SMB/Windows Admin Shares
SMB/Windows Admin Shares (T1021.002) is a MITRE ATT&CK technique associated with Lateral Movement. Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
MITRE ATT&CK
A reviewed, source-linked view of MITRE ATT&CK techniques across enterprise tactics, platforms, detections, investigations, and mitigations.
Distributed Component Object Model (T1021.003) is a MITRE ATT&CK technique associated with Lateral Movement. Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM).
SSH (T1021.004) is a MITRE ATT&CK technique associated with Lateral Movement. Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH).
VNC (T1021.005) is a MITRE ATT&CK technique associated with Lateral Movement. Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC).
Windows Remote Management (T1021.006) is a MITRE ATT&CK technique associated with Lateral Movement. Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM).
Cloud Services (T1021.007) is a MITRE ATT&CK technique associated with Lateral Movement. Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities.
Direct Cloud VM Connections (T1021.008) is a MITRE ATT&CK technique associated with Lateral Movement. Adversaries may leverage Valid Accounts to log directly into accessible cloud-hosted compute infrastructure through cloud-native methods.
Data from Removable Media (T1025) is a MITRE ATT&CK technique associated with Collection. Adversaries may search connected removable media on computers they have compromised to find files of interest.
Obfuscated Files or Information (T1027) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Binary Padding (T1027.001) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
Software Packing (T1027.002) is a MITRE ATT&CK technique associated with Stealth. Adversaries may perform software packing or virtual machine software protection to conceal their code.
Steganography (T1027.003) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use steganography techniques in order to prevent the detection of hidden information.
Compile After Delivery (T1027.004) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code.
Indicator Removal from Tools (T1027.005) is a MITRE ATT&CK technique associated with Stealth. Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed.
HTML Smuggling (T1027.006) is a MITRE ATT&CK technique associated with Stealth. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
Dynamic API Resolution (T1027.007) is a MITRE ATT&CK technique associated with Stealth. Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis.
Stripped Payloads (T1027.008) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human-readable information.
Embedded Payloads (T1027.009) is a MITRE ATT&CK technique associated with Stealth. Adversaries may embed payloads within other files to conceal malicious content from defenses.
Command Obfuscation (T1027.010) is a MITRE ATT&CK technique associated with Stealth. Adversaries may obfuscate content during command execution to impede detection.
Fileless Storage (T1027.011) is a MITRE ATT&CK technique associated with Stealth. Adversaries may store data in "fileless" formats to conceal malicious activity from defenses.
LNK Icon Smuggling (T1027.012) is a MITRE ATT&CK technique associated with Stealth. Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files.
Encrypted/Encoded File (T1027.013) is a MITRE ATT&CK technique associated with Stealth. Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection.
Polymorphic Code (T1027.014) is a MITRE ATT&CK technique associated with Stealth. Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection.
Compression (T1027.015) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use compression to obfuscate their payloads or files.
Junk Code Insertion (T1027.016) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use junk code / dead code to obfuscate a malware's functionality.
SVG Smuggling (T1027.017) is a MITRE ATT&CK technique associated with Stealth. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files. SVGs, or Scalable Vector Graphics, are vector-based image files constr…
Invisible Unicode (T1027.018) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, or text.
Scheduled Transfer (T1029) is a MITRE ATT&CK technique associated with Exfiltration. Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals.
Data Transfer Size Limits (T1030) is a MITRE ATT&CK technique associated with Exfiltration. An adversary may exfiltrate data in fixed-size chunks instead of whole files or limit packet sizes below certain thresholds.
System Owner/User Discovery (T1033) is a MITRE ATT&CK technique associated with Discovery. Adversaries may attempt to identify the primary user, currently logged-in user, set of users that commonly use a system, or whether a user is actively using the system.