistence | Linux, macOS, Windows | | [[t1176-001-browser-extensions\|T1176.001 - Browser Extensions]] | T1176.001 | Persistence | Linux, Windows, macOS | | [[t1176-002-ide-extensions\|T1176.002 - IDE Extensions]] | T1176.002 | Persistence | Linux, macOS, Windows | | [[t1185-browser-session-hijacking\|T1185 - Browser Session Hijacking]] | T1185 | Collection | Windows | | [[t1187-forced-authentication\|T1187 - Forced Authentication]] | T1187 | Credential Access | Windows | | [[t1189-drive-by-compromise\|T1189 - Drive-by Compromise]] | T1189 | Initial Access | Identity Provider, Linux, macOS, Windows | | [[t1190-exploit-public-facing-application\|T1190 - Exploit Public-Facing Application]] | T1190 | Initial Access | Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows | | [[t1195-supply-chain-compromise\|T1195 - Supply Chain Compromise]] | T1195 | Initial Access | Linux, Windows, macOS, SaaS | 
| [[t1195-001-compromise-software-dependencies\|T1195.001 - Compromise Software Dependencies and Development Tools]] | T1195.001 | Initial Access | Windows, Linux, macOS | | [[t1195-001-compromise-software-dependencies-and-development-tools\|T1195.001 - Compromise Software Dependencies and Development Tools]] | T1195.001 | Initial Access | Linux, macOS, Windows | | [[t1195-002-compromise-software-supply-chain\|T1195.002 - Compromise Software Supply Chain]] | T1195.002 | Initial Access | Linux, Windows, macOS | | [[t1195-002-supply-chain-compromise\|T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain]] | T1195.002 | Initial Access | Windows, macOS, Linux | | [[t1195-003-compromise-hardware-supply-chain\|T1195.003 - Compromise Hardware Supply Chain]] | T1195.003 | Initial Access | Linux, macOS, Windows | | [[t1197-bits-jobs\|T1197 - BITS Jobs]] | T1197 | Defense Evasion | Windows | | [[t1199-trusted-relationship\|T1199 - Trusted Relationship]] | T1199 | Initial Access | Windows, SaaS, IaaS, Linux, macOS, Identity Provider, Office Suite | | [[t1200-hardware-additions\|T1200 - Hardware Additions]] | T1200 | Initial Access | Windows, Linux, macOS | | [[t1201-password-policy-discovery\|T1201 - Password Policy Discovery]] | T1201 | Discovery | Windows, Linux, macOS, IaaS, Network Devices, Identity Provider, SaaS, Office Suite | | [[t1202-indirect-command-execution\|T1202 - Indirect Command Execution]] | T1202 | Defense Evasion | Windows | | [[t1203-exploitation-client-execution\|T1203 - Exploitation for Client Execution]] | T1203 | Execution | Windows, macOS, Linux | | [[t1203-exploitation-for-client-execution\|T1203 - Exploitation for Client Execution]] | T1203 | Execution | Linux, macOS, Windows | | [[t1204-user-execution\|T1204 - User Execution]] | T1204 | Execution | Linux, Windows, macOS, IaaS, Containers | | [[t1204-001-malicious-link\|T1204.001 - Malicious Link]] | T1204.001 | Execution | Linux, macOS, Windows | | 
[[t1204-002-malicious-file\|T1204.002 - Malicious File]] | T1204.002 | Execution | Linux, macOS, Windows | | [[t1204-003-malicious-image\|T1204.003 - Malicious Image]] | T1204.003 | Execution | IaaS, Containers | | [[t1204-004-malicious-copy-and-paste\|T1204.004 - Malicious Copy and Paste]] | T1204.004 | Execution | Linux, macOS, Windows | | [[t1204-005-malicious-library\|T1204.005 - Malicious Library]] | T1204.005 | Execution | Linux, macOS, Windows | | [[t1205-traffic-signaling\|T1205 - Traffic Signaling]] | T1205 | Defense Evasion | Linux, macOS, Network Devices, Windows | | [[t1205-001-port-knocking\|T1205.001 - Port Knocking]] | T1205.001 | Defense Evasion | Linux, macOS, Windows, Network Devices | | [[t1205-002-socket-filters\|T1205.002 - Socket Filters]] | T1205.002 | Defense Evasion | Linux, macOS, Windows | | [[t1207-rogue-domain-controller\|T1207 - Rogue Domain Controller]] | T1207 | Defense Evasion | Windows | | [[t1210-exploitation-of-remote-services\|T1210 - Exploitation of Remote Services]] | T1210 | Lateral Movement | Linux, Windows, macOS, ESXi | | [[t1211-exploitation-for-defense-evasion\|T1211 - Exploitation for Defense Evasion]] | T1211 | Defense Evasion | Linux, Windows, macOS, SaaS, IaaS | | [[t1212-exploitation-for-credential-access\|T1212 - Exploitation for Credential Access]] | T1212 | Credential Access | Linux, Windows, macOS, Identity Provider | | [[t1213-data-from-information-repositories\|T1213 - Data from Information Repositories]] | T1213 | Collection | Linux, Windows, macOS, SaaS, IaaS, Office Suite | | [[t1213-001-confluence\|T1213.001 - Confluence]] | T1213.001 | Collection | SaaS | | [[t1213-002-sharepoint\|T1213.002 - Sharepoint]] | T1213.002 | Collection | Windows, Office Suite | | [[t1213-003-code-repositories\|T1213.003 - Code Repositories]] | T1213.003 | Collection | SaaS | | [[t1213-004-customer-relationship-management-software\|T1213.004 - Customer Relationship Management Software]] | T1213.004 | Collection | SaaS | | 
[[t1213-005-messaging-applications\|T1213.005 - Messaging Applications]] | T1213.005 | Collection | SaaS, Office Suite | | [[t1213-006-databases\|T1213.006 - Databases]] | T1213.006 | Collection | Linux, Windows, macOS, IaaS, SaaS | | [[t1216-system-script-proxy-execution\|T1216 - System Script Proxy Execution]] | T1216 | Defense Evasion | Windows | | [[t1216-001-pubprn\|T1216.001 - PubPrn]] | T1216.001 | Defense Evasion | Windows | | [[t1216-002-syncappvpublishingserver\|T1216.002 - SyncAppvPublishingServer]] | T1216.002 | Defense Evasion | Windows | | [[t1217-browser-information-discovery\|T1217 - Browser Information Discovery]] | T1217 | Discovery | Linux, macOS, Windows | | [[t1218-system-binary-proxy-execution\|T1218 - System Binary Proxy Execution]] | T1218 | Defense Evasion | Windows, Linux, macOS | | [[t1218-001-compiled-html-file\|T1218.001 - Compiled HTML File]] | T1218.001 | Defense Evasion | Windows | | [[t1218-002-control-panel\|T1218.002 - Control Panel]] | T1218.002 | Defense Evasion | Windows | | [[t1218-003-cmstp\|T1218.003 - CMSTP]] | T1218.003 | Defense Evasion | Windows | | [[t1218-004-installutil\|T1218.004 - InstallUtil]] | T1218.004 | Defense Evasion | Windows | | [[t1218-005-mshta\|T1218.005 - Mshta]] | T1218.005 | Defense Evasion | Windows | | [[t1218-007-msiexec\|T1218.007 - Msiexec]] | T1218.007 | Defense Evasion | Windows | | [[t1218-008-odbcconf\|T1218.008 - Odbcconf]] | T1218.008 | Defense Evasion | Windows | | [[t1218-009-regsvcsregasm\|T1218.009 - Regsvcs/Regasm]] | T1218.009 | Defense Evasion | Windows | | [[t1218-010-regsvr32\|T1218.010 - Regsvr32]] | T1218.010 | Defense Evasion | Windows | | [[t1218-011-rundll32\|T1218.011 - Rundll32]] | T1218.011 | Defense Evasion | Windows | | [[t1218-012-verclsid\|T1218.012 - Verclsid]] | T1218.012 | Defense Evasion | Windows | | [[t1218-013-mavinject\|T1218.013 - Mavinject]] | T1218.013 | Defense Evasion | Windows | | [[t1218-014-mmc\|T1218.014 - MMC]] | T1218.014 | Defense Evasion | Windows | 
| [[t1218-015-electron-applications\|T1218.015 - Electron Applications]] | T1218.015 | Defense Evasion | Linux, macOS, Windows | | [[t1219-remote-access-tools\|T1219 - Remote Access Tools]] | T1219 | Command and Control | Linux, macOS, Windows | | [[t1219-001-ide-tunneling\|T1219.001 - IDE Tunneling]] | T1219.001 | Command and Control | Linux, macOS, Windows | | [[t1219-002-remote-desktop-software\|T1219.002 - Remote Desktop Software]] | T1219.002 | Command and Control | Linux, macOS, Windows | | [[t1219-003-remote-access-hardware\|T1219.003 - Remote Access Hardware]] | T1219.003 | Command and Control | Linux, macOS, Windows | | [[t1220-xsl-script-processing\|T1220 - XSL Script Processing]] | T1220 | Defense Evasion | Windows | | [[t1221-template-injection\|T1221 - Templaté Injection]] | T1221 | Defense Evasion | Windows | | [[t1222-file-and-directory-permissions-modification\|T1222 - File and Directory Permissions Modification]] | T1222 | Defense Evasion | ESXi, Linux, macOS, Windows | | [[t1222-001-windows-file-and-directory-permissions-modification\|T1222.001 - Windows File and Directory Permissions Modification]] | T1222.001 | Defense Evasion | Windows | | [[t1222-002-linux-and-mac-file-and-directory-permissions-modification\|T1222.002 - Linux and Mac File and Directory Permissions Modification]] | T1222.002 | Defense Evasion | macOS, Linux | | [[t1406-obfuscated-files-or-information\|T1406 - Obfuscated Files or Information]] | T1406 | Defense Evasion | Android, iOS | | [[t1407-download-new-code-at-runtime\|T1407 - Download New Code at Runtime]] | T1407 | Defense Evasion | Android, iOS | | [[t1416-active-application-window\|T1416 - Active Application Window]] | T1416 | Discovery | Android | | [[t1417-input-capture-android\|T1417 - Input Capture (Android)]] | T1417 | Collection | Android, iOS | | [[t1417-002-gui-input-capture\|T1417.002 - Input Capture: GUI Input Capture]] | T1417.002 | Collection | Android, iOS | | [[t1417-002-input-capture\|T1417.002 - Input 
Capture: Keystroke Capture]] | T1417.002 | Collection | Android, iOS | | [[t1422-system-network-configuration-discovery\|T1422 - System Network Configuration Discovery]] | T1422 | Discovery | Android, iOS | | [[t1430-location-tracking\|T1430 - Location Tracking]] | T1430 | Collection | Android, iOS | | [[t1433-access-contact-list\|T1433 - Access Contact List]] | T1433 | Collection | Android, iOS | | [[t1437-application-layer-protocol\|T1437 - Application Layer Protocol]] | T1437 | Command and Control | Android, iOS | | [[t1437-001-web-protocols\|T1437.001 - Application Layer Protocol: Web Protocols]] | T1437.001 | Command and Control | Android, iOS | | [[t1480-execution-guardrails\|T1480 - Execution Guardrails]] | T1480 | Defense Evasion | ESXi, Linux, macOS, Windows | | [[t1480-001-environmental-keying\|T1480.001 - Environmental Keying]] | T1480.001 | Defense Evasion | Linux, Windows, macOS | | [[t1480-002-mutual-exclusion\|T1480.002 - Mutual Exclusion]] | T1480.002 | Defense Evasion | Linux, macOS, Windows | | [[t1482-domain-trust-discovery\|T1482 - Domain Trust Discovery]] | T1482 | Discovery | Windows | | [[t1484-domain-or-tenant-policy-modification\|T1484 - Domain or Tenant Policy Modification]] | T1484 | Defense Evasion | Windows, Identity Provider | | [[t1484-001-group-policy-modification\|T1484.001 - Group Policy Modification]] | T1484.001 | Defense Evasion | Windows | | [[t1484-002-trust-modification\|T1484.002 - Trust Modification]] | T1484.002 | Defense Evasion | Identity Provider, Windows | | [[t1485-data-destruction\|T1485 - Data Destruction]] | T1485 | Impact | Containers, ESXi, IaaS, Linux, macOS, Windows | | [[t1485-001-lifecycle-triggered-deletion\|T1485.001 - Lifecycle-Triggered Deletion]] | T1485.001 | Impact | IaaS | | [[t1486-data-encrypted-for-impact\|T1486 - Data Encrypted for Impact]] | T1486 | Impact | ESXi, IaaS, Linux, macOS, Windows | | [[t1489-service-stop\|T1489 - Service Stop]] | T1489 | Impact | ESXi, IaaS, Linux, macOS, Windows | | 
[[t1490-inhibit-system-recovery\|T1490 - Inhibit System Recovery]] | T1490 | Impact | Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows | | [[t1491-defacement\|T1491 - Defacement]] | T1491 | Impact | Windows, IaaS, Linux, macOS, ESXi | | [[t1491-001-internal-defacement\|T1491.001 - Internal Defacement]] | T1491.001 | Impact | ESXi, Linux, macOS, Windows | | [[t1491-002-external-defacement\|T1491.002 - External Defacement]] | T1491.002 | Impact | Windows, IaaS, Linux, macOS | | [[t1495-firmware-corruption\|T1495 - Firmware Corruption]] | T1495 | Impact | Linux, macOS, Network Devices, Windows | | [[t1496-resource-hijacking\|T1496 - Resource Hijacking]] | T1496 | Impact | Windows, IaaS, Linux, macOS, Containers, SaaS | | [[t1496-001-compute-hijacking\|T1496.001 - Compute Hijacking]] | T1496.001 | Impact | Windows, IaaS, Linux, macOS, Containers | | [[t1496-002-bandwidth-hijacking\|T1496.002 - Bandwidth Hijacking]] | T1496.002 | Impact | Linux, Windows, macOS, IaaS, Containers | | [[t1496-003-sms-pumping\|T1496.003 - SMS Pumping]] | T1496.003 | Impact | SaaS | | [[t1496-004-cloud-service-hijacking\|T1496.004 - Cloud Service Hijacking]] | T1496.004 | Impact | SaaS | | [[t1497-virtualization-evasion\|T1497 - Virtualization/Sandbox Evasion]] | T1497 | Defense Evasion | Windows, macOS, Linux | | [[t1497-virtualizationsandbox-evasion\|T1497 - Virtualization/Sandbox Evasion]] | T1497 | Defense Evasion | Linux, macOS, Windows | | [[t1497-001-system-checks\|T1497.001 - System Checks]] | T1497.001 | Defense Evasion | Linux, macOS, Windows | | [[t1497-002-user-activity-based-checks\|T1497.002 - User Activity Based Checks]] | T1497.002 | Defense Evasion | Linux, Windows, macOS | | [[t1497-003-time-based-checks\|T1497.003 - Time Based Checks]] | T1497.003 | Defense Evasion | Linux, macOS, Windows | | [[t1498-network-denial-of-service\|T1498 - Network Denial of Service]] | T1498 | Impact | Windows, IaaS, Linux, macOS, Containers | | 
[[t1498-001-direct-network-flood\|T1498.001 - Direct Network Flood]] | T1498.001 | Impact | Windows, IaaS, Linux, macOS | | [[t1498-002-reflection-amplification\|T1498.002 - Reflection Amplification]] | T1498.002 | Impact | Windows, IaaS, Linux, macOS | | [[t1499-endpoint-denial-of-service\|T1499 - Endpoint Denial of Service]] | T1499 | Impact | Windows, Linux, macOS, Containers, IaaS | | [[t1499-001-os-exhaustion-flood\|T1499.001 - OS Exhaustion Flood]] | T1499.001 | Impact | Linux, macOS, Windows | | [[t1499-002-service-exhaustion-flood\|T1499.002 - Service Exhaustion Flood]] | T1499.002 | Impact | Windows, IaaS, Linux, macOS | | [[t1499-003-application-exhaustion-flood\|T1499.003 - Application Exhaustion Flood]] | T1499.003 | Impact | Windows, IaaS, Linux, macOS | | [[t1499-004-application-or-system-exploitation\|T1499.004 - Application or System Exploitation]] | T1499.004 | Impact | Windows, IaaS, Linux, macOS | | [[t1505-server-software-component\|T1505 - Server Software Component]] | T1505 | Persistence | Windows, Linux, macOS, Network Devices, ESXi | | [[t1505-001-sql-stored-procedures\|T1505.001 - SQL Stored Procedures]] | T1505.001 | Persistence | Windows, Linux | | [[t1505-002-transport-agent\|T1505.002 - Agente de Transporte]] | T1505.002 | Persistence | Linux, Windows | | [[t1505-003-web-shell\|T1505.003 - Server Software Component: Web Shell]] | T1505.003 | Persistence | Windows, Linux, macOS, Network | | [[t1505-004-iis-components\|T1505.004 - IIS Components]] | T1505.004 | Persistence | Windows | | [[t1505-005-terminal-services-dll\|T1505.005 - Terminal Services DLL]] | T1505.005 | Persistence | Windows | | [[t1505-006-vsphere-installation-bundles\|T1505.006 - vSphere Installation Bundles]] | T1505.006 | Persistence | ESXi | | [[t1508-suppress-application-icon\|T1508 - Suppress Application Icon]] | T1508 | Defense Evasion | Android | | [[t1513-screen-capture\|T1513 - Screen Capture]] | T1513 | Collection | Android, iOS | | 
[[t1518-software-discovery\|T1518 - Software Discovery]] | T1518 | Discovery | ESXi, IaaS, Linux, macOS, Windows | | [[t1518-001-security-software-discovery\|T1518.001 - Security Software Discovery]] | T1518.001 | Discovery | IaaS, Linux, macOS, Windows | | [[t1518-002-backup-software-discovery\|T1518.002 - Backup Software Discovery]] | T1518.002 | Discovery | Windows, macOS, Linux | | [[t1521-encrypted-channel\|T1521 - Encrypted Channel]] | T1521 | Command and Control | Android, iOS | | [[t1521-001-web-protocols\|T1521.001 - Encrypted Channel: Web Protocols]] | T1521.001 | Command and Control | Android, iOS | | [[t1525-implant-internal-image\|T1525 - Implant Internal Image]] | T1525 | Persistence | IaaS, Containers | | [[t1526-cloud-service-discovery\|T1526 - Cloud Service Discovery]] | T1526 | Discovery | IaaS, Identity Provider, Office Suite, SaaS | | [[t1528-steal-application-access-token\|T1528 - Steal Application Access Token]] | T1528 | Credential Access | SaaS, Containers, IaaS, Office Suite, Identity Provider | | [[t1529-system-shutdownreboot\|T1529 - System Shutdown/Reboot]] | T1529 | Impact | ESXi, Linux, macOS, Network Devices, Windows | | [[t1530-data-from-cloud-storage\|T1530 - Data from Cloud Storage]] | T1530 | Collection | IaaS, Office Suite, SaaS | | [[t1531-account-access-removal\|T1531 - Account Access Removal]] | T1531 | Impact | Linux, macOS, Windows, SaaS, IaaS, Office Suite, ESXi | | [[t1533-data-from-local-system\|T1533 - Data from Local System]] | T1533 | Collection | Android, iOS | | [[t1534-internal-spearphishing\|T1534 - Internal Spearphishing]] | T1534 | Lateral Movement | Windows, macOS, Linux, SaaS, Office Suite | | [[t1535-unusedunsupported-cloud-regions\|T1535 - Unused/Unsupported Cloud Regions]] | T1535 | Defense Evasion | IaaS | | [[t1537-transfer-data-to-cloud-account\|T1537 - Transfer Data to Cloud Account]] | T1537 | Exfiltration | IaaS, Office Suite, SaaS | | [[t1538-cloud-service-dashboard\|T1538 - Cloud Service Dashboard]] 
| T1538 | Discovery | IaaS, SaaS, Office Suite, Identity Provider | | [[t1539-steal-web-session-cookie\|T1539 - Steal Web Session Cookie]] | T1539 | Credential Access | Linux, Office Suite, SaaS, Windows, macOS | | [[t1542-pre-os-boot\|T1542 - Pre-OS Boot]] | T1542 | Defense Evasion | Linux, Network Devices, Windows, macOS | | [[t1542-001-system-firmware\|T1542.001 - Firmware do Sistema]] | T1542.001 | Persistence | Windows, Network Devices | | [[t1542-002-component-firmware\|T1542.002 - Component Firmware]] | T1542.002 | Persistence | Windows, Linux, macOS | | [[t1542-003-bootkit\|T1542.003 - Pre-OS Boot: Bootkit]] | T1542.003 | Persistence | Windows, Linux | | [[t1542-004-rommonkit\|T1542.004 - ROMMONkit]] | T1542.004 | Defense Evasion | Network Devices | | [[t1542-005-tftp-boot\|T1542.005 - TFTP Boot]] | T1542.005 | Defense Evasion | Network Devices | | [[t1543-create-or-modify-system-process\|T1543 - Creaté or Modify System Process]] | T1543 | Persistence | Windows, macOS, Linux, Containers | | [[t1543-001-launch-agent\|T1543.001 - Launch Agent]] | T1543.001 | Persistence | macOS | | [[t1543-002-systemd-service\|T1543.002 - Systemd Service]] | T1543.002 | Persistence | Linux | | [[t1543-003-windows-service\|T1543.003 - Windows Service]] | T1543.003 | Persistence | Windows | | [[t1543-004-launch-daemon\|T1543.004 - Launch Daemon]] | T1543.004 | Persistence | macOS | | [[t1543-005-container-service\|T1543.005 - Container Service]] | T1543.005 | Persistence | Containers | | [[t1546-event-triggered-execution\|T1546 - Event Triggered Execution]] | T1546 | Privilege Escalation | Linux, macOS, Windows, SaaS, IaaS, Office Suite | | [[t1546-001-change-default-file-association\|T1546.001 - Change Default File Association]] | T1546.001 | Privilege Escalation | Windows | | [[t1546-002-screensaver\|T1546.002 - Screensaver]] | T1546.002 | Privilege Escalation | Windows | | 
[[ttp/techniques/persistence/t1546-003-windows-management-instrumentation-event-subscription.md\|T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription]] | T1546.003 | Persistence | Windows | | [[ttp/techniques/privilege-escalation/t1546-003-windows-management-instrumentation-event-subscription.md\|T1546.003 - Windows Management Instrumentation Event Subscription]] | T1546.003 | Privilege Escalation | Windows | | [[t1546-004-unix-shell-configuration-modification\|T1546.004 - Unix Shell Configuration Modification]] | T1546.004 | Privilege Escalation | Linux, macOS | | [[t1546-005-trap\|T1546.005 - Trap]] | T1546.005 | Privilege Escalation | macOS, Linux | | [[t1546-006-lcloaddylib-addition\|T1546.006 - LC_LOAD_DYLIB Addition]] | T1546.006 | Privilege Escalation | macOS | | [[t1546-007-netsh-helper-dll\|T1546.007 - Netsh Helper DLL]] | T1546.007 | Privilege Escalation | Windows | | [[t1546-008-accessibility-features\|T1546.008 - Accessibility Features]] | T1546.008 | Privilege Escalation | Windows | | [[t1546-009-appcert-dlls\|T1546.009 - AppCert DLLs]] | T1546.009 | Privilege Escalation | Windows | | [[t1546-010-appinit-dlls\|T1546.010 - AppInit DLLs]] | T1546.010 | Privilege Escalation | Windows | | [[t1546-011-application-shimming\|T1546.011 - Application Shimming]] | T1546.011 | Privilege Escalation | Windows | | [[t1546-012-image-file-execution-options-injection\|T1546.012 - Image File Execution Options Injection]] | T1546.012 | Privilege Escalation | Windows | | [[t1546-013-powershell-profile\|T1546.013 - PowerShell Profile]] | T1546.013 | Privilege Escalation | Windows | | [[ttp/techniques/persistence/t1546-014-emond.md\|T1546.014 - Event Triggered Execution: Emond]] | T1546.014 | Persistence | macOS | | [[ttp/techniques/privilege-escalation/t1546-014-emond.md\|T1546.014 - Emond]] | T1546.014 | Privilege Escalation | macOS | | [[ttp/techniques/persistence/t1546-015-component-object-model-hijacking.md\|T1546.015 - Event 
Triggered Execution: Component Object Model Hijacking]] | T1546.015 | Persistence | Windows | | [[ttp/techniques/privilege-escalation/t1546-015-component-object-model-hijacking.md\|T1546.015 - Component Object Model Hijacking]] | T1546.015 | Privilege Escalation | Windows | | [[t1546-016-installer-packages\|T1546.016 - Installer Packages]] | T1546.016 | Privilege Escalation | Linux, Windows, macOS | | [[t1546-017-udev-rules\|T1546.017 - Udev Rules]] | T1546.017 | Persistence | Linux | | [[t1546-018-python-startup-hooks\|T1546.018 - Python Startup Hooks]] | T1546.018 | Persistence | Linux, macOS, Windows | | [[t1547-boot-logon-autostart-execution\|T1547 - Boot or Logon Autostart Execution]] | T1547 | Persistence | Windows, macOS, Linux | | [[t1547-boot-or-logon-autostart-execution\|T1547 - Boot or Logon Autostart Execution]] | T1547 | Persistence | Windows, macOS, Linux, Network Devices | | [[t1547-001-registry-run-keys-startup-folder\|T1547.001 - Registry Run Keys / Startup Folder]] | T1547.001 | Persistence | Windows | | [[t1547-001-registry-run-keys\|T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys]] | T1547.001 | Persistence | Windows | | [[t1547-002-authentication-package\|T1547.002 - Authentication Package]] | T1547.002 | Persistence | Windows | | [[t1547-003-time-providers\|T1547.003 - Time Providers]] | T1547.003 | Persistence | Windows | | [[t1547-004-winlogon-helper-dll\|T1547.004 - Winlogon Helper DLL]] | T1547.004 | Persistence | Windows | | [[t1547-005-security-support-provider\|T1547.005 - Security Support Provider]] | T1547.005 | Persistence | Windows | | [[t1547-006-kernel-modules-and-extensions\|T1547.006 - Kernel Modules and Extensions]] | T1547.006 | Persistence | macOS, Linux | | [[t1547-007-re-opened-applications\|T1547.007 - Re-opened Applications]] | T1547.007 | Persistence | macOS | | [[t1547-008-lsass-driver\|T1547.008 - LSASS Driver]] | T1547.008 | Persistence | Windows | | [[t1547-009-shortcut-modification\|T1547.009 - 
Shortcut Modification]] | T1547.009 | Persistence | Windows | | [[t1547-010-port-monitors\|T1547.010 - Port Monitors]] | T1547.010 | Persistence | Windows | | [[t1547-012-print-processors\|T1547.012 - Print Processors]] | T1547.012 | Persistence | Windows | | [[t1547-013-xdg-autostart-entries\|T1547.013 - XDG Autostart Entries]] | T1547.013 | Persistence | Linux | | [[t1547-014-active-setup\|T1547.014 - Active Setup]] | T1547.014 | Persistence | Windows | | [[t1547-015-login-items\|T1547.015 - Login Items]] | T1547.015 | Persistence | macOS | | [[t1548-abuse-elevation-control-mechanism\|T1548 - Abuse Elevation Control Mechanism]] | T1548 | Privilege Escalation | Linux, macOS, Windows, IaaS, Office Suite, Identity Provider | | [[t1548-001-setuid-and-setgid\|T1548.001 - Setuid and Setgid]] | T1548.001 | Privilege Escalation | Linux, macOS | | [[t1548-002-bypass-uac\|T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control]] | T1548.002 | Privilege Escalation | Windows | | [[t1548-002-bypass-user-account-control\|T1548.002 - Bypass User Account Control]] | T1548.002 | Privilege Escalation | Windows | | [[t1548-003-sudo-and-sudo-caching\|T1548.003 - Sudo and Sudo Caching]] | T1548.003 | Privilege Escalation | Linux, macOS | | [[t1548-004-elevated-execution-with-prompt\|T1548.004 - Elevated Execution with Prompt]] | T1548.004 | Privilege Escalation | macOS | | [[t1548-005-temporary-elevated-cloud-access\|T1548.005 - Temporary Elevated Cloud Access]] | T1548.005 | Privilege Escalation | IaaS, Office Suite, Identity Provider | | [[t1548-006-tcc-manipulation\|T1548.006 - TCC Manipulation]] | T1548.006 | Defense Evasion | macOS | | [[t1550-use-alternate-authentication-material\|T1550 - Use Alternaté Authentication Material]] | T1550 | Defense Evasion | Windows, SaaS, IaaS, Containers, Identity Provider, Office Suite, Linux | | [[t1550-001-app-access-token\|T1550.001 - Use Alternaté Authentication Material: Application Access Token]] | T1550.001 | Defense 
Evasion / Lateral Movement | SaaS, Office 365, Google Workspace, Azure AD | | [[t1550-001-application-access-token\|T1550.001 - Application Access Token]] | T1550.001 | Defense Evasion | SaaS, Containers, IaaS, Office Suite, Identity Provider | | [[t1550-002-pass-the-hash\|T1550.002 - Pass the Hash]] | T1550.002 | Defense Evasion | Windows | | [[t1550-003-pass-the-ticket\|T1550.003 - Pass the Ticket]] | T1550.003 | Defense Evasion | Windows | | [[t1550-004-web-session-cookie\|T1550.004 - Web Session Cookie]] | T1550.004 | Defense Evasion | SaaS, IaaS, Office Suite | | [[t1552-unsecured-credentials\|T1552 - Unsecured Credentials]] | T1552 | Credential Access | Windows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, Office Suite, Identity Provider | | [[t1552-001-credentials-in-files\|T1552.001 - Credentials In Files]] | T1552.001 | Credential Access | Containers, IaaS, Linux, macOS, Windows | | [[t1552-002-credentials-in-registry\|T1552.002 - Credentials in Registry]] | T1552.002 | Credential Access | Windows | | [[t1552-003-shell-history\|T1552.003 - Shell History]] | T1552.003 | Credential Access | Linux, macOS, Windows | | [[t1552-004-private-keys\|T1552.004 - Private Keys]] | T1552.004 | Credential Access | Linux, macOS, Network Devices, Windows | | [[t1552-005-cloud-instance-metadata-api\|T1552.005 - Cloud Instance Metadata API]] | T1552.005 | Credential Access | IaaS | | [[t1552-006-group-policy-preferences\|T1552.006 - Group Policy Preferences]] | T1552.006 | Credential Access | Windows | | [[t1552-007-container-api\|T1552.007 - Container API]] | T1552.007 | Credential Access | Containers | | [[t1552-008-chat-messages\|T1552.008 - Chat Messages]] | T1552.008 | Credential Access | SaaS, Office Suite | | [[t1553-subvert-trust-controls\|T1553 - Subvert Trust Controls]] | T1553 | Defense Evasion | Windows, macOS, Linux | | [[t1553-001-gatekeeper-bypass\|T1553.001 - Gatekeeper Bypass]] | T1553.001 | Defense Evasion | macOS | | 
| [[t1553-002-code-signing\|T1553.002 - Code Signing]] | T1553.002 | Defense Evasion | macOS, Windows |
| [[t1553-003-sip-and-trust-provider-hijacking\|T1553.003 - SIP and Trust Provider Hijacking]] | T1553.003 | Defense Evasion | Windows |
| [[t1553-004-install-root-certificate\|T1553.004 - Install Root Certificate]] | T1553.004 | Defense Evasion | Linux, macOS, Windows |
| [[t1553-005-mark-of-the-web-bypass\|T1553.005 - Mark-of-the-Web Bypass]] | T1553.005 | Defense Evasion | Windows |
| [[t1553-006-code-signing-policy-modification\|T1553.006 - Code Signing Policy Modification]] | T1553.006 | Defense Evasion | Windows, macOS |
| [[t1554-compromise-host-software-binary\|T1554 - Compromise Host Software Binary]] | T1554 | Persistence | Linux, macOS, Windows, ESXi |
| [[t1555-credentials-from-password-stores\|T1555 - Credentials from Password Stores]] | T1555 | Credential Access | IaaS, Linux, macOS, Windows |
| [[t1555-001-keychain\|T1555.001 - Keychain]] | T1555.001 | Credential Access | macOS |
| [[t1555-002-securityd-memory\|T1555.002 - Securityd Memory]] | T1555.002 | Credential Access | Linux, macOS |
| [[t1555-003-credentials-from-web-browsers\|T1555.003 - Credentials from Web Browsers]] | T1555.003 | Credential Access | Linux, macOS, Windows |
| [[t1555-004-windows-credential-manager\|T1555.004 - Windows Credential Manager]] | T1555.004 | Credential Access | Windows |
| [[t1555-005-password-managers\|T1555.005 - Password Managers]] | T1555.005 | Credential Access | Linux, macOS, Windows |
| [[t1555-006-cloud-secrets-management-stores\|T1555.006 - Cloud Secrets Management Stores]] | T1555.006 | Credential Access | IaaS |
| [[t1556-modify-authentication-process\|T1556 - Modify Authentication Process]] | T1556 | Credential Access | Windows, Linux, macOS, Network Devices, IaaS, SaaS, Office Suite, Identity Provider |
| [[t1556-001-domain-controller-authentication\|T1556.001 - Domain Controller Authentication]] | T1556.001 | Credential Access | Windows |
| [[t1556-002-password-filter-dll\|T1556.002 - Password Filter DLL]] | T1556.002 | Credential Access | Windows |
| [[t1556-003-pluggable-authentication-modules\|T1556.003 - Pluggable Authentication Modules]] | T1556.003 | Credential Access | Linux, macOS |
| [[t1556-004-network-device-authentication\|T1556.004 - Network Device Authentication]] | T1556.004 | Credential Access | Network Devices |
| [[t1556-005-reversible-encryption\|T1556.005 - Reversible Encryption]] | T1556.005 | Credential Access | Windows |
| [[t1556-006-multi-factor-authentication\|T1556.006 - Multi-Factor Authentication]] | T1556.006 | Credential Access | Windows, SaaS, IaaS, Linux, macOS, Office Suite, Identity Provider |
| [[t1556-007-hybrid-identity\|T1556.007 - Hybrid Identity]] | T1556.007 | Credential Access | Windows, SaaS, IaaS, Office Suite, Identity Provider |
| [[t1556-008-network-provider-dll\|T1556.008 - Network Provider DLL]] | T1556.008 | Credential Access | Windows |
| [[t1556-009-conditional-access-policies\|T1556.009 - Conditional Access Policies]] | T1556.009 | Credential Access | IaaS, Identity Provider |
| [[t1557-adversary-in-the-middle\|T1557 - Adversary-in-the-Middle]] | T1557 | Credential Access | Linux, macOS, Network Devices, Windows |
| [[t1557-001-llmnrnbt-ns-poisoning-and-smb-relay\|T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay]] | T1557.001 | Credential Access | Windows |
| [[t1557-002-arp-cache-poisoning\|T1557.002 - ARP Cache Poisoning]] | T1557.002 | Credential Access | Linux, Windows, macOS |
| [[t1557-003-dhcp-spoofing\|T1557.003 - DHCP Spoofing]] | T1557.003 | Credential Access | Linux, Windows, macOS |
| [[t1557-004-evil-twin\|T1557.004 - Evil Twin]] | T1557.004 | Credential Access | Network Devices |
| [[t1558-steal-or-forge-kerberos-tickets\|T1558 - Steal or Forge Kerberos Tickets]] | T1558 | Credential Access | Windows, Linux, macOS |
| [[t1558-001-golden-ticket\|T1558.001 - Golden Ticket]] | T1558.001 | Credential Access | Windows |
| [[t1558-002-silver-ticket\|T1558.002 - Silver Ticket]] | T1558.002 | Credential Access | Windows |
| [[t1558-003-kerberoasting\|T1558.003 - Kerberoasting]] | T1558.003 | Credential Access | Windows |
| [[t1558-004-as-rep-roasting\|T1558.004 - AS-REP Roasting]] | T1558.004 | Credential Access | Windows |
| [[t1558-005-ccache-files\|T1558.005 - Ccache Files]] | T1558.005 | Credential Access | Linux, macOS |
| [[t1559-inter-process-communication\|T1559 - Inter-Process Communication]] | T1559 | Execution | Linux, macOS, Windows |
| [[t1559-001-component-object-model\|T1559.001 - Component Object Model]] | T1559.001 | Execution | Windows |
| [[t1559-002-dynamic-data-exchange\|T1559.002 - Inter-Process Communication: Dynamic Data Exchange]] | T1559.002 | Execution | Windows |
| [[t1559-003-xpc-services\|T1559.003 - XPC Services]] | T1559.003 | Execution | macOS |
| [[t1560-archive-collected-data\|T1560 - Archive Collected Data]] | T1560 | Collection | Linux, macOS, Windows |
| [[t1560-001-archive-via-utility\|T1560.001 - Archive via Utility]] | T1560.001 | Collection | Linux, macOS, Windows |
| [[t1560-002-archive-via-library\|T1560.002 - Archive via Library]] | T1560.002 | Collection | Linux, macOS, Windows |
| [[t1560-003-archive-via-custom-method\|T1560.003 - Archive via Custom Method]] | T1560.003 | Collection | Linux, macOS, Windows |
| [[t1561-disk-wipe\|T1561 - Disk Wipe]] | T1561 | Impact | Windows, Linux, macOS |
| [[t1561-001-disk-content-wipe\|T1561.001 - Disk Wipe: Disk Content Wipe]] | T1561.001 | Impact | Windows, Linux, macOS |
| [[t1561-002-disk-structure-wipe\|T1561.002 - Disk Structure Wipe]] | T1561.002 | Impact | Linux, macOS, Windows, Network Devices |
| [[t1562-impair-defenses\|T1562 - Impair Defenses]] | T1562 | Defense Evasion | Windows, IaaS, Linux, macOS, Containers, Network Devices, Identity Provider, Office Suite, ESXi |
| [[t1562-001-disable-or-modify-tools\|T1562.001 - Disable or Modify Tools]] | T1562.001 | Defense Evasion | Containers, IaaS, Linux, macOS, Network Devices, Windows |
| [[t1562-001-disable-tools\|T1562.001 - Disable or Modify Tools]] | T1562.001 | Defense Evasion | Windows, macOS, Linux |
| [[t1562-001-impair-defenses-disable-or-modify-tools\|T1562.001 - Impair Defenses: Disable or Modify Tools]] | T1562.001 | Defense Evasion | Windows, Linux, macOS |
| [[t1562-002-disable-windows-event-logging\|T1562.002 - Disable Windows Event Logging]] | T1562.002 | Defense Evasion | Windows |
| [[t1562-003-impair-command-history-logging\|T1562.003 - Impair Command History Logging]] | T1562.003 | Defense Evasion | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1562-004-disable-or-modify-system-firewall\|T1562.004 - Disable or Modify System Firewall]] | T1562.004 | Defense Evasion | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1562-006-indicator-blocking\|T1562.006 - Indicator Blocking]] | T1562.006 | Defense Evasion | Windows, macOS, Linux, ESXi |
| [[t1562-007-disable-or-modify-cloud-firewall\|T1562.007 - Disable or Modify Cloud Firewall]] | T1562.007 | Defense Evasion | IaaS |
| [[t1562-008-disable-or-modify-cloud-logs\|T1562.008 - Disable or Modify Cloud Logs]] | T1562.008 | Defense Evasion | IaaS, SaaS, Office Suite, Identity Provider |
| [[t1562-009-safe-mode-boot\|T1562.009 - Safe Mode Boot]] | T1562.009 | Defense Evasion | Windows |
| [[t1562-010-downgrade-attack\|T1562.010 - Downgrade Attack]] | T1562.010 | Defense Evasion | Windows, Linux, macOS |
| [[t1562-011-spoof-security-alerting\|T1562.011 - Spoof Security Alerting]] | T1562.011 | Defense Evasion | Windows, macOS, Linux |
| [[t1562-012-disable-or-modify-linux-audit-system\|T1562.012 - Disable or Modify Linux Audit System]] | T1562.012 | Defense Evasion | Linux |
| [[t1562-013-disable-or-modify-network-device-firewall\|T1562.013 - Disable or Modify Network Device Firewall]] | T1562.013 | Defense Evasion | Network Devices |
| [[t1563-remote-service-session-hijacking\|T1563 - Remote Service Session Hijacking]] | T1563 | Lateral Movement | Linux, macOS, Windows |
| [[t1563-001-ssh-hijacking\|T1563.001 - SSH Hijacking]] | T1563.001 | Lateral Movement | Linux, macOS |
| [[t1563-002-rdp-hijacking\|T1563.002 - RDP Hijacking]] | T1563.002 | Lateral Movement | Windows |
| [[t1564-hide-artifacts\|T1564 - Hide Artifacts]] | T1564 | Defense Evasion | Linux, Office Suite, Windows, macOS, ESXi |
| [[t1564-001-hidden-files-and-directories\|T1564.001 - Hidden Files and Directories]] | T1564.001 | Defense Evasion | Linux, Windows, macOS |
| [[t1564-002-hidden-users\|T1564.002 - Hidden Users]] | T1564.002 | Defense Evasion | macOS, Windows, Linux |
| [[t1564-003-hidden-window\|T1564.003 - Hidden Window]] | T1564.003 | Defense Evasion | Linux, macOS, Windows |
| [[t1564-004-ntfs-file-attributes\|T1564.004 - NTFS File Attributes]] | T1564.004 | Defense Evasion | Windows |
| [[t1564-005-hidden-file-system\|T1564.005 - Hidden File System]] | T1564.005 | Defense Evasion | Linux, macOS, Windows |
| [[t1564-006-run-virtual-instance\|T1564.006 - Run Virtual Instance]] | T1564.006 | Defense Evasion | Linux, macOS, Windows, ESXi |
| [[t1564-007-vba-stomping\|T1564.007 - VBA Stomping]] | T1564.007 | Defense Evasion | Linux, Windows, macOS |
| [[t1564-008-email-hiding-rules\|T1564.008 - Email Hiding Rules]] | T1564.008 | Defense Evasion | Windows, Linux, macOS, Office Suite |
| [[t1564-009-resource-forking\|T1564.009 - Resource Forking]] | T1564.009 | Defense Evasion | macOS |
| [[t1564-010-process-argument-spoofing\|T1564.010 - Process Argument Spoofing]] | T1564.010 | Defense Evasion | Windows |
| [[t1564-011-ignore-process-interrupts\|T1564.011 - Ignore Process Interrupts]] | T1564.011 | Defense Evasion | Linux, macOS, Windows |
| [[t1564-012-filepath-exclusions\|T1564.012 - File/Path Exclusions]] | T1564.012 | Defense Evasion | Linux, macOS, Windows |
| [[t1564-013-bind-mounts\|T1564.013 - Bind Mounts]] | T1564.013 | Defense Evasion | Linux |
| [[t1564-014-extended-attributes\|T1564.014 - Extended Attributes]] | T1564.014 | Defense Evasion | Linux, macOS |
| [[t1565-data-manipulation\|T1565 - Data Manipulation]] | T1565 | Impact | Linux, macOS, Windows |
| [[t1565-001-stored-data-manipulation\|T1565.001 - Stored Data Manipulation]] | T1565.001 | Impact | Linux, macOS, Windows |
| [[t1565-002-transmitted-data-manipulation\|T1565.002 - Transmitted Data Manipulation]] | T1565.002 | Impact | Linux, macOS, Windows |
| [[t1565-003-runtime-data-manipulation\|T1565.003 - Runtime Data Manipulation]] | T1565.003 | Impact | Linux, macOS, Windows |
| [[t1566-phishing\|T1566 - Phishing]] | T1566 | Initial Access | Identity Provider, Linux, macOS, Office Suite, SaaS, Windows |
| [[t1566-001-spearphishing-attachment\|T1566.001 - Spearphishing Attachment]] | T1566.001 | Initial Access | Linux, macOS, Windows |
| [[t1566-002-spearphishing-link\|T1566.002 - Spearphishing Link]] | T1566.002 | Initial Access | Identity Provider, Linux, macOS, Office Suite, SaaS, Windows |
| [[t1566-003-spearphishing-via-service\|T1566.003 - Spearphishing via Service]] | T1566.003 | Initial Access | Linux, macOS, Windows |
| [[t1566-004-spearphishing-voice\|T1566.004 - Spearphishing Voice]] | T1566.004 | Initial Access | Linux, macOS, Windows, Identity Provider |
| [[t1567-exfiltration-over-web-service\|T1567 - Exfiltration Over Web Service]] | T1567 | Exfiltration | ESXi, Linux, macOS, Office Suite, SaaS, Windows |
| [[t1567-001-exfiltration-to-code-repository\|T1567.001 - Exfiltration to Code Repository]] | T1567.001 | Exfiltration | Linux, macOS, Windows, ESXi |
| [[t1567-002-exfiltration-cloud-storage\|T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage]] | T1567.002 | Exfiltration | Windows, Linux, macOS, ESXi |
| [[t1567-002-exfiltration-to-cloud-storage\|T1567.002 - Exfiltration to Cloud Storage]] | T1567.002 | Exfiltration | ESXi, Linux, macOS, Windows |
| [[t1567-003-exfiltration-to-text-storage-sites\|T1567.003 - Exfiltration to Text Storage Sites]] | T1567.003 | Exfiltration | Linux, macOS, Windows, ESXi |
| [[t1567-004-exfiltration-over-webhook\|T1567.004 - Exfiltration Over Webhook]] | T1567.004 | Exfiltration | Windows, macOS, Linux, SaaS, Office Suite, ESXi |
| [[t1568-dynamic-resolution\|T1568 - Dynamic Resolution]] | T1568 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1568-001-fast-flux-dns\|T1568.001 - Fast Flux DNS]] | T1568.001 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1568-002-domain-generation-algorithms\|T1568.002 - Domain Generation Algorithms]] | T1568.002 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1568-003-dns-calculation\|T1568.003 - DNS Calculation]] | T1568.003 | Command and Control | Linux, macOS, Windows, ESXi |
| [[t1569-system-services\|T1569 - System Services]] | T1569 | Execution | Windows, macOS, Linux |
| [[t1569-001-launchctl\|T1569.001 - Launchctl]] | T1569.001 | Execution | macOS |
| [[t1569-002-service-execution\|T1569.002 - Service Execution]] | T1569.002 | Execution | Windows |
| [[t1569-003-systemctl\|T1569.003 - Systemctl]] | T1569.003 | Execution | Linux |
| [[t1570-lateral-tool-transfer\|T1570 - Lateral Tool Transfer]] | T1570 | Lateral Movement | ESXi, Linux, macOS, Windows |
| [[t1571-non-standard-port\|T1571 - Non-Standard Port]] | T1571 | Command and Control | ESXi, Linux, macOS, Windows |
| [[t1572-protocol-tunneling\|T1572 - Protocol Tunneling]] | T1572 | Command and Control | ESXi, Linux, macOS, Windows |
| [[t1573-encrypted-channel\|T1573 - Encrypted Channel]] | T1573 | Command and Control | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1573-symmetric-cryptography\|T1573 - Encrypted Channel (Mobile)]] | T1573 | Command and Control | Android, iOS |
| [[t1573-001-symmetric-cryptography\|T1573.001 - Encrypted Channel: Symmetric Cryptography]] | T1573.001 | Command and Control | Android, iOS, Windows, Linux, macOS |
| [[t1573-002-asymmetric-cryptography\|T1573.002 - Asymmetric Cryptography]] | T1573.002 | Command and Control | ESXi, Linux, macOS, Network Devices, Windows |
| [[t1574-hijack-execution-flow\|T1574 - Hijack Execution Flow]] | T1574 | Persistence | Linux, macOS, Windows |
| [[t1574-001-dll\|T1574.001 - DLL]] | T1574.001 | Persistence | Windows |
| [[t1574-002-dll-side-loading\|T1574.002 - Hijack Execution Flow: DLL Side-Loading]] | T1574.002 | Defense Evasion | Windows |
| [[t1574-004-dylib-hijacking\|T1574.004 - Dylib Hijacking]] | T1574.004 | Persistence | macOS |
| [[t1574-005-executable-installer-file-permissions-weakness\|T1574.005 - Executable Installer File Permissions Weakness]] | T1574.005 | Persistence | Windows |
| [[t1574-006-dynamic-linker-hijacking\|T1574.006 - Dynamic Linker Hijacking]] | T1574.006 | Persistence | Linux, macOS |
| [[t1574-007-path-interception-by-path-environment-variable\|T1574.007 - Path Interception by PATH Environment Variable]] | T1574.007 | Persistence | Windows, macOS, Linux |
| [[t1574-008-path-interception-by-search-order-hijacking\|T1574.008 - Path Interception by Search Order Hijacking]] | T1574.008 | Persistence | Windows |
| [[t1574-009-path-interception-by-unquoted-path\|T1574.009 - Path Interception by Unquoted Path]] | T1574.009 | Persistence | Windows |
| [[t1574-010-services-file-permissions-weakness\|T1574.010 - Services File Permissions Weakness]] | T1574.010 | Persistence | Windows |
| [[t1574-011-services-registry-permissions-weakness\|T1574.011 - Services Registry Permissions Weakness]] | T1574.011 | Persistence | Windows |
| [[t1574-012-corprofiler\|T1574.012 - COR_PROFILER]] | T1574.012 | Persistence | Windows |
| [[t1574-013-kernelcallbacktable\|T1574.013 - KernelCallbackTable]] | T1574.013 | Persistence | Windows |
| [[t1574-014-appdomainmanager\|T1574.014 - AppDomainManager]] | T1574.014 | Persistence | Windows |
| [[t1578-modify-cloud-compute-infrastructure\|T1578 - Modify Cloud Compute Infrastructure]] | T1578 | Defense Evasion | IaaS |
| [[t1578-001-create-snapshot\|T1578.001 - Create Snapshot]] | T1578.001 | Defense Evasion | IaaS |
| [[t1578-002-create-cloud-instance\|T1578.002 - Create Cloud Instance]] | T1578.002 | Defense Evasion | IaaS |
| [[t1578-003-delete-cloud-instance\|T1578.003 - Delete Cloud Instance]] | T1578.003 | Defense Evasion | IaaS |
| [[t1578-004-revert-cloud-instance\|T1578.004 - Revert Cloud Instance]] | T1578.004 | Defense Evasion | IaaS |
| [[t1578-005-modify-cloud-compute-configurations\|T1578.005 - Modify Cloud Compute Configurations]] | T1578.005 | Defense Evasion | IaaS |
| [[t1580-cloud-infrastructure-discovery\|T1580 - Cloud Infrastructure Discovery]] | T1580 | Discovery | IaaS |
| [[t1582-sms-control\|T1582 - SMS Control]] | T1582 | Impact | Android, iOS |
| [[t1583-acquire-infrastructure\|T1583 - Acquire Infrastructure]] | T1583 | Resource Development | PRE |
| [[t1583-001-domains\|T1583.001 - Domains]] | T1583.001 | Resource Development | PRE |
| [[t1583-002-dns-server\|T1583.002 - DNS Server]] | T1583.002 | Resource Development | PRE |
| [[t1583-003-virtual-private-server\|T1583.003 - Virtual Private Server]] | T1583.003 | Resource Development | PRE |
| [[t1583-004-server\|T1583.004 - Server]] | T1583.004 | Resource Development | PRE |
| [[t1583-005-botnet\|T1583.005 - Botnet]] | T1583.005 | Resource Development | PRE |
| [[t1583-006-web-services\|T1583.006 - Web Services]] | T1583.006 | Resource Development | PRE |
| [[t1583-007-serverless\|T1583.007 - Serverless]] | T1583.007 | Resource Development | PRE |
| [[t1583-008-malvertising\|T1583.008 - Malvertising]] | T1583.008 | Resource Development | PRE |
| [[t1584-compromise-infrastructure\|T1584 - Compromise Infrastructure]] | T1584 | Resource Development | PRE |
| [[t1584-001-domains\|T1584.001 - Domains]] | T1584.001 | Resource Development | PRE |
| [[t1584-002-dns-server\|T1584.002 - DNS Server]] | T1584.002 | Resource Development | PRE |
| [[t1584-003-virtual-private-server\|T1584.003 - Virtual Private Server]] | T1584.003 | Resource Development | PRE |
| [[t1584-004-server\|T1584.004 - Server]] | T1584.004 | Resource Development | PRE |
| [[t1584-005-botnet\|T1584.005 - Botnet]] | T1584.005 | Resource Development | PRE |
| [[t1584-006-web-services\|T1584.006 - Web Services]] | T1584.006 | Resource Development | PRE |
| [[t1584-007-serverless\|T1584.007 - Serverless]] | T1584.007 | Resource Development | PRE |
| [[t1584-008-network-devices\|T1584.008 - Network Devices]] | T1584.008 | Resource Development | PRE |
| [[t1585-establish-accounts\|T1585 - Establish Accounts]] | T1585 | Resource Development | PRE |
| [[t1585-001-social-media-accounts\|T1585.001 - Social Media Accounts]] | T1585.001 | Resource Development | PRE |
| [[t1585-002-email-accounts\|T1585.002 - Email Accounts]] | T1585.002 | Resource Development | PRE |
| [[t1585-003-cloud-accounts\|T1585.003 - Cloud Accounts]] | T1585.003 | Resource Development | PRE |
| [[t1586-compromise-accounts\|T1586 - Compromise Accounts]] | T1586 | Resource Development | PRE |
| [[t1586-001-social-media-accounts\|T1586.001 - Social Media Accounts]] | T1586.001 | Resource Development | PRE |
| [[t1586-002-email-accounts\|T1586.002 - Email Accounts]] | T1586.002 | Resource Development | PRE |
| [[t1586-003-cloud-accounts\|T1586.003 - Cloud Accounts]] | T1586.003 | Resource Development | PRE |
| [[t1587-develop-capabilities\|T1587 - Develop Capabilities]] | T1587 | Resource Development | PRE |
| [[t1587-001-malware\|T1587.001 - Malware]] | T1587.001 | Resource Development | PRE |
| [[t1587-002-code-signing-certificates\|T1587.002 - Code Signing Certificates]] | T1587.002 | Resource Development | PRE |
| [[t1587-003-digital-certificates\|T1587.003 - Digital Certificates]] | T1587.003 | Resource Development | PRE |
| [[t1587-004-exploits\|T1587.004 - Exploits]] | T1587.004 | Resource Development | PRE |
| [[t1588-obtain-capabilities\|T1588 - Obtain Capabilities]] | T1588 | Resource Development | PRE |
| [[t1588-001-malware\|T1588.001 - Malware]] | T1588.001 | Resource Development | PRE |
| [[t1588-002-tool\|T1588.002 - Tool]] | T1588.002 | Resource Development | PRE |
| [[t1588-003-code-signing-certificates\|T1588.003 - Code Signing Certificates]] | T1588.003 | Resource Development | PRE |
| [[t1588-004-digital-certificates\|T1588.004 - Digital Certificates]] | T1588.004 | Resource Development | PRE |
| [[t1588-005-exploits\|T1588.005 - Exploits]] | T1588.005 | Resource Development | PRE |
| [[t1588-006-vulnerabilities\|T1588.006 - Vulnerabilities]] | T1588.006 | Resource Development | PRE |
| [[t1588-007-artificial-intelligence\|T1588.007 - Artificial Intelligence]] | T1588.007 | Resource Development | PRE |
| [[t1589-gather-victim-identity-information\|T1589 - Gather Victim Identity Information]] | T1589 | Reconnaissance | PRE |
| [[t1589-001-credentials\|T1589.001 - Credentials]] | T1589.001 | Reconnaissance | PRE |
| [[t1589-002-email-addresses\|T1589.002 - Email Addresses]] | T1589.002 | Reconnaissance | PRE |
| [[t1589-003-employee-names\|T1589.003 - Employee Names]] | T1589.003 | Reconnaissance | PRE |
| [[t1590-gather-victim-network-information\|T1590 - Gather Victim Network Information]] | T1590 | Reconnaissance | PRE |
| [[t1590-001-domain-properties\|T1590.001 - Domain Properties]] | T1590.001 | Reconnaissance | PRE |
| [[t1590-002-dns\|T1590.002 - DNS]] | T1590.002 | Reconnaissance | PRE |
| [[t1590-003-network-trust-dependencies\|T1590.003 - Network Trust Dependencies]] | T1590.003 | Reconnaissance | PRE |
| [[t1590-004-network-topology\|T1590.004 - Network Topology]] | T1590.004 | Reconnaissance | PRE |
| [[t1590-005-ip-addresses\|T1590.005 - IP Addresses]] | T1590.005 | Reconnaissance | PRE |
| [[t1590-006-network-security-appliances\|T1590.006 - Network Security Appliances]] | T1590.006 | Reconnaissance | PRE |
| [[t1591-gather-victim-org-information\|T1591 - Gather Victim Org Information]] | T1591 | Reconnaissance | PRE |
| [[t1591-001-determine-physical-locations\|T1591.001 - Determine Physical Locations]] | T1591.001 | Reconnaissance | PRE |
| [[t1591-002-business-relationships\|T1591.002 - Business Relationships]] | T1591.002 | Reconnaissance | PRE |
| [[t1591-003-identify-business-tempo\|T1591.003 - Identify Business Tempo]] | T1591.003 | Reconnaissance | PRE |
| [[t1591-004-identify-roles\|T1591.004 - Identify Roles]] | T1591.004 | Reconnaissance | PRE |
| [[t1592-gather-victim-host-information\|T1592 - Gather Victim Host Information]] | T1592 | Reconnaissance | PRE |
| [[t1592-001-hardware\|T1592.001 - Hardware]] | T1592.001 | Reconnaissance | PRE |
| [[t1592-002-software\|T1592.002 - Software]] | T1592.002 | Reconnaissance | PRE |
| [[t1592-003-firmware\|T1592.003 - Firmware]] | T1592.003 | Reconnaissance | PRE |
| [[t1592-004-client-configurations\|T1592.004 - Client Configurations]] | T1592.004 | Reconnaissance | PRE |
| [[t1593-search-open-websitesdomains\|T1593 - Search Open Websites/Domains]] | T1593 | Reconnaissance | PRE |
| [[t1593-001-social-media\|T1593.001 - Social Media]] | T1593.001 | Reconnaissance | PRE |
| [[t1593-002-search-engines\|T1593.002 - Search Engines]] | T1593.002 | Reconnaissance | PRE |
| [[t1593-003-code-repositories\|T1593.003 - Code Repositories]] | T1593.003 | Reconnaissance | PRE |
| [[t1594-search-victim-owned-websites\|T1594 - Search Victim-Owned Websites]] | T1594 | Reconnaissance | PRE |
| [[t1595-active-scanning\|T1595 - Active Scanning]] | T1595 | Reconnaissance | PRE |
| [[t1595-001-scanning-ip-blocks\|T1595.001 - Scanning IP Blocks]] | T1595.001 | Reconnaissance | PRE |
| [[t1595-002-vulnerability-scanning\|T1595.002 - Vulnerability Scanning]] | T1595.002 | Reconnaissance | PRE |
| [[t1595-003-wordlist-scanning\|T1595.003 - Wordlist Scanning]] | T1595.003 | Reconnaissance | PRE |
| [[t1596-search-open-technical-databases\|T1596 - Search Open Technical Databases]] | T1596 | Reconnaissance | PRE |
| [[t1596-001-dnspassive-dns\|T1596.001 - DNS/Passive DNS]] | T1596.001 | Reconnaissance | PRE |
| [[t1596-002-whois\|T1596.002 - WHOIS]] | T1596.002 | Reconnaissance | PRE |
| [[t1596-003-digital-certificates\|T1596.003 - Digital Certificates]] | T1596.003 | Reconnaissance | PRE |
| [[t1596-004-cdns\|T1596.004 - CDNs]] | T1596.004 | Reconnaissance | PRE |
| [[t1596-005-scan-databases\|T1596.005 - Scan Databases]] | T1596.005 | Reconnaissance | PRE |
| [[t1597-search-closed-sources\|T1597 - Search Closed Sources]] | T1597 | Reconnaissance | PRE |
| [[t1597-001-threat-intel-vendors\|T1597.001 - Threat Intel Vendors]] | T1597.001 | Reconnaissance | PRE |
| [[t1597-002-purchase-technical-data\|T1597.002 - Purchase Technical Data]] | T1597.002 | Reconnaissance | PRE |
| [[t1598-phishing-for-information\|T1598 - Phishing for Information]] | T1598 | Reconnaissance | PRE |
| [[t1598-001-spearphishing-service\|T1598.001 - Spearphishing Service]] | T1598.001 | Reconnaissance | PRE |
| [[t1598-002-spearphishing-attachment\|T1598.002 - Spearphishing Attachment]] | T1598.002 | Reconnaissance | PRE |
| [[t1598-003-spearphishing-link\|T1598.003 - Spearphishing Link]] | T1598.003 | Reconnaissance | PRE |
| [[t1598-004-spearphishing-voice\|T1598.004 - Spearphishing Voice]] | T1598.004 | Reconnaissance | PRE |
| [[t1599-network-boundary-bridging\|T1599 - Network Boundary Bridging]] | T1599 | Defense Evasion | Network Devices |
| [[t1599-001-network-address-translation-traversal\|T1599.001 - Network Address Translation Traversal]] | T1599.001 | Defense Evasion | Network Devices |
| [[t1600-weaken-encryption\|T1600 - Weaken Encryption]] | T1600 | Defense Evasion | Network Devices |
| [[t1600-001-reduce-key-space\|T1600.001 - Reduce Key Space]] | T1600.001 | Defense Evasion | Network Devices |
| [[t1600-002-disable-crypto-hardware\|T1600.002 - Disable Crypto Hardware]] | T1600.002 | Defense Evasion | Network Devices |
| [[t1601-modify-system-image\|T1601 - Modify System Image]] | T1601 | Defense Evasion | Network Devices |
| [[t1601-001-patch-system-image\|T1601.001 - Patch System Image]] | T1601.001 | Defense Evasion | Network Devices |
| [[t1601-002-downgrade-system-image\|T1601.002 - Downgrade System Image]] | T1601.002 | Defense Evasion | Network Devices |
| [[t1602-data-from-configuration-repository\|T1602 - Data from Configuration Repository]] | T1602 | Collection | Network Devices |
| [[t1602-001-snmp-mib-dump\|T1602.001 - SNMP (MIB Dump)]] | T1602.001 | Collection | Network Devices |
| [[t1602-002-network-device-configuration-dump\|T1602.002 - Network Device Configuration Dump]] | T1602.002 | Collection | Network Devices |
| [[t1606-forge-web-credentials\|T1606 - Forge Web Credentials]] | T1606 | Credential Access | SaaS, Windows, macOS, Linux, IaaS, Office Suite, Identity Provider |
| [[t1606-001-web-cookies\|T1606.001 - Web Cookies]] | T1606.001 | Credential Access | Linux, macOS, Windows, SaaS, IaaS |
| [[t1606-002-saml-tokens\|T1606.002 - SAML Tokens]] | T1606.002 | Credential Access | SaaS, Windows, IaaS, Office Suite, Identity Provider |
| [[t1608-stage-capabilities\|T1608 - Stage Capabilities]] | T1608 | Resource Development | PRE |
| [[t1608-001-upload-malware\|T1608.001 - Upload Malware]] | T1608.001 | Resource Development | PRE |
| [[t1608-002-upload-tool\|T1608.002 - Upload Tool]] | T1608.002 | Resource Development | PRE |
| [[t1608-003-install-digital-certificate\|T1608.003 - Install Digital Certificate]] | T1608.003 | Resource Development | PRE |
| [[t1608-004-drive-by-target\|T1608.004 - Drive-by Target]] | T1608.004 | Resource Development | PRE |
| [[t1608-005-link-target\|T1608.005 - Link Target]] | T1608.005 | Resource Development | PRE |
| [[t1608-006-seo-poisoning\|T1608.006 - Stage Capabilities: SEO Poisoning]] | T1608.006 | Resource Development | Windows, Linux, macOS |
| [[t1609-container-administration-command\|T1609 - Container Administration Command]] | T1609 | Execution | Containers |
| [[t1610-deploy-container\|T1610 - Deploy Container]] | T1610 | Defense Evasion | Containers |
| [[t1611-escape-to-host\|T1611 - Escape to Host]] | T1611 | Privilege Escalation | Windows, Linux, Containers, ESXi |
| [[t1612-build-image-on-host\|T1612 - Build Image on Host]] | T1612 | Defense Evasion | Containers |
| [[t1613-container-and-resource-discovery\|T1613 - Container and Resource Discovery]] | T1613 | Discovery | Containers |
| [[t1614-system-location-discovery\|T1614 - System Location Discovery]] | T1614 | Discovery | IaaS, Linux, macOS, Windows |
| [[t1614-001-system-language-discovery\|T1614.001 - System Language Discovery]] | T1614.001 | Discovery | Linux, macOS, Windows |
| [[t1615-group-policy-discovery\|T1615 - Group Policy Discovery]] | T1615 | Discovery | Windows |
| [[t1619-cloud-storage-object-discovery\|T1619 - Cloud Storage Object Discovery]] | T1619 | Discovery | IaaS |
| [[t1620-reflective-code-loading\|T1620 - Reflective Code Loading]] | T1620 | Defense Evasion | Linux, macOS, Windows |
| [[t1621-multi-factor-authentication-request-generation\|T1621 - Multi-Factor Authentication Request Generation]] | T1621 | Credential Access | Windows, Linux, macOS, IaaS, SaaS, Office Suite, Identity Provider |
| [[t1622-debugger-evasion\|T1622 - Debugger Evasion]] | T1622 | Defense Evasion | Linux, macOS, Windows |
| [[t1636-contact-list\|T1636 - Collection (Contact List)]] | T1636 | Collection | Android, iOS |
| [[t1636-004-sms-messages\|T1636.004 - Collection: SMS Messages]] | T1636.004 | Collection | Android, iOS |
| [[t1638-system-information-discovery\|T1638 - System Information Discovery]] | T1638 | Collection | Android, iOS |
| [[t1647-plist-file-modification\|T1647 - Plist File Modification]] | T1647 | Defense Evasion | macOS |
| [[t1648-serverless-execution\|T1648 - Serverless Execution]] | T1648 | Execution | SaaS, IaaS, Office Suite |
| [[t1649-steal-or-forge-authentication-certificates\|T1649 - Steal or Forge Authentication Certificates]] | T1649 | Credential Access | Windows, Linux, macOS, Identity Provider |
| [[t1650-acquire-access\|T1650 - Acquire Access]] | T1650 | Resource Development | PRE |
| [[t1651-cloud-administration-command\|T1651 - Cloud Administration Command]] | T1651 | Execution | IaaS |
| [[t1652-device-driver-discovery\|T1652 - Device Driver Discovery]] | T1652 | Discovery | Linux, macOS, Windows |
| [[t1653-power-settings\|T1653 - Power Settings]] | T1653 | Persistence | Windows, Linux, macOS, Network Devices |
| [[t1654-log-enumeration\|T1654 - Log Enumeration]] | T1654 | Discovery | ESXi, IaaS, Linux, macOS, Windows |
| [[t1655-hide-artifacts-android\|T1655 - Hide Artifacts (Android)]] | T1655 | Defense Evasion | Android |
| [[t1656-impersonation\|T1656 - Impersonation]] | T1656 | Defense Evasion | Linux, macOS, Office Suite, SaaS, Windows |
| [[t1657-financial-theft\|T1657 - Financial Theft]] | T1657 | Impact | Linux, macOS, Office Suite, SaaS, Windows |
| [[t1659-content-injection\|T1659 - Content Injection]] | T1659 | Initial Access | Linux, macOS, Windows |
| [[t1665-hide-infrastructure\|T1665 - Hide Infrastructure]] | T1665 | Command and Control | ESXi, Linux, Network Devices, Windows, macOS |
| [[t1666-modify-cloud-resource-hierarchy\|T1666 - Modify Cloud Resource Hierarchy]] | T1666 | Defense Evasion | IaaS |
| [[t1667-email-bombing\|T1667 - Email Bombing]] | T1667 | Impact | Linux, Office Suite, Windows, macOS |
| [[t1668-exclusive-control\|T1668 - Exclusive Control]] | T1668 | Persistence | Linux, macOS, Windows |
| [[t1669-wi-fi-networks\|T1669 - Wi-Fi Networks]] | T1669 | Initial Access | Linux, Network Devices, Windows, macOS |
| [[ttp/techniques/execution/t1671-cloud-application-integration.md\|T1671 - Cloud Application Integration]] | T1671 | Execution | SaaS, IaaS, Office Suite |
| [[ttp/techniques/persistence/t1671-cloud-application-integration.md\|T1671 - Cloud Application Integration]] | T1671 | Persistence | Office Suite, SaaS |
| [[t1672-email-spoofing\|T1672 - Email Spoofing]] | T1672 | Defense Evasion | Office Suite, Windows, macOS, Linux |
| [[t1673-virtual-machine-discovery\|T1673 - Virtual Machine Discovery]] | T1673 | Discovery | ESXi, Linux, macOS, Windows |
| [[t1674-input-injection\|T1674 - Input Injection]] | T1674 | Execution | Windows, macOS, Linux |
| [[t1675-esxi-administration-command\|T1675 - ESXi Administration Command]] | T1675 | Execution | ESXi |
| [[t1677-poisoned-pipeline-execution\|T1677 - Poisoned Pipeline Execution]] | T1677 | Execution | SaaS |
| [[t1678-delay-execution\|T1678 - Delay Execution]] | T1678 | Defense Evasion | Linux, macOS, Windows |
| [[t1679-selective-exclusion\|T1679 - Selective Exclusion]] | T1679 | Defense Evasion | Windows |
| [[t1680-local-storage-discovery\|T1680 - Local Storage Discovery]] | T1680 | Discovery | ESXi, IaaS, Linux, macOS, Windows |
| [[t1681-search-threat-vendor-data\|T1681 - Search Threat Vendor Data]] | T1681 | Reconnaissance | PRE |
<!-- SerializedQuery END -->

### Most Used Techniques in LATAM

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Note", mitre-id AS "ID", mitre-tactic AS "Tactic", join(platforms, ", ") AS "Platforms", join(used-by, ", ") AS "Used by"
FROM "ttp/techniques"
WHERE contains(tags, "latam-relevant")
SORT file.mtime DESC
LIMIT 20
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Note", mitre-id AS "ID", mitre-tactic AS "Tactic", join(platforms, ", ") AS "Platforms", join(used-by, ", ") AS "Used by" FROM "ttp/techniques" WHERE contains(tags, "latam-relevant") SORT file.mtime DESC LIMIT 20 -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Note", mitre-id AS "ID", mitre-tactic AS "Tactic", join(platforms, ", ") AS "Platforms", join(used-by, ", ") AS "Used by" FROM "ttp/techniques" WHERE contains(tags, "latam-relevant") SORT file.mtime DESC LIMIT 20 -->
| Note | ID | Tactic | Platforms | Used by |
| ---- | -- | ------ | --------- | ------- |
| [[t1547-001-registry-run-keys\|T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys]] | T1547.001 | Persistence | Windows | [[g0032-lazarus-group\|Lazarus Group]], [[s0531-grandoreiro\|Grandoreiro]], [[cti/groups/qilin.md\|Qilin]] |
| [[t1027-obfuscated-files\|T1027 - Obfuscated Files or Information]] | T1027 | Defense Evasion | Windows, Linux, macOS | [[g0016-apt29\|Cozy Bear]], [[g0032-lazarus-group\|Lazarus Group]], [[s0531-grandoreiro\|Grandoreiro Operators]], [[lockbit\|LockBit Operators]], [[g0050-apt32\|APT32]], [[g0046-fin7\|FIN7]] |
<!-- SerializedQuery END -->

---

## Section 3 - Procedures

**Procedures** are the specific, observed implementations of techniques in real attacks. They are the most granular level of the ATT&CK model and represent the "behavioral signature" of an adversary group: while several groups may use technique T1566 (Phishing), each group has a distinct procedure - the email format, the lure file, the payload delivery chain.
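To make the technique/procedure distinction concrete in detection terms, here is an added example (written for this page, not vault code) that runs a technique-level rule and a procedure-level rule over constructed Sysmon-style image-load events. The procedure signature (a legitimate `OneDriveStandaloneUpdater.exe` loading `vcruntime140.dll` or `version.dll` from outside the Windows system directories) is taken from the DLL side-loading procedure documented in the tip further down this section; the event format, every file path and the three other events are assumptions made up for the demonstration.

```python
"""Technique-level vs procedure-level detection over constructed image-load events.

Added example for this page, not code from the vault. SAMPLE_EVENTS imitate the
fields of a Sysmon Event ID 7 (Image loaded) record but are constructed, not
captured telemetry. The procedure signature (host binary and DLL names) comes
from the VENON DLL side-loading procedure described on this page; every file
path below is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "c:\\users\\public\\")

# Procedure signature taken from the page's description (note id assumed from the page's link).
PROC_ID = "proc-venon-dll-sideloading"
PROC_HOST_BINARIES = {"onedrivestandaloneupdater.exe"}
PROC_DLL_NAMES = {"vcruntime140.dll", "version.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # full path of the process that mapped the DLL
    image_loaded: str  # full path of the DLL that was mapped
    signed: bool       # Sysmon "Signed" field: Authenticode signature validated


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def technique_rule(ev: ImageLoad) -> bool:
    """T1574.002 heuristic: an unsigned DLL mapped from a user-writable directory.
    Broad by design, so it also fires on plenty of legitimate software."""
    return not ev.signed and is_user_writable(ev.image_loaded)


def procedure_rule(ev: ImageLoad) -> bool:
    """Procedure-level rule: the named host binary maps one of the named DLLs
    from anywhere other than the Windows system directories."""
    return (
        basename(ev.image) in PROC_HOST_BINARIES
        and basename(ev.image_loaded) in PROC_DLL_NAMES
        and not is_system_path(ev.image_loaded)
    )


def evaluate(events: Iterable[ImageLoad]) -> dict:
    """Map each rule name to the DLL paths it fired on, in event order."""
    hits = {"T1574.002": [], PROC_ID: []}
    for ev in events:
        if technique_rule(ev):
            hits["T1574.002"].append(ev.image_loaded)
        if procedure_rule(ev):
            hits[PROC_ID].append(ev.image_loaded)
    return hits


# Constructed events: the documented procedure, a legitimate updater run,
# unrelated software loading its own unsigned helper, and a system DLL load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Roaming\OneDriveUpd\OneDriveStandaloneUpdater.exe",
              r"C:\Users\alice\AppData\Roaming\OneDriveUpd\vcruntime140.dll", signed=False),
    ImageLoad(r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe",
              r"C:\Windows\System32\vcruntime140.dll", signed=True),
    ImageLoad(r"C:\Users\bob\AppData\Local\Programs\devtool\devtool.exe",
              r"C:\Users\bob\AppData\Local\Programs\devtool\helper.dll", signed=False),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\version.dll", signed=True),
]

if __name__ == "__main__":
    for rule, paths in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(paths)} hit(s)")
        for path in paths:
            print("    ", path)
```

Run it directly to print the hits of both rules. The technique rule fires on two of the four events, including the unrelated developer tool loading its own unsigned helper; the procedure rule fires only on the one event that reproduces the documented procedure. That difference is what the procedure level buys a detection engineer: the host binary name, the DLL names and the load location are the details that separate one actor's implementation from every other use of T1574.002.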
Documenting procedures is fundamental to defense because:

- They allow highly specific behavioral detections (fewer false positives)
- They reveal operational patterns that persist even when the tooling changes
- They support attribution based on technical evidence
- They feed Sigma rules, YARA rules and threat hunting playbooks with real-world data

> [!tip] Procedures vs Techniques
> **Technique:** T1574.002 - DLL Side-Loading (any use of this method)
> **Procedure:** [[proc-venon-dll-sideloading]] - VENON uses DLL side-loading via `OneDriveStandaloneUpdater.exe` (legitimate) + `vcruntime140.dll` (malicious) + `version.dll` to maintain persistence, executed via a scheduled task created in `%APPDATA%\Microsoft\Windows\Start Menu`

### Tactic → Technique → Procedure → Actor Relationship

```mermaid
graph TD
    T["🎯 Tactic<br/>Adversary objective<br/>e.g. Initial Access"]
    TE["⚙️ Technique<br/>Method used to reach the objective<br/>e.g. T1566 - Phishing"]
    P1["📋 Procedure A<br/>Specific implementation<br/>e.g. Grandoreiro phishing via fake PIX"]
    P2["📋 Procedure B<br/>Specific implementation<br/>e.g. APT28 NATO spearphishing MSHTML"]
    A1["👤 Actor<br/>Grandoreiro Operators"]
    A2["👤 Actor<br/>Fancy Bear"]

    T --> TE
    TE --> P1
    TE --> P2
    P1 --> A1
    P2 --> A2

    classDef tactic fill:#1a3a5c,color:#fff,stroke:#2980b9
    classDef technique fill:#1a5c3a,color:#fff,stroke:#27ae60
    classDef proc fill:#5c3a1a,color:#fff,stroke:#e67e22
    classDef actor fill:#5c1a1a,color:#fff,stroke:#e74c3c
    class T tactic
    class TE technique
    class P1,P2 proc
    class A1,A2 actor
```

### Procedures Documented in the Vault

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Note", related-technique AS "Technique", join(related-actors, ", ") AS "Actor(s)", join(related-campaigns, ", ") AS "Campaign(s)"
FROM "ttp/techniques"
WHERE type = "procedure"
SORT file.name ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Note", related-technique AS "Technique", join(related-actors, ", ") AS "Actor(s)", join(related-campaigns, ", ") AS "Campaign(s)" FROM "ttp/techniques" WHERE type = "procedure" SORT file.name ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Note", related-technique AS "Technique", join(related-actors, ", ") AS "Actor(s)", join(related-campaigns, ", ") AS "Campaign(s)" FROM "ttp/techniques" WHERE type = "procedure" SORT file.name ASC -->
| Note | Technique | Actor(s) | Campaign(s) |
| ---- | --------- | -------- | ----------- |
<!-- SerializedQuery END -->

> [!abstract] Where to find more procedures
> Specific procedures are also documented in the [[_groups|Threat Actors]] notes ("Detailed TTPs" section), in the [[_campaigns|Campaigns]] notes ("Attack Chain" section) and in the [[_playbooks|Incident Response Playbooks]] ("Behavioral Indicators" section). The dedicated notes kept here (`PROC-*.md`) are reserved for the most complex and best-documented procedures, each with its own sequence diagram.

---

*To correlate techniques with threat actors, see [[_groups|Threat Actors]]. For detections, Sigma/YARA rules and mitigations, open each technique note individually.*

---

## Associated Defenses

| Section | Notes | Description |
|---------|-------|-------------|
| [[_mitigations\|Mitigations]] | 44 | M-series controls that prevent ATT&CK techniques |
| [[_detections\|Detections]] | 2,536 | Analytics, data components and detection strategies |
| [[_data-sources\|Data Sources]] | 33 | DS-series telemetry that feeds detections |
| [[_defenses\|Defenses Hub]] | - | Integrated defensive overview |

---

**Navigation:** [[_techniques|Techniques]] · [[_tactics|Tactics]] · [[_procedures|Procedures]] · [[_cti|CTI Hub]]