From 5ad469d6e794e20358490c6015307f33df8903e8 Mon Sep 17 00:00:00 2001 From: maride Date: Tue, 3 Feb 2026 18:58:42 +0100 Subject: [PATCH] Add support for MITRE ATT&CK --- README.md | 1 + addons/addons.typ | 1 + addons/mitre.typ | 15 + extern/README.md | 21 + extern/mitre-attack.json | 4177 ++++++++++++++++++++++++++++++++++++++ findings.typ | 5 +- pages/mgmtsum.typ | 10 +- 7 files changed, 4228 insertions(+), 2 deletions(-) create mode 100644 addons/mitre.typ create mode 100644 extern/README.md create mode 100644 extern/mitre-attack.json diff --git a/README.md b/README.md index 1d13772..a3be822 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Penetration Test report template written in [typst](https://typst.app). - Easy to use, handles the formatting and typesetting hassle for you - as well as all those text you copy-paste anyway - Supports [CVSS V3.1](https://www.first.org/cvss/v3-1/) - Supports [TLP V2.0](https://www.first.org/tlp/) +- Supports [MITRE ATT&CK](https://attack.mitre.org/) references ## Usage diff --git a/addons/addons.typ b/addons/addons.typ index 4ffea2d..a0677d7 100644 --- a/addons/addons.typ +++ b/addons/addons.typ @@ -1,3 +1,4 @@ #import "cia.typ" #import "cvss.typ" +#import "mitre.typ" #import "tlp.typ" \ No newline at end of file diff --git a/addons/mitre.typ b/addons/mitre.typ new file mode 100644 index 0000000..fbecc0a --- /dev/null +++ b/addons/mitre.typ @@ -0,0 +1,15 @@ +#let isUsed = state("mitreIsUsed", false) +#let mitreData = json("../extern/mitre-attack.json") + +#let reference(name: str, id: str) = { + let elem = mitreData.find(d => d.name == name or d.id == id) + if elem == none { + panic("Referenced MITRE ATT&CK attack pattern, but it couldn't be found: id=" + str(id) + ", name=" + str(name)) + } + + text([ + _#elem.name _ (#elem.id)#footnote(elem.url) + ]) + + context(isUsed.update(true)) +} diff --git a/extern/README.md b/extern/README.md new file mode 100644 index 0000000..1284c42 --- /dev/null +++ b/extern/README.md 
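Review bot: The lookup in `reference` (addons/mitre.typ) matches on `d.name == name or d.id == id` and takes the first hit, but technique names are not unique in the bundled data file: "Bootkit" appears as both T1067 and T1542.003, and "Spearphishing Link" as T1192, T1566.002 and T1598.003. A name-only reference therefore resolves to whichever entry comes first in the JSON, and a call that passes a name and an ID belonging to different techniques is accepted silently, so a report can cite a technique ID the author did not intend. I would resolve by ID when one is given, fall back to the name otherwise, and panic unless exactly one entry matches. The sketch below keeps the signature, tells "no ID passed" apart by checking `type(id) == str`, and assumes IDs are unique in the data file.

```typst
#let reference(name: str, id: str) = {
  // An explicit ID is unambiguous; fall back to the name only when no ID was passed.
  let matches = if type(id) == str {
    mitreData.filter(d => d.id == id)
  } else {
    mitreData.filter(d => d.name == name)
  }
  // Refuse ambiguous or missing references instead of silently citing the first match.
  if matches.len() != 1 {
    panic("MITRE ATT&CK reference matched " + str(matches.len()) + " entries, expected exactly one: id=" + repr(id) + ", name=" + repr(name))
  }
  let elem = matches.first()
  // … unchanged: text output and isUsed update …
}
```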
@@ -0,0 +1,21 @@
+# External data
+
+Some data is required for either core functions or addons.
+
+## MITRE ATT&CK data
+
+The attacks described in the MITRE ATT&CK framework is available on GitHub: [mitre-attack/attack-data-model](https://github.com/mitre-attack/attack-data-model).
+
+It is filtered to only required values using this [nushell](https://www.nushell.sh/) one-liner:
+```nu
+http get https://raw.githubusercontent.com/mitre-attack/attack-stix-data/refs/heads/master/enterprise-attack/enterprise-attack-18.1.json | get objects | where type == "attack-pattern" | each {|e| let ref = ($e.external_references | where source_name == 'mitre-attack' | first | get external_id url); {name:$e.name, id: ($ref | first), url: ($ref | last) } } | to json | save mitre-attack.json
+```
+
+The filtered output is saved to `mitre-attack.json` and used by `addons/mitre.typ`.
+
+### License
+
+> The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK® for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.
+> "© 2025 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."
+
+For more information, see [MITRE's Terms of Use](https://attack.mitre.org/resources/legal-and-branding/terms-of-use/).
diff --git a/extern/mitre-attack.json b/extern/mitre-attack.json
new file mode 100644
index 0000000..3fee8fe
--- /dev/null
+++ b/extern/mitre-attack.json
@@ -0,0 +1,4177 @@ +[ + { + "name": "Extra Window Memory Injection", + "id": "T1055.011", + "url": "https://attack.mitre.org/techniques/T1055/011" + }, + { + "name": "Scheduled Task", + "id": "T1053.005", + "url": "https://attack.mitre.org/techniques/T1053/005" + }, + { + "name": "Socket Filters", + "id": "T1205.002", + "url": "https://attack.mitre.org/techniques/T1205/002" + }, + { + "name": "Indicator Removal from Tools", + "id": "T1066", + "url": "https://attack.mitre.org/techniques/T1066" + }, + { + "name": "Archive via Utility", + "id": "T1560.001", + "url": "https://attack.mitre.org/techniques/T1560/001" + }, + { + "name": "VNC", + "id": "T1021.005", + "url": "https://attack.mitre.org/techniques/T1021/005" + }, + { + "name": "Windows Management Instrumentation", + "id": "T1047", + "url": "https://attack.mitre.org/techniques/T1047" + }, + { + "name": "Malicious Shell Modification", + "id": "T1156", + "url": "https://attack.mitre.org/techniques/T1156" + }, + { + "name": "Screen Capture", + "id": "T1113", + "url": "https://attack.mitre.org/techniques/T1113" + }, + { + "name": "Fileless Storage", + "id": "T1027.011", + "url": "https://attack.mitre.org/techniques/T1027/011" + }, + { + "name": "Bootkit", + "id": "T1067", + "url": "https://attack.mitre.org/techniques/T1067" + }, + { + "name": "Boot or Logon Initialization Scripts", + "id": "T1037", + "url": "https://attack.mitre.org/techniques/T1037" + }, + { + "name": "Adversary-in-the-Middle", + "id": "T1557", + "url": "https://attack.mitre.org/techniques/T1557" + }, + { + "name": "System Owner/User Discovery", + "id": "T1033", + "url": "https://attack.mitre.org/techniques/T1033" + }, + { + "name": "Acquire Infrastructure", + "id": "T1583", + "url": "https://attack.mitre.org/techniques/T1583" + }, + { + "name": "Rundll32", + "id": "T1218.011", + "url": "https://attack.mitre.org/techniques/T1218/011" + }, + { + "name": "Container and Resource Discovery", + "id": "T1613", + "url": 
"https://attack.mitre.org/techniques/T1613" + }, + { + "name": "Serverless", + "id": "T1583.007", + "url": "https://attack.mitre.org/techniques/T1583/007" + }, + { + "name": "Hidden Window", + "id": "T1143", + "url": "https://attack.mitre.org/techniques/T1143" + }, + { + "name": "LC_LOAD_DYLIB Addition", + "id": "T1161", + "url": "https://attack.mitre.org/techniques/T1161" + }, + { + "name": "Standard Encoding", + "id": "T1132.001", + "url": "https://attack.mitre.org/techniques/T1132/001" + }, + { + "name": "Embedded Payloads", + "id": "T1027.009", + "url": "https://attack.mitre.org/techniques/T1027/009" + }, + { + "name": "Plist Modification", + "id": "T1150", + "url": "https://attack.mitre.org/techniques/T1150" + }, + { + "name": "Pluggable Authentication Modules", + "id": "T1556.003", + "url": "https://attack.mitre.org/techniques/T1556/003" + }, + { + "name": "Revert Cloud Instance", + "id": "T1578.004", + "url": "https://attack.mitre.org/techniques/T1578/004" + }, + { + "name": "HISTCONTROL", + "id": "T1148", + "url": "https://attack.mitre.org/techniques/T1148" + }, + { + "name": "Gather Victim Host Information", + "id": "T1592", + "url": "https://attack.mitre.org/techniques/T1592" + }, + { + "name": "Digital Certificates", + "id": "T1596.003", + "url": "https://attack.mitre.org/techniques/T1596/003" + }, + { + "name": "Keylogging", + "id": "T1056.001", + "url": "https://attack.mitre.org/techniques/T1056/001" + }, + { + "name": "File/Path Exclusions", + "id": "T1564.012", + "url": "https://attack.mitre.org/techniques/T1564/012" + }, + { + "name": "Linux and Mac File and Directory Permissions Modification", + "id": "T1222.002", + "url": "https://attack.mitre.org/techniques/T1222/002" + }, + { + "name": "Password Guessing", + "id": "T1110.001", + "url": "https://attack.mitre.org/techniques/T1110/001" + }, + { + "name": "PubPrn", + "id": "T1216.001", + "url": "https://attack.mitre.org/techniques/T1216/001" + }, + { + "name": "Purchase Technical Data", + "id": 
"T1597.002", + "url": "https://attack.mitre.org/techniques/T1597/002" + }, + { + "name": "OS Credential Dumping", + "id": "T1003", + "url": "https://attack.mitre.org/techniques/T1003" + }, + { + "name": "Shared Modules", + "id": "T1129", + "url": "https://attack.mitre.org/techniques/T1129" + }, + { + "name": "Data from Configuration Repository", + "id": "T1602", + "url": "https://attack.mitre.org/techniques/T1602" + }, + { + "name": "Disk Structure Wipe", + "id": "T1561.002", + "url": "https://attack.mitre.org/techniques/T1561/002" + }, + { + "name": "Direct Network Flood", + "id": "T1498.001", + "url": "https://attack.mitre.org/techniques/T1498/001" + }, + { + "name": "Stored Data Manipulation", + "id": "T1492", + "url": "https://attack.mitre.org/techniques/T1492" + }, + { + "name": "Path Interception by PATH Environment Variable", + "id": "T1574.007", + "url": "https://attack.mitre.org/techniques/T1574/007" + }, + { + "name": "Sharepoint", + "id": "T1213.002", + "url": "https://attack.mitre.org/techniques/T1213/002" + }, + { + "name": "Direct Volume Access", + "id": "T1006", + "url": "https://attack.mitre.org/techniques/T1006" + }, + { + "name": "File System Permissions Weakness", + "id": "T1044", + "url": "https://attack.mitre.org/techniques/T1044" + }, + { + "name": "Artificial Intelligence", + "id": "T1588.007", + "url": "https://attack.mitre.org/techniques/T1588/007" + }, + { + "name": "Modify Cloud Resource Hierarchy", + "id": "T1666", + "url": "https://attack.mitre.org/techniques/T1666" + }, + { + "name": "Email Hiding Rules", + "id": "T1564.008", + "url": "https://attack.mitre.org/techniques/T1564/008" + }, + { + "name": "External Defacement", + "id": "T1491.002", + "url": "https://attack.mitre.org/techniques/T1491/002" + }, + { + "name": "Encrypted/Encoded File", + "id": "T1027.013", + "url": "https://attack.mitre.org/techniques/T1027/013" + }, + { + "name": "LLMNR/NBT-NS Poisoning and Relay", + "id": "T1171", + "url": 
"https://attack.mitre.org/techniques/T1171" + }, + { + "name": "IP Addresses", + "id": "T1590.005", + "url": "https://attack.mitre.org/techniques/T1590/005" + }, + { + "name": "OS Exhaustion Flood", + "id": "T1499.001", + "url": "https://attack.mitre.org/techniques/T1499/001" + }, + { + "name": "Rootkit", + "id": "T1014", + "url": "https://attack.mitre.org/techniques/T1014" + }, + { + "name": "PowerShell Profile", + "id": "T1546.013", + "url": "https://attack.mitre.org/techniques/T1546/013" + }, + { + "name": "JavaScript", + "id": "T1059.007", + "url": "https://attack.mitre.org/techniques/T1059/007" + }, + { + "name": "DNS", + "id": "T1590.002", + "url": "https://attack.mitre.org/techniques/T1590/002" + }, + { + "name": "Systemd Service", + "id": "T1501", + "url": "https://attack.mitre.org/techniques/T1501" + }, + { + "name": "Lifecycle-Triggered Deletion", + "id": "T1485.001", + "url": "https://attack.mitre.org/techniques/T1485/001" + }, + { + "name": "Elevated Execution with Prompt", + "id": "T1514", + "url": "https://attack.mitre.org/techniques/T1514" + }, + { + "name": "Audio Capture", + "id": "T1123", + "url": "https://attack.mitre.org/techniques/T1123" + }, + { + "name": "Create or Modify System Process", + "id": "T1543", + "url": "https://attack.mitre.org/techniques/T1543" + }, + { + "name": "External Remote Services", + "id": "T1133", + "url": "https://attack.mitre.org/techniques/T1133" + }, + { + "name": "Component Firmware", + "id": "T1109", + "url": "https://attack.mitre.org/techniques/T1109" + }, + { + "name": "LC_LOAD_DYLIB Addition", + "id": "T1546.006", + "url": "https://attack.mitre.org/techniques/T1546/006" + }, + { + "name": "Steal Web Session Cookie", + "id": "T1539", + "url": "https://attack.mitre.org/techniques/T1539" + }, + { + "name": "Container Orchestration Job", + "id": "T1053.007", + "url": "https://attack.mitre.org/techniques/T1053/007" + }, + { + "name": "Domain Generation Algorithms", + "id": "T1568.002", + "url": 
"https://attack.mitre.org/techniques/T1568/002" + }, + { + "name": "Double File Extension", + "id": "T1036.007", + "url": "https://attack.mitre.org/techniques/T1036/007" + }, + { + "name": "Bypass User Account Control", + "id": "T1548.002", + "url": "https://attack.mitre.org/techniques/T1548/002" + }, + { + "name": "Timestomp", + "id": "T1099", + "url": "https://attack.mitre.org/techniques/T1099" + }, + { + "name": "SMS Pumping", + "id": "T1496.003", + "url": "https://attack.mitre.org/techniques/T1496/003" + }, + { + "name": "Internet Connection Discovery", + "id": "T1016.001", + "url": "https://attack.mitre.org/techniques/T1016/001" + }, + { + "name": "Sudo and Sudo Caching", + "id": "T1548.003", + "url": "https://attack.mitre.org/techniques/T1548/003" + }, + { + "name": "Archive via Custom Method", + "id": "T1560.003", + "url": "https://attack.mitre.org/techniques/T1560/003" + }, + { + "name": "Modify Cloud Compute Infrastructure", + "id": "T1578", + "url": "https://attack.mitre.org/techniques/T1578" + }, + { + "name": "Network Devices", + "id": "T1584.008", + "url": "https://attack.mitre.org/techniques/T1584/008" + }, + { + "name": "Malvertising", + "id": "T1583.008", + "url": "https://attack.mitre.org/techniques/T1583/008" + }, + { + "name": "Permission Groups Discovery", + "id": "T1069", + "url": "https://attack.mitre.org/techniques/T1069" + }, + { + "name": "Email Collection", + "id": "T1114", + "url": "https://attack.mitre.org/techniques/T1114" + }, + { + "name": "Security Account Manager", + "id": "T1003.002", + "url": "https://attack.mitre.org/techniques/T1003/002" + }, + { + "name": "WHOIS", + "id": "T1596.002", + "url": "https://attack.mitre.org/techniques/T1596/002" + }, + { + "name": "System Firmware", + "id": "T1542.001", + "url": "https://attack.mitre.org/techniques/T1542/001" + }, + { + "name": "Search Victim-Owned Websites", + "id": "T1594", + "url": "https://attack.mitre.org/techniques/T1594" + }, + { + "name": "Cloud Groups", + "id": "T1069.003", 
+ "url": "https://attack.mitre.org/techniques/T1069/003" + }, + { + "name": "Services Registry Permissions Weakness", + "id": "T1574.011", + "url": "https://attack.mitre.org/techniques/T1574/011" + }, + { + "name": "DNS/Passive DNS", + "id": "T1596.001", + "url": "https://attack.mitre.org/techniques/T1596/001" + }, + { + "name": "Application Exhaustion Flood", + "id": "T1499.003", + "url": "https://attack.mitre.org/techniques/T1499/003" + }, + { + "name": "Rc.common", + "id": "T1163", + "url": "https://attack.mitre.org/techniques/T1163" + }, + { + "name": "Compromise Software Dependencies and Development Tools", + "id": "T1195.001", + "url": "https://attack.mitre.org/techniques/T1195/001" + }, + { + "name": "Digital Certificates", + "id": "T1588.004", + "url": "https://attack.mitre.org/techniques/T1588/004" + }, + { + "name": "DNS Server", + "id": "T1583.002", + "url": "https://attack.mitre.org/techniques/T1583/002" + }, + { + "name": "Disk Wipe", + "id": "T1561", + "url": "https://attack.mitre.org/techniques/T1561" + }, + { + "name": "DNS", + "id": "T1071.004", + "url": "https://attack.mitre.org/techniques/T1071/004" + }, + { + "name": "Cloud Instance Metadata API", + "id": "T1552.005", + "url": "https://attack.mitre.org/techniques/T1552/005" + }, + { + "name": "Securityd Memory", + "id": "T1555.002", + "url": "https://attack.mitre.org/techniques/T1555/002" + }, + { + "name": "Group Policy Discovery", + "id": "T1615", + "url": "https://attack.mitre.org/techniques/T1615" + }, + { + "name": "Bootkit", + "id": "T1542.003", + "url": "https://attack.mitre.org/techniques/T1542/003" + }, + { + "name": "Data from Removable Media", + "id": "T1025", + "url": "https://attack.mitre.org/techniques/T1025" + }, + { + "name": "Code Signing", + "id": "T1116", + "url": "https://attack.mitre.org/techniques/T1116" + }, + { + "name": "Mavinject", + "id": "T1218.013", + "url": "https://attack.mitre.org/techniques/T1218/013" + }, + { + "name": "Cloud Instance Metadata API", + "id": 
"T1522", + "url": "https://attack.mitre.org/techniques/T1522" + }, + { + "name": "Process Hollowing", + "id": "T1093", + "url": "https://attack.mitre.org/techniques/T1093" + }, + { + "name": "Local Data Staging", + "id": "T1074.001", + "url": "https://attack.mitre.org/techniques/T1074/001" + }, + { + "name": "Match Legitimate Resource Name or Location", + "id": "T1036.005", + "url": "https://attack.mitre.org/techniques/T1036/005" + }, + { + "name": "Domain Fronting", + "id": "T1172", + "url": "https://attack.mitre.org/techniques/T1172" + }, + { + "name": "Digital Certificates", + "id": "T1587.003", + "url": "https://attack.mitre.org/techniques/T1587/003" + }, + { + "name": "Stored Data Manipulation", + "id": "T1565.001", + "url": "https://attack.mitre.org/techniques/T1565/001" + }, + { + "name": "Password Cracking", + "id": "T1110.002", + "url": "https://attack.mitre.org/techniques/T1110/002" + }, + { + "name": "SID-History Injection", + "id": "T1178", + "url": "https://attack.mitre.org/techniques/T1178" + }, + { + "name": "Local Email Collection", + "id": "T1114.001", + "url": "https://attack.mitre.org/techniques/T1114/001" + }, + { + "name": "Keychain", + "id": "T1555.001", + "url": "https://attack.mitre.org/techniques/T1555/001" + }, + { + "name": "Boot or Logon Autostart Execution", + "id": "T1547", + "url": "https://attack.mitre.org/techniques/T1547" + }, + { + "name": "LSA Secrets", + "id": "T1003.004", + "url": "https://attack.mitre.org/techniques/T1003/004" + }, + { + "name": "Port Monitors", + "id": "T1013", + "url": "https://attack.mitre.org/techniques/T1013" + }, + { + "name": "Weaken Encryption", + "id": "T1600", + "url": "https://attack.mitre.org/techniques/T1600" + }, + { + "name": "SAML Tokens", + "id": "T1606.002", + "url": "https://attack.mitre.org/techniques/T1606/002" + }, + { + "name": "Spearphishing Link", + "id": "T1192", + "url": "https://attack.mitre.org/techniques/T1192" + }, + { + "name": "Masquerade File Type", + "id": "T1036.008", + 
"url": "https://attack.mitre.org/techniques/T1036/008" + }, + { + "name": "Service Stop", + "id": "T1489", + "url": "https://attack.mitre.org/techniques/T1489" + }, + { + "name": "Malware", + "id": "T1587.001", + "url": "https://attack.mitre.org/techniques/T1587/001" + }, + { + "name": "Regsvcs/Regasm", + "id": "T1121", + "url": "https://attack.mitre.org/techniques/T1121" + }, + { + "name": "Device Driver Discovery", + "id": "T1652", + "url": "https://attack.mitre.org/techniques/T1652" + }, + { + "name": "Sudo Caching", + "id": "T1206", + "url": "https://attack.mitre.org/techniques/T1206" + }, + { + "name": "Domain Account", + "id": "T1087.002", + "url": "https://attack.mitre.org/techniques/T1087/002" + }, + { + "name": "Active Setup", + "id": "T1547.014", + "url": "https://attack.mitre.org/techniques/T1547/014" + }, + { + "name": "Hide Artifacts", + "id": "T1564", + "url": "https://attack.mitre.org/techniques/T1564" + }, + { + "name": "Dynamic Data Exchange", + "id": "T1559.002", + "url": "https://attack.mitre.org/techniques/T1559/002" + }, + { + "name": "Malicious File", + "id": "T1204.002", + "url": "https://attack.mitre.org/techniques/T1204/002" + }, + { + "name": "Identify Business Tempo", + "id": "T1591.003", + "url": "https://attack.mitre.org/techniques/T1591/003" + }, + { + "name": "Security Software Discovery", + "id": "T1063", + "url": "https://attack.mitre.org/techniques/T1063" + }, + { + "name": "Publish/Subscribe Protocols", + "id": "T1071.005", + "url": "https://attack.mitre.org/techniques/T1071/005" + }, + { + "name": "Hardware", + "id": "T1592.001", + "url": "https://attack.mitre.org/techniques/T1592/001" + }, + { + "name": "Taint Shared Content", + "id": "T1080", + "url": "https://attack.mitre.org/techniques/T1080" + }, + { + "name": "Trust Modification", + "id": "T1484.002", + "url": "https://attack.mitre.org/techniques/T1484/002" + }, + { + "name": "Databases", + "id": "T1213.006", + "url": "https://attack.mitre.org/techniques/T1213/006" + }, + { 
+ "name": "Symmetric Cryptography", + "id": "T1573.001", + "url": "https://attack.mitre.org/techniques/T1573/001" + }, + { + "name": "Local Account", + "id": "T1087.001", + "url": "https://attack.mitre.org/techniques/T1087/001" + }, + { + "name": "Securityd Memory", + "id": "T1167", + "url": "https://attack.mitre.org/techniques/T1167" + }, + { + "name": "Social Media Accounts", + "id": "T1586.001", + "url": "https://attack.mitre.org/techniques/T1586/001" + }, + { + "name": "Browser Extensions", + "id": "T1176.001", + "url": "https://attack.mitre.org/techniques/T1176/001" + }, + { + "name": "Application Access Token", + "id": "T1527", + "url": "https://attack.mitre.org/techniques/T1527" + }, + { + "name": "Safe Mode Boot", + "id": "T1562.009", + "url": "https://attack.mitre.org/techniques/T1562/009" + }, + { + "name": "Screensaver", + "id": "T1180", + "url": "https://attack.mitre.org/techniques/T1180" + }, + { + "name": "TFTP Boot", + "id": "T1542.005", + "url": "https://attack.mitre.org/techniques/T1542/005" + }, + { + "name": "Windows Service", + "id": "T1543.003", + "url": "https://attack.mitre.org/techniques/T1543/003" + }, + { + "name": "Fast Flux DNS", + "id": "T1568.001", + "url": "https://attack.mitre.org/techniques/T1568/001" + }, + { + "name": "System Checks", + "id": "T1497.001", + "url": "https://attack.mitre.org/techniques/T1497/001" + }, + { + "name": "Cron", + "id": "T1053.003", + "url": "https://attack.mitre.org/techniques/T1053/003" + }, + { + "name": "Domain Groups", + "id": "T1069.002", + "url": "https://attack.mitre.org/techniques/T1069/002" + }, + { + "name": "Vulnerabilities", + "id": "T1588.006", + "url": "https://attack.mitre.org/techniques/T1588/006" + }, + { + "name": "Spearphishing Link", + "id": "T1566.002", + "url": "https://attack.mitre.org/techniques/T1566/002" + }, + { + "name": "Startup Items", + "id": "T1165", + "url": "https://attack.mitre.org/techniques/T1165" + }, + { + "name": "Clear Linux or Mac System Logs", + "id": 
"T1070.002", + "url": "https://attack.mitre.org/techniques/T1070/002" + }, + { + "name": "Application or System Exploitation", + "id": "T1499.004", + "url": "https://attack.mitre.org/techniques/T1499/004" + }, + { + "name": "Office Application Startup", + "id": "T1137", + "url": "https://attack.mitre.org/techniques/T1137" + }, + { + "name": "InstallUtil", + "id": "T1218.004", + "url": "https://attack.mitre.org/techniques/T1218/004" + }, + { + "name": "Spearphishing Link", + "id": "T1598.003", + "url": "https://attack.mitre.org/techniques/T1598/003" + }, + { + "name": "SSH", + "id": "T1021.004", + "url": "https://attack.mitre.org/techniques/T1021/004" + }, + { + "name": "Additional Cloud Roles", + "id": "T1098.003", + "url": "https://attack.mitre.org/techniques/T1098/003" + }, + { + "name": "Print Processors", + "id": "T1547.012", + "url": "https://attack.mitre.org/techniques/T1547/012" + }, + { + "name": "Disabling Security Tools", + "id": "T1089", + "url": "https://attack.mitre.org/techniques/T1089" + }, + { + "name": "Disk Structure Wipe", + "id": "T1487", + "url": "https://attack.mitre.org/techniques/T1487" + }, + { + "name": "Spearphishing Attachment", + "id": "T1566.001", + "url": "https://attack.mitre.org/techniques/T1566/001" + }, + { + "name": "Credentials in Registry", + "id": "T1214", + "url": "https://attack.mitre.org/techniques/T1214" + }, + { + "name": "Stripped Payloads", + "id": "T1027.008", + "url": "https://attack.mitre.org/techniques/T1027/008" + }, + { + "name": "Component Object Model", + "id": "T1559.001", + "url": "https://attack.mitre.org/techniques/T1559/001" + }, + { + "name": "DLL", + "id": "T1574.001", + "url": "https://attack.mitre.org/techniques/T1574/001" + }, + { + "name": "Automated Collection", + "id": "T1119", + "url": "https://attack.mitre.org/techniques/T1119" + }, + { + "name": "Clipboard Data", + "id": "T1115", + "url": "https://attack.mitre.org/techniques/T1115" + }, + { + "name": "Proc Filesystem", + "id": "T1003.007", + 
"url": "https://attack.mitre.org/techniques/T1003/007" + }, + { + "name": "Botnet", + "id": "T1583.005", + "url": "https://attack.mitre.org/techniques/T1583/005" + }, + { + "name": "Password Managers", + "id": "T1555.005", + "url": "https://attack.mitre.org/techniques/T1555/005" + }, + { + "name": "AppInit DLLs", + "id": "T1103", + "url": "https://attack.mitre.org/techniques/T1103" + }, + { + "name": "Gatekeeper Bypass", + "id": "T1553.001", + "url": "https://attack.mitre.org/techniques/T1553/001" + }, + { + "name": "ESXi Administration Command", + "id": "T1675", + "url": "https://attack.mitre.org/techniques/T1675" + }, + { + "name": "Drive-by Target", + "id": "T1608.004", + "url": "https://attack.mitre.org/techniques/T1608/004" + }, + { + "name": "System Service Discovery", + "id": "T1007", + "url": "https://attack.mitre.org/techniques/T1007" + }, + { + "name": "Network Sniffing", + "id": "T1040", + "url": "https://attack.mitre.org/techniques/T1040" + }, + { + "name": "Application Deployment Software", + "id": "T1017", + "url": "https://attack.mitre.org/techniques/T1017" + }, + { + "name": "Code Signing", + "id": "T1553.002", + "url": "https://attack.mitre.org/techniques/T1553/002" + }, + { + "name": "Data from Cloud Storage", + "id": "T1530", + "url": "https://attack.mitre.org/techniques/T1530" + }, + { + "name": "Runtime Data Manipulation", + "id": "T1565.003", + "url": "https://attack.mitre.org/techniques/T1565/003" + }, + { + "name": "Credentials in Registry", + "id": "T1552.002", + "url": "https://attack.mitre.org/techniques/T1552/002" + }, + { + "name": "Network Share Discovery", + "id": "T1135", + "url": "https://attack.mitre.org/techniques/T1135" + }, + { + "name": "Peripheral Device Discovery", + "id": "T1120", + "url": "https://attack.mitre.org/techniques/T1120" + }, + { + "name": "Break Process Trees", + "id": "T1036.009", + "url": "https://attack.mitre.org/techniques/T1036/009" + }, + { + "name": "Network Topology", + "id": "T1590.004", + "url": 
"https://attack.mitre.org/techniques/T1590/004" + }, + { + "name": "Code Signing Certificates", + "id": "T1587.002", + "url": "https://attack.mitre.org/techniques/T1587/002" + }, + { + "name": "Windows File and Directory Permissions Modification", + "id": "T1222.001", + "url": "https://attack.mitre.org/techniques/T1222/001" + }, + { + "name": "Add-ins", + "id": "T1137.006", + "url": "https://attack.mitre.org/techniques/T1137/006" + }, + { + "name": "Transport Agent", + "id": "T1505.002", + "url": "https://attack.mitre.org/techniques/T1505/002" + }, + { + "name": "System Information Discovery", + "id": "T1082", + "url": "https://attack.mitre.org/techniques/T1082" + }, + { + "name": "Application Layer Protocol", + "id": "T1071", + "url": "https://attack.mitre.org/techniques/T1071" + }, + { + "name": "AppDomainManager", + "id": "T1574.014", + "url": "https://attack.mitre.org/techniques/T1574/014" + }, + { + "name": "Remote Data Staging", + "id": "T1074.002", + "url": "https://attack.mitre.org/techniques/T1074/002" + }, + { + "name": "Additional Container Cluster Roles", + "id": "T1098.006", + "url": "https://attack.mitre.org/techniques/T1098/006" + }, + { + "name": "Scheduled Task/Job", + "id": "T1053", + "url": "https://attack.mitre.org/techniques/T1053" + }, + { + "name": "Msiexec", + "id": "T1218.007", + "url": "https://attack.mitre.org/techniques/T1218/007" + }, + { + "name": "Login Item", + "id": "T1162", + "url": "https://attack.mitre.org/techniques/T1162" + }, + { + "name": "Network Trust Dependencies", + "id": "T1590.003", + "url": "https://attack.mitre.org/techniques/T1590/003" + }, + { + "name": "Reflection Amplification", + "id": "T1498.002", + "url": "https://attack.mitre.org/techniques/T1498/002" + }, + { + "name": "Password Filter DLL", + "id": "T1556.002", + "url": "https://attack.mitre.org/techniques/T1556/002" + }, + { + "name": "Terminal Services DLL", + "id": "T1505.005", + "url": "https://attack.mitre.org/techniques/T1505/005" + }, + { + "name": 
"AppleScript", + "id": "T1059.002", + "url": "https://attack.mitre.org/techniques/T1059/002" + }, + { + "name": "Software Extensions", + "id": "T1176", + "url": "https://attack.mitre.org/techniques/T1176" + }, + { + "name": "Service Exhaustion Flood", + "id": "T1499.002", + "url": "https://attack.mitre.org/techniques/T1499/002" + }, + { + "name": "Compromise Hardware Supply Chain", + "id": "T1195.003", + "url": "https://attack.mitre.org/techniques/T1195/003" + }, + { + "name": "Native API", + "id": "T1106", + "url": "https://attack.mitre.org/techniques/T1106" + }, + { + "name": "Ccache Files", + "id": "T1558.005", + "url": "https://attack.mitre.org/techniques/T1558/005" + }, + { + "name": "Clear Network Connection History and Configurations", + "id": "T1070.007", + "url": "https://attack.mitre.org/techniques/T1070/007" + }, + { + "name": "AS-REP Roasting", + "id": "T1558.004", + "url": "https://attack.mitre.org/techniques/T1558/004" + }, + { + "name": "Service Registry Permissions Weakness", + "id": "T1058", + "url": "https://attack.mitre.org/techniques/T1058" + }, + { + "name": "Virtual Private Server", + "id": "T1584.003", + "url": "https://attack.mitre.org/techniques/T1584/003" + }, + { + "name": "AutoHotKey & AutoIT", + "id": "T1059.010", + "url": "https://attack.mitre.org/techniques/T1059/010" + }, + { + "name": "Reduce Key Space", + "id": "T1600.001", + "url": "https://attack.mitre.org/techniques/T1600/001" + }, + { + "name": "Clear Command History", + "id": "T1070.003", + "url": "https://attack.mitre.org/techniques/T1070/003" + }, + { + "name": "Indirect Command Execution", + "id": "T1202", + "url": "https://attack.mitre.org/techniques/T1202" + }, + { + "name": "Custom Cryptographic Protocol", + "id": "T1024", + "url": "https://attack.mitre.org/techniques/T1024" + }, + { + "name": "Revert Cloud Instance", + "id": "T1536", + "url": "https://attack.mitre.org/techniques/T1536" + }, + { + "name": "Replication Through Removable Media", + "id": "T1091", + "url": 
"https://attack.mitre.org/techniques/T1091" + }, + { + "name": "Data from Local System", + "id": "T1005", + "url": "https://attack.mitre.org/techniques/T1005" + }, + { + "name": "Deobfuscate/Decode Files or Information", + "id": "T1140", + "url": "https://attack.mitre.org/techniques/T1140" + }, + { + "name": "Outlook Rules", + "id": "T1137.005", + "url": "https://attack.mitre.org/techniques/T1137/005" + }, + { + "name": "Impair Defenses", + "id": "T1562", + "url": "https://attack.mitre.org/techniques/T1562" + }, + { + "name": "Cloud Accounts", + "id": "T1586.003", + "url": "https://attack.mitre.org/techniques/T1586/003" + }, + { + "name": "Email Accounts", + "id": "T1586.002", + "url": "https://attack.mitre.org/techniques/T1586/002" + }, + { + "name": "Additional Local or Domain Groups", + "id": "T1098.007", + "url": "https://attack.mitre.org/techniques/T1098/007" + }, + { + "name": "Upload Malware", + "id": "T1608.001", + "url": "https://attack.mitre.org/techniques/T1608/001" + }, + { + "name": "Supply Chain Compromise", + "id": "T1195", + "url": "https://attack.mitre.org/techniques/T1195" + }, + { + "name": "Exploit Public-Facing Application", + "id": "T1190", + "url": "https://attack.mitre.org/techniques/T1190" + }, + { + "name": "Steal or Forge Kerberos Tickets", + "id": "T1558", + "url": "https://attack.mitre.org/techniques/T1558" + }, + { + "name": "Credentials from Password Stores", + "id": "T1555", + "url": "https://attack.mitre.org/techniques/T1555" + }, + { + "name": "Exfiltration Over Web Service", + "id": "T1567", + "url": "https://attack.mitre.org/techniques/T1567" + }, + { + "name": "Remote Access Tools", + "id": "T1219", + "url": "https://attack.mitre.org/techniques/T1219" + }, + { + "name": "Domains", + "id": "T1583.001", + "url": "https://attack.mitre.org/techniques/T1583/001" + }, + { + "name": "Archive via Library", + "id": "T1560.002", + "url": "https://attack.mitre.org/techniques/T1560/002" + }, + { + "name": "Thread Execution Hijacking", + 
"id": "T1055.003", + "url": "https://attack.mitre.org/techniques/T1055/003" + }, + { + "name": "Multilayer Encryption", + "id": "T1079", + "url": "https://attack.mitre.org/techniques/T1079" + }, + { + "name": "Masquerading", + "id": "T1036", + "url": "https://attack.mitre.org/techniques/T1036" + }, + { + "name": "Application Shimming", + "id": "T1546.011", + "url": "https://attack.mitre.org/techniques/T1546/011" + }, + { + "name": "Unsecured Credentials", + "id": "T1552", + "url": "https://attack.mitre.org/techniques/T1552" + }, + { + "name": "Port Monitors", + "id": "T1547.010", + "url": "https://attack.mitre.org/techniques/T1547/010" + }, + { + "name": "Clear Mailbox Data", + "id": "T1070.008", + "url": "https://attack.mitre.org/techniques/T1070/008" + }, + { + "name": "Login Hook", + "id": "T1037.002", + "url": "https://attack.mitre.org/techniques/T1037/002" + }, + { + "name": "Content Injection", + "id": "T1659", + "url": "https://attack.mitre.org/techniques/T1659" + }, + { + "name": "Process Injection", + "id": "T1055", + "url": "https://attack.mitre.org/techniques/T1055" + }, + { + "name": "Exfiltration Over Webhook", + "id": "T1567.004", + "url": "https://attack.mitre.org/techniques/T1567/004" + }, + { + "name": "Bash History", + "id": "T1139", + "url": "https://attack.mitre.org/techniques/T1139" + }, + { + "name": "Traffic Signaling", + "id": "T1205", + "url": "https://attack.mitre.org/techniques/T1205" + }, + { + "name": "Direct Cloud VM Connections", + "id": "T1021.008", + "url": "https://attack.mitre.org/techniques/T1021/008" + }, + { + "name": "Credentials from Web Browsers", + "id": "T1503", + "url": "https://attack.mitre.org/techniques/T1503" + }, + { + "name": "System Binary Proxy Execution", + "id": "T1218", + "url": "https://attack.mitre.org/techniques/T1218" + }, + { + "name": "Source", + "id": "T1153", + "url": "https://attack.mitre.org/techniques/T1153" + }, + { + "name": "DLL Search Order Hijacking", + "id": "T1038", + "url": 
"https://attack.mitre.org/techniques/T1038" + }, + { + "name": "New Service", + "id": "T1050", + "url": "https://attack.mitre.org/techniques/T1050" + }, + { + "name": "Timestomp", + "id": "T1070.006", + "url": "https://attack.mitre.org/techniques/T1070/006" + }, + { + "name": "Evil Twin", + "id": "T1557.004", + "url": "https://attack.mitre.org/techniques/T1557/004" + }, + { + "name": "Reflective Code Loading", + "id": "T1620", + "url": "https://attack.mitre.org/techniques/T1620" + }, + { + "name": "Wi-Fi Discovery", + "id": "T1016.002", + "url": "https://attack.mitre.org/techniques/T1016/002" + }, + { + "name": "Mutual Exclusion", + "id": "T1480.002", + "url": "https://attack.mitre.org/techniques/T1480/002" + }, + { + "name": "Ignore Process Interrupts", + "id": "T1564.011", + "url": "https://attack.mitre.org/techniques/T1564/011" + }, + { + "name": "Escape to Host", + "id": "T1611", + "url": "https://attack.mitre.org/techniques/T1611" + }, + { + "name": "Backup Software Discovery", + "id": "T1518.002", + "url": "https://attack.mitre.org/techniques/T1518/002" + }, + { + "name": "Shortcut Modification", + "id": "T1547.009", + "url": "https://attack.mitre.org/techniques/T1547/009" + }, + { + "name": "Application Window Discovery", + "id": "T1010", + "url": "https://attack.mitre.org/techniques/T1010" + }, + { + "name": "Systemctl", + "id": "T1569.003", + "url": "https://attack.mitre.org/techniques/T1569/003" + }, + { + "name": "Standard Cryptographic Protocol", + "id": "T1032", + "url": "https://attack.mitre.org/techniques/T1032" + }, + { + "name": "Email Account", + "id": "T1087.003", + "url": "https://attack.mitre.org/techniques/T1087/003" + }, + { + "name": "Hypervisor", + "id": "T1062", + "url": "https://attack.mitre.org/techniques/T1062" + }, + { + "name": "Time Based Checks", + "id": "T1497.003", + "url": "https://attack.mitre.org/techniques/T1497/003" + }, + { + "name": "AppCert DLLs", + "id": "T1182", + "url": "https://attack.mitre.org/techniques/T1182" + }, + 
{ + "name": "CMSTP", + "id": "T1218.003", + "url": "https://attack.mitre.org/techniques/T1218/003" + }, + { + "name": "SSH Hijacking", + "id": "T1563.001", + "url": "https://attack.mitre.org/techniques/T1563/001" + }, + { + "name": "Disable Windows Event Logging", + "id": "T1562.002", + "url": "https://attack.mitre.org/techniques/T1562/002" + }, + { + "name": "Scheduled Transfer", + "id": "T1029", + "url": "https://attack.mitre.org/techniques/T1029" + }, + { + "name": "SMB/Windows Admin Shares", + "id": "T1021.002", + "url": "https://attack.mitre.org/techniques/T1021/002" + }, + { + "name": "Implant Internal Image", + "id": "T1525", + "url": "https://attack.mitre.org/techniques/T1525" + }, + { + "name": "Protocol Tunneling", + "id": "T1572", + "url": "https://attack.mitre.org/techniques/T1572" + }, + { + "name": "Control Panel", + "id": "T1218.002", + "url": "https://attack.mitre.org/techniques/T1218/002" + }, + { + "name": "Network Address Translation Traversal", + "id": "T1599.001", + "url": "https://attack.mitre.org/techniques/T1599/001" + }, + { + "name": "Upload Tool", + "id": "T1608.002", + "url": "https://attack.mitre.org/techniques/T1608/002" + }, + { + "name": "Security Support Provider", + "id": "T1547.005", + "url": "https://attack.mitre.org/techniques/T1547/005" + }, + { + "name": "Overwrite Process Arguments", + "id": "T1036.011", + "url": "https://attack.mitre.org/techniques/T1036/011" + }, + { + "name": "Winlogon Helper DLL", + "id": "T1004", + "url": "https://attack.mitre.org/techniques/T1004" + }, + { + "name": "Binary Padding", + "id": "T1009", + "url": "https://attack.mitre.org/techniques/T1009" + }, + { + "name": "Use Alternate Authentication Material", + "id": "T1550", + "url": "https://attack.mitre.org/techniques/T1550" + }, + { + "name": "Remote Desktop Protocol", + "id": "T1076", + "url": "https://attack.mitre.org/techniques/T1076" + }, + { + "name": "Threat Intel Vendors", + "id": "T1597.001", + "url": 
"https://attack.mitre.org/techniques/T1597/001" + }, + { + "name": "Exfiltration Over Other Network Medium", + "id": "T1011", + "url": "https://attack.mitre.org/techniques/T1011" + }, + { + "name": "Network Device Configuration Dump", + "id": "T1602.002", + "url": "https://attack.mitre.org/techniques/T1602/002" + }, + { + "name": "Gather Victim Identity Information", + "id": "T1589", + "url": "https://attack.mitre.org/techniques/T1589" + }, + { + "name": "Authentication Package", + "id": "T1131", + "url": "https://attack.mitre.org/techniques/T1131" + }, + { + "name": "Extra Window Memory Injection", + "id": "T1181", + "url": "https://attack.mitre.org/techniques/T1181" + }, + { + "name": "Disable or Modify System Firewall", + "id": "T1562.004", + "url": "https://attack.mitre.org/techniques/T1562/004" + }, + { + "name": "Archive Collected Data", + "id": "T1560", + "url": "https://attack.mitre.org/techniques/T1560" + }, + { + "name": "Launchctl", + "id": "T1152", + "url": "https://attack.mitre.org/techniques/T1152" + }, + { + "name": "SIP and Trust Provider Hijacking", + "id": "T1553.003", + "url": "https://attack.mitre.org/techniques/T1553/003" + }, + { + "name": "Domain Generation Algorithms", + "id": "T1483", + "url": "https://attack.mitre.org/techniques/T1483" + }, + { + "name": "Browser Session Hijacking", + "id": "T1185", + "url": "https://attack.mitre.org/techniques/T1185" + }, + { + "name": "Remote Services", + "id": "T1021", + "url": "https://attack.mitre.org/techniques/T1021" + }, + { + "name": "Mail Protocols", + "id": "T1071.003", + "url": "https://attack.mitre.org/techniques/T1071/003" + }, + { + "name": "Hybrid Identity", + "id": "T1556.007", + "url": "https://attack.mitre.org/techniques/T1556/007" + }, + { + "name": "Vulnerability Scanning", + "id": "T1595.002", + "url": "https://attack.mitre.org/techniques/T1595/002" + }, + { + "name": "Cloud API", + "id": "T1059.009", + "url": "https://attack.mitre.org/techniques/T1059/009" + }, + { + "name": "Search 
Open Technical Databases", + "id": "T1596", + "url": "https://attack.mitre.org/techniques/T1596" + }, + { + "name": "Electron Applications", + "id": "T1218.015", + "url": "https://attack.mitre.org/techniques/T1218/015" + }, + { + "name": "Disable or Modify Linux Audit System", + "id": "T1562.012", + "url": "https://attack.mitre.org/techniques/T1562/012" + }, + { + "name": "Rogue Domain Controller", + "id": "T1207", + "url": "https://attack.mitre.org/techniques/T1207" + }, + { + "name": "Code Signing Policy Modification", + "id": "T1553.006", + "url": "https://attack.mitre.org/techniques/T1553/006" + }, + { + "name": "Deploy Container", + "id": "T1610", + "url": "https://attack.mitre.org/techniques/T1610" + }, + { + "name": "File Deletion", + "id": "T1107", + "url": "https://attack.mitre.org/techniques/T1107" + }, + { + "name": "Private Keys", + "id": "T1145", + "url": "https://attack.mitre.org/techniques/T1145" + }, + { + "name": "Modify Registry", + "id": "T1112", + "url": "https://attack.mitre.org/techniques/T1112" + }, + { + "name": "Launch Daemon", + "id": "T1543.004", + "url": "https://attack.mitre.org/techniques/T1543/004" + }, + { + "name": "Cloud Infrastructure Discovery", + "id": "T1580", + "url": "https://attack.mitre.org/techniques/T1580" + }, + { + "name": "Credentials from Web Browsers", + "id": "T1555.003", + "url": "https://attack.mitre.org/techniques/T1555/003" + }, + { + "name": "Path Interception by Search Order Hijacking", + "id": "T1574.008", + "url": "https://attack.mitre.org/techniques/T1574/008" + }, + { + "name": "Defacement", + "id": "T1491", + "url": "https://attack.mitre.org/techniques/T1491" + }, + { + "name": "Unused/Unsupported Cloud Regions", + "id": "T1535", + "url": "https://attack.mitre.org/techniques/T1535" + }, + { + "name": "DHCP Spoofing", + "id": "T1557.003", + "url": "https://attack.mitre.org/techniques/T1557/003" + }, + { + "name": "AppleScript", + "id": "T1155", + "url": "https://attack.mitre.org/techniques/T1155" + }, + { 
+ "name": "Remote Service Session Hijacking", + "id": "T1563", + "url": "https://attack.mitre.org/techniques/T1563" + }, + { + "name": "Bind Mounts", + "id": "T1564.013", + "url": "https://attack.mitre.org/techniques/T1564/013" + }, + { + "name": "Binary Padding", + "id": "T1027.001", + "url": "https://attack.mitre.org/techniques/T1027/001" + }, + { + "name": "Web Shell", + "id": "T1505.003", + "url": "https://attack.mitre.org/techniques/T1505/003" + }, + { + "name": "Group Policy Modification", + "id": "T1484.001", + "url": "https://attack.mitre.org/techniques/T1484/001" + }, + { + "name": "Browser Information Discovery", + "id": "T1217", + "url": "https://attack.mitre.org/techniques/T1217" + }, + { + "name": "Private Keys", + "id": "T1552.004", + "url": "https://attack.mitre.org/techniques/T1552/004" + }, + { + "name": "Server", + "id": "T1583.004", + "url": "https://attack.mitre.org/techniques/T1583/004" + }, + { + "name": "Windows Remote Management", + "id": "T1021.006", + "url": "https://attack.mitre.org/techniques/T1021/006" + }, + { + "name": "Exfiltration Over Bluetooth", + "id": "T1011.001", + "url": "https://attack.mitre.org/techniques/T1011/001" + }, + { + "name": "Default Accounts", + "id": "T1078.001", + "url": "https://attack.mitre.org/techniques/T1078/001" + }, + { + "name": "Time Providers", + "id": "T1547.003", + "url": "https://attack.mitre.org/techniques/T1547/003" + }, + { + "name": "Image File Execution Options Injection", + "id": "T1183", + "url": "https://attack.mitre.org/techniques/T1183" + }, + { + "name": "Rundll32", + "id": "T1085", + "url": "https://attack.mitre.org/techniques/T1085" + }, + { + "name": "Modify Existing Service", + "id": "T1031", + "url": "https://attack.mitre.org/techniques/T1031" + }, + { + "name": "Trap", + "id": "T1546.005", + "url": "https://attack.mitre.org/techniques/T1546/005" + }, + { + "name": "Dynamic Linker Hijacking", + "id": "T1574.006", + "url": "https://attack.mitre.org/techniques/T1574/006" + }, + { + 
"name": "Local Account", + "id": "T1136.001", + "url": "https://attack.mitre.org/techniques/T1136/001" + }, + { + "name": "Search Threat Vendor Data", + "id": "T1681", + "url": "https://attack.mitre.org/techniques/T1681" + }, + { + "name": "Input Injection", + "id": "T1674", + "url": "https://attack.mitre.org/techniques/T1674" + }, + { + "name": "Communication Through Removable Media", + "id": "T1092", + "url": "https://attack.mitre.org/techniques/T1092" + }, + { + "name": "Clear Windows Event Logs", + "id": "T1070.001", + "url": "https://attack.mitre.org/techniques/T1070/001" + }, + { + "name": "Email Accounts", + "id": "T1585.002", + "url": "https://attack.mitre.org/techniques/T1585/002" + }, + { + "name": "LLMNR/NBT-NS Poisoning and SMB Relay", + "id": "T1557.001", + "url": "https://attack.mitre.org/techniques/T1557/001" + }, + { + "name": "File and Directory Permissions Modification", + "id": "T1222", + "url": "https://attack.mitre.org/techniques/T1222" + }, + { + "name": "LSASS Memory", + "id": "T1003.001", + "url": "https://attack.mitre.org/techniques/T1003/001" + }, + { + "name": "At (Linux)", + "id": "T1053.001", + "url": "https://attack.mitre.org/techniques/T1053/001" + }, + { + "name": "IDE Extensions", + "id": "T1176.002", + "url": "https://attack.mitre.org/techniques/T1176/002" + }, + { + "name": "Hooking", + "id": "T1179", + "url": "https://attack.mitre.org/techniques/T1179" + }, + { + "name": "Active Scanning", + "id": "T1595", + "url": "https://attack.mitre.org/techniques/T1595" + }, + { + "name": "Junk Code Insertion", + "id": "T1027.016", + "url": "https://attack.mitre.org/techniques/T1027/016" + }, + { + "name": "Plist Modification", + "id": "T1547.011", + "url": "https://attack.mitre.org/techniques/T1547/011" + }, + { + "name": "Abuse Elevation Control Mechanism", + "id": "T1548", + "url": "https://attack.mitre.org/techniques/T1548" + }, + { + "name": "Create Process with Token", + "id": "T1134.002", + "url": 
"https://attack.mitre.org/techniques/T1134/002" + }, + { + "name": "Setuid and Setgid", + "id": "T1548.001", + "url": "https://attack.mitre.org/techniques/T1548/001" + }, + { + "name": "Winlogon Helper DLL", + "id": "T1547.004", + "url": "https://attack.mitre.org/techniques/T1547/004" + }, + { + "name": "System Firmware", + "id": "T1019", + "url": "https://attack.mitre.org/techniques/T1019" + }, + { + "name": "Distributed Component Object Model", + "id": "T1021.003", + "url": "https://attack.mitre.org/techniques/T1021/003" + }, + { + "name": "Change Default File Association", + "id": "T1042", + "url": "https://attack.mitre.org/techniques/T1042" + }, + { + "name": "Regsvr32", + "id": "T1117", + "url": "https://attack.mitre.org/techniques/T1117" + }, + { + "name": "Password Spraying", + "id": "T1110.003", + "url": "https://attack.mitre.org/techniques/T1110/003" + }, + { + "name": "External Proxy", + "id": "T1090.002", + "url": "https://attack.mitre.org/techniques/T1090/002" + }, + { + "name": "Web Portal Capture", + "id": "T1056.003", + "url": "https://attack.mitre.org/techniques/T1056/003" + }, + { + "name": "Email Addresses", + "id": "T1589.002", + "url": "https://attack.mitre.org/techniques/T1589/002" + }, + { + "name": "Re-opened Applications", + "id": "T1164", + "url": "https://attack.mitre.org/techniques/T1164" + }, + { + "name": "Indicator Blocking", + "id": "T1054", + "url": "https://attack.mitre.org/techniques/T1054" + }, + { + "name": "Spearphishing Voice", + "id": "T1598.004", + "url": "https://attack.mitre.org/techniques/T1598/004" + }, + { + "name": "Redundant Access", + "id": "T1108", + "url": "https://attack.mitre.org/techniques/T1108" + }, + { + "name": "Spearphishing Attachment", + "id": "T1193", + "url": "https://attack.mitre.org/techniques/T1193" + }, + { + "name": "Cached Domain Credentials", + "id": "T1003.005", + "url": "https://attack.mitre.org/techniques/T1003/005" + }, + { + "name": "SSH Authorized Keys", + "id": "T1098.004", + "url": 
"https://attack.mitre.org/techniques/T1098/004" + }, + { + "name": "Virtual Machine Discovery", + "id": "T1673", + "url": "https://attack.mitre.org/techniques/T1673" + }, + { + "name": "Kernel Modules and Extensions", + "id": "T1215", + "url": "https://attack.mitre.org/techniques/T1215" + }, + { + "name": "Security Support Provider", + "id": "T1101", + "url": "https://attack.mitre.org/techniques/T1101" + }, + { + "name": "Network Security Appliances", + "id": "T1590.006", + "url": "https://attack.mitre.org/techniques/T1590/006" + }, + { + "name": "Image File Execution Options Injection", + "id": "T1546.012", + "url": "https://attack.mitre.org/techniques/T1546/012" + }, + { + "name": "Odbcconf", + "id": "T1218.008", + "url": "https://attack.mitre.org/techniques/T1218/008" + }, + { + "name": "Search Engines", + "id": "T1593.002", + "url": "https://attack.mitre.org/techniques/T1593/002" + }, + { + "name": "LSASS Driver", + "id": "T1177", + "url": "https://attack.mitre.org/techniques/T1177" + }, + { + "name": "Business Relationships", + "id": "T1591.002", + "url": "https://attack.mitre.org/techniques/T1591/002" + }, + { + "name": "Temporary Elevated Cloud Access", + "id": "T1548.005", + "url": "https://attack.mitre.org/techniques/T1548/005" + }, + { + "name": "Video Capture", + "id": "T1125", + "url": "https://attack.mitre.org/techniques/T1125" + }, + { + "name": "Gatekeeper Bypass", + "id": "T1144", + "url": "https://attack.mitre.org/techniques/T1144" + }, + { + "name": "Software Packing", + "id": "T1045", + "url": "https://attack.mitre.org/techniques/T1045" + }, + { + "name": "Process Doppelgänging", + "id": "T1055.013", + "url": "https://attack.mitre.org/techniques/T1055/013" + }, + { + "name": "System Network Configuration Discovery", + "id": "T1016", + "url": "https://attack.mitre.org/techniques/T1016" + }, + { + "name": "Delete Cloud Instance", + "id": "T1578.003", + "url": "https://attack.mitre.org/techniques/T1578/003" + }, + { + "name": "Code Repositories", + 
"id": "T1593.003", + "url": "https://attack.mitre.org/techniques/T1593/003" + }, + { + "name": "Executable Installer File Permissions Weakness", + "id": "T1574.005", + "url": "https://attack.mitre.org/techniques/T1574/005" + }, + { + "name": "Accessibility Features", + "id": "T1546.008", + "url": "https://attack.mitre.org/techniques/T1546/008" + }, + { + "name": "Bandwidth Hijacking", + "id": "T1496.002", + "url": "https://attack.mitre.org/techniques/T1496/002" + }, + { + "name": "PowerShell Profile", + "id": "T1504", + "url": "https://attack.mitre.org/techniques/T1504" + }, + { + "name": "SIP and Trust Provider Hijacking", + "id": "T1198", + "url": "https://attack.mitre.org/techniques/T1198" + }, + { + "name": "Account Discovery", + "id": "T1087", + "url": "https://attack.mitre.org/techniques/T1087" + }, + { + "name": "Proxy", + "id": "T1090", + "url": "https://attack.mitre.org/techniques/T1090" + }, + { + "name": "Command and Scripting Interpreter", + "id": "T1059", + "url": "https://attack.mitre.org/techniques/T1059" + }, + { + "name": "Malicious Library", + "id": "T1204.005", + "url": "https://attack.mitre.org/techniques/T1204/005" + }, + { + "name": "Indicator Blocking", + "id": "T1562.006", + "url": "https://attack.mitre.org/techniques/T1562/006" + }, + { + "name": "Domain Account", + "id": "T1136.002", + "url": "https://attack.mitre.org/techniques/T1136/002" + }, + { + "name": "Extended Attributes", + "id": "T1564.014", + "url": "https://attack.mitre.org/techniques/T1564/014" + }, + { + "name": "Employee Names", + "id": "T1589.003", + "url": "https://attack.mitre.org/techniques/T1589/003" + }, + { + "name": "Poisoned Pipeline Execution", + "id": "T1677", + "url": "https://attack.mitre.org/techniques/T1677" + }, + { + "name": "Domain Trust Discovery", + "id": "T1482", + "url": "https://attack.mitre.org/techniques/T1482" + }, + { + "name": "Golden Ticket", + "id": "T1558.001", + "url": "https://attack.mitre.org/techniques/T1558/001" + }, + { + "name": 
"Component Object Model and Distributed COM", + "id": "T1175", + "url": "https://attack.mitre.org/techniques/T1175" + }, + { + "name": "Automated Exfiltration", + "id": "T1020", + "url": "https://attack.mitre.org/techniques/T1020" + }, + { + "name": "Client Configurations", + "id": "T1592.004", + "url": "https://attack.mitre.org/techniques/T1592/004" + }, + { + "name": "Disable or Modify Cloud Firewall", + "id": "T1562.007", + "url": "https://attack.mitre.org/techniques/T1562/007" + }, + { + "name": "IDE Tunneling", + "id": "T1219.001", + "url": "https://attack.mitre.org/techniques/T1219/001" + }, + { + "name": "Right-to-Left Override", + "id": "T1036.002", + "url": "https://attack.mitre.org/techniques/T1036/002" + }, + { + "name": "Malware", + "id": "T1588.001", + "url": "https://attack.mitre.org/techniques/T1588/001" + }, + { + "name": "SVG Smuggling", + "id": "T1027.017", + "url": "https://attack.mitre.org/techniques/T1027/017" + }, + { + "name": "Component Firmware", + "id": "T1542.002", + "url": "https://attack.mitre.org/techniques/T1542/002" + }, + { + "name": "Indicator Removal", + "id": "T1070", + "url": "https://attack.mitre.org/techniques/T1070" + }, + { + "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", + "id": "T1048.001", + "url": "https://attack.mitre.org/techniques/T1048/001" + }, + { + "name": "Office Template Macros", + "id": "T1137.001", + "url": "https://attack.mitre.org/techniques/T1137/001" + }, + { + "name": "Virtual Private Server", + "id": "T1583.003", + "url": "https://attack.mitre.org/techniques/T1583/003" + }, + { + "name": "Confluence", + "id": "T1213.001", + "url": "https://attack.mitre.org/techniques/T1213/001" + }, + { + "name": "Pass the Ticket", + "id": "T1550.003", + "url": "https://attack.mitre.org/techniques/T1550/003" + }, + { + "name": "Container Administration Command", + "id": "T1609", + "url": "https://attack.mitre.org/techniques/T1609" + }, + { + "name": "File and Directory Discovery", + "id": "T1083", + 
"url": "https://attack.mitre.org/techniques/T1083" + }, + { + "name": "Dynamic Resolution", + "id": "T1568", + "url": "https://attack.mitre.org/techniques/T1568" + }, + { + "name": "Masquerade Task or Service", + "id": "T1036.004", + "url": "https://attack.mitre.org/techniques/T1036/004" + }, + { + "name": "Asynchronous Procedure Call", + "id": "T1055.004", + "url": "https://attack.mitre.org/techniques/T1055/004" + }, + { + "name": "Traffic Duplication", + "id": "T1020.001", + "url": "https://attack.mitre.org/techniques/T1020/001" + }, + { + "name": "Application Shimming", + "id": "T1138", + "url": "https://attack.mitre.org/techniques/T1138" + }, + { + "name": "Plist File Modification", + "id": "T1647", + "url": "https://attack.mitre.org/techniques/T1647" + }, + { + "name": "JamPlus", + "id": "T1127.003", + "url": "https://attack.mitre.org/techniques/T1127/003" + }, + { + "name": "AppCert DLLs", + "id": "T1546.009", + "url": "https://attack.mitre.org/techniques/T1546/009" + }, + { + "name": "CMSTP", + "id": "T1191", + "url": "https://attack.mitre.org/techniques/T1191" + }, + { + "name": "Multi-hop Proxy", + "id": "T1188", + "url": "https://attack.mitre.org/techniques/T1188" + }, + { + "name": "Email Forwarding Rule", + "id": "T1114.003", + "url": "https://attack.mitre.org/techniques/T1114/003" + }, + { + "name": "Data Staged", + "id": "T1074", + "url": "https://attack.mitre.org/techniques/T1074" + }, + { + "name": "Steal or Forge Authentication Certificates", + "id": "T1649", + "url": "https://attack.mitre.org/techniques/T1649" + }, + { + "name": "Device Registration", + "id": "T1098.005", + "url": "https://attack.mitre.org/techniques/T1098/005" + }, + { + "name": "System Network Connections Discovery", + "id": "T1049", + "url": "https://attack.mitre.org/techniques/T1049" + }, + { + "name": "Compromise Infrastructure", + "id": "T1584", + "url": "https://attack.mitre.org/techniques/T1584" + }, + { + "name": "Mark-of-the-Web Bypass", + "id": "T1553.005", + "url": 
"https://attack.mitre.org/techniques/T1553/005" + }, + { + "name": "Disable Crypto Hardware", + "id": "T1600.002", + "url": "https://attack.mitre.org/techniques/T1600/002" + }, + { + "name": "Pre-OS Boot", + "id": "T1542", + "url": "https://attack.mitre.org/techniques/T1542" + }, + { + "name": "Scripting", + "id": "T1064", + "url": "https://attack.mitre.org/techniques/T1064" + }, + { + "name": "Build Image on Host", + "id": "T1612", + "url": "https://attack.mitre.org/techniques/T1612" + }, + { + "name": "Shared Webroot", + "id": "T1051", + "url": "https://attack.mitre.org/techniques/T1051" + }, + { + "name": "Portable Executable Injection", + "id": "T1055.002", + "url": "https://attack.mitre.org/techniques/T1055/002" + }, + { + "name": "Verclsid", + "id": "T1218.012", + "url": "https://attack.mitre.org/techniques/T1218/012" + }, + { + "name": "Compromise Accounts", + "id": "T1586", + "url": "https://attack.mitre.org/techniques/T1586" + }, + { + "name": "Launchctl", + "id": "T1569.001", + "url": "https://attack.mitre.org/techniques/T1569/001" + }, + { + "name": "Botnet", + "id": "T1584.005", + "url": "https://attack.mitre.org/techniques/T1584/005" + }, + { + "name": "Network Device CLI", + "id": "T1059.008", + "url": "https://attack.mitre.org/techniques/T1059/008" + }, + { + "name": "Shell History", + "id": "T1552.003", + "url": "https://attack.mitre.org/techniques/T1552/003" + }, + { + "name": "Downgrade Attack", + "id": "T1562.010", + "url": "https://attack.mitre.org/techniques/T1562/010" + }, + { + "name": "XPC Services", + "id": "T1559.003", + "url": "https://attack.mitre.org/techniques/T1559/003" + }, + { + "name": "Virtualization/Sandbox Evasion", + "id": "T1497", + "url": "https://attack.mitre.org/techniques/T1497" + }, + { + "name": "Web Service", + "id": "T1102", + "url": "https://attack.mitre.org/techniques/T1102" + }, + { + "name": "Credentials In Files", + "id": "T1552.001", + "url": "https://attack.mitre.org/techniques/T1552/001" + }, + { + "name": "DNS 
Calculation", + "id": "T1568.003", + "url": "https://attack.mitre.org/techniques/T1568/003" + }, + { + "name": "Mshta", + "id": "T1218.005", + "url": "https://attack.mitre.org/techniques/T1218/005" + }, + { + "name": "Login Items", + "id": "T1547.015", + "url": "https://attack.mitre.org/techniques/T1547/015" + }, + { + "name": "Stage Capabilities", + "id": "T1608", + "url": "https://attack.mitre.org/techniques/T1608" + }, + { + "name": "Link Target", + "id": "T1608.005", + "url": "https://attack.mitre.org/techniques/T1608/005" + }, + { + "name": "Multi-Stage Channels", + "id": "T1104", + "url": "https://attack.mitre.org/techniques/T1104" + }, + { + "name": "Financial Theft", + "id": "T1657", + "url": "https://attack.mitre.org/techniques/T1657" + }, + { + "name": "Execution Guardrails", + "id": "T1480", + "url": "https://attack.mitre.org/techniques/T1480" + }, + { + "name": "Cloud Storage Object Discovery", + "id": "T1619", + "url": "https://attack.mitre.org/techniques/T1619" + }, + { + "name": "Web Cookies", + "id": "T1606.001", + "url": "https://attack.mitre.org/techniques/T1606/001" + }, + { + "name": "Log Enumeration", + "id": "T1654", + "url": "https://attack.mitre.org/techniques/T1654" + }, + { + "name": "Token Impersonation/Theft", + "id": "T1134.001", + "url": "https://attack.mitre.org/techniques/T1134/001" + }, + { + "name": "Exfiltration to Code Repository", + "id": "T1567.001", + "url": "https://attack.mitre.org/techniques/T1567/001" + }, + { + "name": "Cloud Services", + "id": "T1021.007", + "url": "https://attack.mitre.org/techniques/T1021/007" + }, + { + "name": "Port Knocking", + "id": "T1205.001", + "url": "https://attack.mitre.org/techniques/T1205/001" + }, + { + "name": "LNK Icon Smuggling", + "id": "T1027.012", + "url": "https://attack.mitre.org/techniques/T1027/012" + }, + { + "name": "Web Services", + "id": "T1583.006", + "url": "https://attack.mitre.org/techniques/T1583/006" + }, + { + "name": "Steal Application Access Token", + "id": "T1528", 
+ "url": "https://attack.mitre.org/techniques/T1528" + }, + { + "name": "Spearphishing Attachment", + "id": "T1598.002", + "url": "https://attack.mitre.org/techniques/T1598/002" + }, + { + "name": "Additional Cloud Credentials", + "id": "T1098.001", + "url": "https://attack.mitre.org/techniques/T1098/001" + }, + { + "name": "User Execution", + "id": "T1204", + "url": "https://attack.mitre.org/techniques/T1204" + }, + { + "name": "Internal Defacement", + "id": "T1491.001", + "url": "https://attack.mitre.org/techniques/T1491/001" + }, + { + "name": "Hidden Users", + "id": "T1564.002", + "url": "https://attack.mitre.org/techniques/T1564/002" + }, + { + "name": "Make and Impersonate Token", + "id": "T1134.003", + "url": "https://attack.mitre.org/techniques/T1134/003" + }, + { + "name": "Group Policy Preferences", + "id": "T1552.006", + "url": "https://attack.mitre.org/techniques/T1552/006" + }, + { + "name": "Control Panel Items", + "id": "T1196", + "url": "https://attack.mitre.org/techniques/T1196" + }, + { + "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", + "id": "T1048.002", + "url": "https://attack.mitre.org/techniques/T1048/002" + }, + { + "name": "Cloud Account", + "id": "T1087.004", + "url": "https://attack.mitre.org/techniques/T1087/004" + }, + { + "name": "Process Discovery", + "id": "T1057", + "url": "https://attack.mitre.org/techniques/T1057" + }, + { + "name": "Impair Command History Logging", + "id": "T1562.003", + "url": "https://attack.mitre.org/techniques/T1562/003" + }, + { + "name": "Launchd", + "id": "T1053.004", + "url": "https://attack.mitre.org/techniques/T1053/004" + }, + { + "name": "Network Provider DLL", + "id": "T1556.008", + "url": "https://attack.mitre.org/techniques/T1556/008" + }, + { + "name": "Windows Management Instrumentation Event Subscription", + "id": "T1546.003", + "url": "https://attack.mitre.org/techniques/T1546/003" + }, + { + "name": "CDNs", + "id": "T1596.004", + "url": 
"https://attack.mitre.org/techniques/T1596/004" + }, + { + "name": "User Activity Based Checks", + "id": "T1497.002", + "url": "https://attack.mitre.org/techniques/T1497/002" + }, + { + "name": "Input Prompt", + "id": "T1141", + "url": "https://attack.mitre.org/techniques/T1141" + }, + { + "name": "Cloud Service Hijacking", + "id": "T1496.004", + "url": "https://attack.mitre.org/techniques/T1496/004" + }, + { + "name": "Cloud Accounts", + "id": "T1585.003", + "url": "https://attack.mitre.org/techniques/T1585/003" + }, + { + "name": "Software Deployment Tools", + "id": "T1072", + "url": "https://attack.mitre.org/techniques/T1072" + }, + { + "name": "Exfiltration Over C2 Channel", + "id": "T1041", + "url": "https://attack.mitre.org/techniques/T1041" + }, + { + "name": "Parent PID Spoofing", + "id": "T1134.004", + "url": "https://attack.mitre.org/techniques/T1134/004" + }, + { + "name": "Gather Victim Org Information", + "id": "T1591", + "url": "https://attack.mitre.org/techniques/T1591" + }, + { + "name": "Registry Run Keys / Startup Folder", + "id": "T1060", + "url": "https://attack.mitre.org/techniques/T1060" + }, + { + "name": "Forge Web Credentials", + "id": "T1606", + "url": "https://attack.mitre.org/techniques/T1606" + }, + { + "name": "Multi-Factor Authentication Request Generation", + "id": "T1621", + "url": "https://attack.mitre.org/techniques/T1621" + }, + { + "name": "Compromise Host Software Binary", + "id": "T1554", + "url": "https://attack.mitre.org/techniques/T1554" + }, + { + "name": "Chat Messages", + "id": "T1552.008", + "url": "https://attack.mitre.org/techniques/T1552/008" + }, + { + "name": "PowerShell", + "id": "T1059.001", + "url": "https://attack.mitre.org/techniques/T1059/001" + }, + { + "name": "Shortcut Modification", + "id": "T1023", + "url": "https://attack.mitre.org/techniques/T1023" + }, + { + "name": "Change Default File Association", + "id": "T1546.001", + "url": "https://attack.mitre.org/techniques/T1546/001" + }, + { + "name": "VDSO 
Hijacking", + "id": "T1055.014", + "url": "https://attack.mitre.org/techniques/T1055/014" + }, + { + "name": "Multiband Communication", + "id": "T1026", + "url": "https://attack.mitre.org/techniques/T1026" + }, + { + "name": "File Transfer Protocols", + "id": "T1071.002", + "url": "https://attack.mitre.org/techniques/T1071/002" + }, + { + "name": "Selective Exclusion", + "id": "T1679", + "url": "https://attack.mitre.org/techniques/T1679" + }, + { + "name": "Component Object Model Hijacking", + "id": "T1122", + "url": "https://attack.mitre.org/techniques/T1122" + }, + { + "name": "Accessibility Features", + "id": "T1015", + "url": "https://attack.mitre.org/techniques/T1015" + }, + { + "name": "Exploitation for Credential Access", + "id": "T1212", + "url": "https://attack.mitre.org/techniques/T1212" + }, + { + "name": "Emond", + "id": "T1546.014", + "url": "https://attack.mitre.org/techniques/T1546/014" + }, + { + "name": "One-Way Communication", + "id": "T1102.003", + "url": "https://attack.mitre.org/techniques/T1102/003" + }, + { + "name": "Gather Victim Network Information", + "id": "T1590", + "url": "https://attack.mitre.org/techniques/T1590" + }, + { + "name": "Exploitation of Remote Services", + "id": "T1210", + "url": "https://attack.mitre.org/techniques/T1210" + }, + { + "name": "Parent PID Spoofing", + "id": "T1502", + "url": "https://attack.mitre.org/techniques/T1502" + }, + { + "name": "Keychain", + "id": "T1142", + "url": "https://attack.mitre.org/techniques/T1142" + }, + { + "name": "Internal Spearphishing", + "id": "T1534", + "url": "https://attack.mitre.org/techniques/T1534" + }, + { + "name": "Sudo", + "id": "T1169", + "url": "https://attack.mitre.org/techniques/T1169" + }, + { + "name": "Services File Permissions Weakness", + "id": "T1574.010", + "url": "https://attack.mitre.org/techniques/T1574/010" + }, + { + "name": "Registry Run Keys / Startup Folder", + "id": "T1547.001", + "url": "https://attack.mitre.org/techniques/T1547/001" + }, + { + 
"name": "Trusted Relationship", + "id": "T1199", + "url": "https://attack.mitre.org/techniques/T1199" + }, + { + "name": "Cloud Account", + "id": "T1136.003", + "url": "https://attack.mitre.org/techniques/T1136/003" + }, + { + "name": "Local Groups", + "id": "T1069.001", + "url": "https://attack.mitre.org/techniques/T1069/001" + }, + { + "name": "LC_MAIN Hijacking", + "id": "T1149", + "url": "https://attack.mitre.org/techniques/T1149" + }, + { + "name": "Search Open Websites/Domains", + "id": "T1593", + "url": "https://attack.mitre.org/techniques/T1593" + }, + { + "name": "Disable or Modify Network Device Firewall", + "id": "T1562.013", + "url": "https://attack.mitre.org/techniques/T1562/013" + }, + { + "name": "Account Manipulation", + "id": "T1098", + "url": "https://attack.mitre.org/techniques/T1098" + }, + { + "name": "Mshta", + "id": "T1170", + "url": "https://attack.mitre.org/techniques/T1170" + }, + { + "name": "Exfiltration Over Alternative Protocol", + "id": "T1048", + "url": "https://attack.mitre.org/techniques/T1048" + }, + { + "name": "Kernel Modules and Extensions", + "id": "T1547.006", + "url": "https://attack.mitre.org/techniques/T1547/006" + }, + { + "name": "Delay Execution", + "id": "T1678", + "url": "https://attack.mitre.org/techniques/T1678" + }, + { + "name": "GUI Input Capture", + "id": "T1056.002", + "url": "https://attack.mitre.org/techniques/T1056/002" + }, + { + "name": "Pass the Ticket", + "id": "T1097", + "url": "https://attack.mitre.org/techniques/T1097" + }, + { + "name": "Tool", + "id": "T1588.002", + "url": "https://attack.mitre.org/techniques/T1588/002" + }, + { + "name": "Exfiltration over USB", + "id": "T1052.001", + "url": "https://attack.mitre.org/techniques/T1052/001" + }, + { + "name": "KernelCallbackTable", + "id": "T1574.013", + "url": "https://attack.mitre.org/techniques/T1574/013" + }, + { + "name": "Search Closed Sources", + "id": "T1597", + "url": "https://attack.mitre.org/techniques/T1597" + }, + { + "name": "Systemd 
Timers", + "id": "T1053.006", + "url": "https://attack.mitre.org/techniques/T1053/006" + }, + { + "name": "Phishing", + "id": "T1566", + "url": "https://attack.mitre.org/techniques/T1566" + }, + { + "name": "Graphical User Interface", + "id": "T1061", + "url": "https://attack.mitre.org/techniques/T1061" + }, + { + "name": "ROMMONkit", + "id": "T1542.004", + "url": "https://attack.mitre.org/techniques/T1542/004" + }, + { + "name": "Compiled HTML File", + "id": "T1218.001", + "url": "https://attack.mitre.org/techniques/T1218/001" + }, + { + "name": "Compute Hijacking", + "id": "T1496.001", + "url": "https://attack.mitre.org/techniques/T1496/001" + }, + { + "name": "Network Share Connection Removal", + "id": "T1070.005", + "url": "https://attack.mitre.org/techniques/T1070/005" + }, + { + "name": "Multi-hop Proxy", + "id": "T1090.003", + "url": "https://attack.mitre.org/techniques/T1090/003" + }, + { + "name": "Brute Force", + "id": "T1110", + "url": "https://attack.mitre.org/techniques/T1110" + }, + { + "name": "Unix Shell", + "id": "T1059.004", + "url": "https://attack.mitre.org/techniques/T1059/004" + }, + { + "name": "Outlook Forms", + "id": "T1137.003", + "url": "https://attack.mitre.org/techniques/T1137/003" + }, + { + "name": "Remote Access Hardware", + "id": "T1219.003", + "url": "https://attack.mitre.org/techniques/T1219/003" + }, + { + "name": "Dylib Hijacking", + "id": "T1157", + "url": "https://attack.mitre.org/techniques/T1157" + }, + { + "name": "Disable or Modify Tools", + "id": "T1562.001", + "url": "https://attack.mitre.org/techniques/T1562/001" + }, + { + "name": "Data Manipulation", + "id": "T1565", + "url": "https://attack.mitre.org/techniques/T1565" + }, + { + "name": "Inter-Process Communication", + "id": "T1559", + "url": "https://attack.mitre.org/techniques/T1559" + }, + { + "name": "Data Obfuscation", + "id": "T1001", + "url": "https://attack.mitre.org/techniques/T1001" + }, + { + "name": "Data from Network Shared Drive", + "id": "T1039", + 
"url": "https://attack.mitre.org/techniques/T1039" + }, + { + "name": "Web Services", + "id": "T1584.006", + "url": "https://attack.mitre.org/techniques/T1584/006" + }, + { + "name": "Modify System Image", + "id": "T1601", + "url": "https://attack.mitre.org/techniques/T1601" + }, + { + "name": "Hijack Execution Flow", + "id": "T1574", + "url": "https://attack.mitre.org/techniques/T1574" + }, + { + "name": "Browser Fingerprint", + "id": "T1036.012", + "url": "https://attack.mitre.org/techniques/T1036/012" + }, + { + "name": "Lua", + "id": "T1059.011", + "url": "https://attack.mitre.org/techniques/T1059/011" + }, + { + "name": "Indicator Removal from Tools", + "id": "T1027.005", + "url": "https://attack.mitre.org/techniques/T1027/005" + }, + { + "name": "Malicious Image", + "id": "T1204.003", + "url": "https://attack.mitre.org/techniques/T1204/003" + }, + { + "name": "Container Service", + "id": "T1543.005", + "url": "https://attack.mitre.org/techniques/T1543/005" + }, + { + "name": "Valid Accounts", + "id": "T1078", + "url": "https://attack.mitre.org/techniques/T1078" + }, + { + "name": "Non-Standard Port", + "id": "T1571", + "url": "https://attack.mitre.org/techniques/T1571" + }, + { + "name": "Social Media Accounts", + "id": "T1585.001", + "url": "https://attack.mitre.org/techniques/T1585/001" + }, + { + "name": "DLL Side-Loading", + "id": "T1073", + "url": "https://attack.mitre.org/techniques/T1073" + }, + { + "name": "Process Hollowing", + "id": "T1055.012", + "url": "https://attack.mitre.org/techniques/T1055/012" + }, + { + "name": "Exploitation for Privilege Escalation", + "id": "T1068", + "url": "https://attack.mitre.org/techniques/T1068" + }, + { + "name": "Resource Forking", + "id": "T1564.009", + "url": "https://attack.mitre.org/techniques/T1564/009" + }, + { + "name": "Account Access Removal", + "id": "T1531", + "url": "https://attack.mitre.org/techniques/T1531" + }, + { + "name": "Credential Stuffing", + "id": "T1110.004", + "url": 
"https://attack.mitre.org/techniques/T1110/004" + }, + { + "name": "Kerberoasting", + "id": "T1208", + "url": "https://attack.mitre.org/techniques/T1208" + }, + { + "name": "Obfuscated Files or Information", + "id": "T1027", + "url": "https://attack.mitre.org/techniques/T1027" + }, + { + "name": "Multi-Factor Authentication", + "id": "T1556.006", + "url": "https://attack.mitre.org/techniques/T1556/006" + }, + { + "name": "Remote Email Collection", + "id": "T1114.002", + "url": "https://attack.mitre.org/techniques/T1114/002" + }, + { + "name": "IIS Components", + "id": "T1505.004", + "url": "https://attack.mitre.org/techniques/T1505/004" + }, + { + "name": "Invalid Code Signature", + "id": "T1036.001", + "url": "https://attack.mitre.org/techniques/T1036/001" + }, + { + "name": "Run Virtual Instance", + "id": "T1564.006", + "url": "https://attack.mitre.org/techniques/T1564/006" + }, + { + "name": "Trap", + "id": "T1154", + "url": "https://attack.mitre.org/techniques/T1154" + }, + { + "name": "Polymorphic Code", + "id": "T1027.014", + "url": "https://attack.mitre.org/techniques/T1027/014" + }, + { + "name": "Password Policy Discovery", + "id": "T1201", + "url": "https://attack.mitre.org/techniques/T1201" + }, + { + "name": "Event Triggered Execution", + "id": "T1546", + "url": "https://attack.mitre.org/techniques/T1546" + }, + { + "name": "Unix Shell Configuration Modification", + "id": "T1546.004", + "url": "https://attack.mitre.org/techniques/T1546/004" + }, + { + "name": "Forced Authentication", + "id": "T1187", + "url": "https://attack.mitre.org/techniques/T1187" + }, + { + "name": "SID-History Injection", + "id": "T1134.005", + "url": "https://attack.mitre.org/techniques/T1134/005" + }, + { + "name": "Network Boundary Bridging", + "id": "T1599", + "url": "https://attack.mitre.org/techniques/T1599" + }, + { + "name": "Data Encrypted for Impact", + "id": "T1486", + "url": "https://attack.mitre.org/techniques/T1486" + }, + { + "name": "Disk Content Wipe", + "id": 
"T1488", + "url": "https://attack.mitre.org/techniques/T1488" + }, + { + "name": "Subvert Trust Controls", + "id": "T1553", + "url": "https://attack.mitre.org/techniques/T1553" + }, + { + "name": "Elevated Execution with Prompt", + "id": "T1548.004", + "url": "https://attack.mitre.org/techniques/T1548/004" + }, + { + "name": "Firmware", + "id": "T1592.003", + "url": "https://attack.mitre.org/techniques/T1592/003" + }, + { + "name": "Encrypted Channel", + "id": "T1573", + "url": "https://attack.mitre.org/techniques/T1573" + }, + { + "name": "Password Filter DLL", + "id": "T1174", + "url": "https://attack.mitre.org/techniques/T1174" + }, + { + "name": "Authentication Package", + "id": "T1547.002", + "url": "https://attack.mitre.org/techniques/T1547/002" + }, + { + "name": "Regsvr32", + "id": "T1218.010", + "url": "https://attack.mitre.org/techniques/T1218/010" + }, + { + "name": "Data Compressed", + "id": "T1002", + "url": "https://attack.mitre.org/techniques/T1002" + }, + { + "name": "Exfiltration to Text Storage Sites", + "id": "T1567.003", + "url": "https://attack.mitre.org/techniques/T1567/003" + }, + { + "name": "Credentials in Files", + "id": "T1081", + "url": "https://attack.mitre.org/techniques/T1081" + }, + { + "name": "Software", + "id": "T1592.002", + "url": "https://attack.mitre.org/techniques/T1592/002" + }, + { + "name": "Netsh Helper DLL", + "id": "T1128", + "url": "https://attack.mitre.org/techniques/T1128" + }, + { + "name": "Input Capture", + "id": "T1056", + "url": "https://attack.mitre.org/techniques/T1056" + }, + { + "name": "Spearphishing Voice", + "id": "T1566.004", + "url": "https://attack.mitre.org/techniques/T1566/004" + }, + { + "name": "Exploits", + "id": "T1587.004", + "url": "https://attack.mitre.org/techniques/T1587/004" + }, + { + "name": "Social Media", + "id": "T1593.001", + "url": "https://attack.mitre.org/techniques/T1593/001" + }, + { + "name": "Customer Relationship Management Software", + "id": "T1213.004", + "url": 
"https://attack.mitre.org/techniques/T1213/004" + }, + { + "name": "Component Object Model Hijacking", + "id": "T1546.015", + "url": "https://attack.mitre.org/techniques/T1546/015" + }, + { + "name": "Credentials", + "id": "T1589.001", + "url": "https://attack.mitre.org/techniques/T1589/001" + }, + { + "name": "Compromise Software Supply Chain", + "id": "T1195.002", + "url": "https://attack.mitre.org/techniques/T1195/002" + }, + { + "name": "Rename Legitimate Utilities", + "id": "T1036.003", + "url": "https://attack.mitre.org/techniques/T1036/003" + }, + { + "name": "Bidirectional Communication", + "id": "T1102.002", + "url": "https://attack.mitre.org/techniques/T1102/002" + }, + { + "name": "Exploitation for Client Execution", + "id": "T1203", + "url": "https://attack.mitre.org/techniques/T1203" + }, + { + "name": "Wordlist Scanning", + "id": "T1595.003", + "url": "https://attack.mitre.org/techniques/T1595/003" + }, + { + "name": "Email Bombing", + "id": "T1667", + "url": "https://attack.mitre.org/techniques/T1667" + }, + { + "name": "Spoof Security Alerting", + "id": "T1562.011", + "url": "https://attack.mitre.org/techniques/T1562/011" + }, + { + "name": "Outlook Home Page", + "id": "T1137.004", + "url": "https://attack.mitre.org/techniques/T1137/004" + }, + { + "name": "Asymmetric Cryptography", + "id": "T1573.002", + "url": "https://attack.mitre.org/techniques/T1573/002" + }, + { + "name": "Exfiltration to Cloud Storage", + "id": "T1567.002", + "url": "https://attack.mitre.org/techniques/T1567/002" + }, + { + "name": "Lateral Tool Transfer", + "id": "T1570", + "url": "https://attack.mitre.org/techniques/T1570" + }, + { + "name": "Path Interception by Unquoted Path", + "id": "T1574.009", + "url": "https://attack.mitre.org/techniques/T1574/009" + }, + { + "name": "Install Digital Certificate", + "id": "T1608.003", + "url": "https://attack.mitre.org/techniques/T1608/003" + }, + { + "name": "Local Job Scheduling", + "id": "T1168", + "url": 
"https://attack.mitre.org/techniques/T1168" + }, + { + "name": "Setuid and Setgid", + "id": "T1166", + "url": "https://attack.mitre.org/techniques/T1166" + }, + { + "name": "Startup Items", + "id": "T1037.005", + "url": "https://attack.mitre.org/techniques/T1037/005" + }, + { + "name": "Web Shell", + "id": "T1100", + "url": "https://attack.mitre.org/techniques/T1100" + }, + { + "name": "Process Doppelgänging", + "id": "T1186", + "url": "https://attack.mitre.org/techniques/T1186" + }, + { + "name": "SSH Hijacking", + "id": "T1184", + "url": "https://attack.mitre.org/techniques/T1184" + }, + { + "name": "System Language Discovery", + "id": "T1614.001", + "url": "https://attack.mitre.org/techniques/T1614/001" + }, + { + "name": "Non-Application Layer Protocol", + "id": "T1095", + "url": "https://attack.mitre.org/techniques/T1095" + }, + { + "name": "Pass the Hash", + "id": "T1075", + "url": "https://attack.mitre.org/techniques/T1075" + }, + { + "name": "Container CLI/API", + "id": "T1059.013", + "url": "https://attack.mitre.org/techniques/T1059/013" + }, + { + "name": "Steganography", + "id": "T1027.003", + "url": "https://attack.mitre.org/techniques/T1027/003" + }, + { + "name": "DNS Server", + "id": "T1584.002", + "url": "https://attack.mitre.org/techniques/T1584/002" + }, + { + "name": "Cloud Application Integration", + "id": "T1671", + "url": "https://attack.mitre.org/techniques/T1671" + }, + { + "name": "Protocol or Service Impersonation", + "id": "T1001.003", + "url": "https://attack.mitre.org/techniques/T1001/003" + }, + { + "name": "Query Registry", + "id": "T1012", + "url": "https://attack.mitre.org/techniques/T1012" + }, + { + "name": "Data Transfer Size Limits", + "id": "T1030", + "url": "https://attack.mitre.org/techniques/T1030" + }, + { + "name": "Windows Remote Management", + "id": "T1028", + "url": "https://attack.mitre.org/techniques/T1028" + }, + { + "name": "Web Session Cookie", + "id": "T1550.004", + "url": 
"https://attack.mitre.org/techniques/T1550/004" + }, + { + "name": "Domain Accounts", + "id": "T1078.002", + "url": "https://attack.mitre.org/techniques/T1078/002" + }, + { + "name": "Regsvcs/Regasm", + "id": "T1218.009", + "url": "https://attack.mitre.org/techniques/T1218/009" + }, + { + "name": "Path Interception", + "id": "T1034", + "url": "https://attack.mitre.org/techniques/T1034" + }, + { + "name": "Python Startup Hooks", + "id": "T1546.018", + "url": "https://attack.mitre.org/techniques/T1546/018" + }, + { + "name": "Web Session Cookie", + "id": "T1506", + "url": "https://attack.mitre.org/techniques/T1506" + }, + { + "name": "Install Root Certificate", + "id": "T1553.004", + "url": "https://attack.mitre.org/techniques/T1553/004" + }, + { + "name": "Network Logon Script", + "id": "T1037.003", + "url": "https://attack.mitre.org/techniques/T1037/003" + }, + { + "name": "Endpoint Denial of Service", + "id": "T1499", + "url": "https://attack.mitre.org/techniques/T1499" + }, + { + "name": "Compile After Delivery", + "id": "T1027.004", + "url": "https://attack.mitre.org/techniques/T1027/004" + }, + { + "name": "Uncommonly Used Port", + "id": "T1065", + "url": "https://attack.mitre.org/techniques/T1065" + }, + { + "name": "System Location Discovery", + "id": "T1614", + "url": "https://attack.mitre.org/techniques/T1614" + }, + { + "name": "VBA Stomping", + "id": "T1564.007", + "url": "https://attack.mitre.org/techniques/T1564/007" + }, + { + "name": "BITS Jobs", + "id": "T1197", + "url": "https://attack.mitre.org/techniques/T1197" + }, + { + "name": "MSBuild", + "id": "T1127.001", + "url": "https://attack.mitre.org/techniques/T1127/001" + }, + { + "name": "Impersonation", + "id": "T1656", + "url": "https://attack.mitre.org/techniques/T1656" + }, + { + "name": "Modify Cloud Compute Configurations", + "id": "T1578.005", + "url": "https://attack.mitre.org/techniques/T1578/005" + }, + { + "name": "Bypass User Account Control", + "id": "T1088", + "url": 
"https://attack.mitre.org/techniques/T1088" + }, + { + "name": "Runtime Data Manipulation", + "id": "T1494", + "url": "https://attack.mitre.org/techniques/T1494" + }, + { + "name": "Domain Fronting", + "id": "T1090.004", + "url": "https://attack.mitre.org/techniques/T1090/004" + }, + { + "name": "ARP Cache Poisoning", + "id": "T1557.002", + "url": "https://attack.mitre.org/techniques/T1557/002" + }, + { + "name": "Disable or Modify Cloud Logs", + "id": "T1562.008", + "url": "https://attack.mitre.org/techniques/T1562/008" + }, + { + "name": "Security Software Discovery", + "id": "T1518.001", + "url": "https://attack.mitre.org/techniques/T1518/001" + }, + { + "name": "Hidden Window", + "id": "T1564.003", + "url": "https://attack.mitre.org/techniques/T1564/003" + }, + { + "name": "Transmitted Data Manipulation", + "id": "T1493", + "url": "https://attack.mitre.org/techniques/T1493" + }, + { + "name": "ClickOnce", + "id": "T1127.002", + "url": "https://attack.mitre.org/techniques/T1127/002" + }, + { + "name": "Python", + "id": "T1059.006", + "url": "https://attack.mitre.org/techniques/T1059/006" + }, + { + "name": "Relocate Malware", + "id": "T1070.010", + "url": "https://attack.mitre.org/techniques/T1070/010" + }, + { + "name": "Identify Roles", + "id": "T1591.004", + "url": "https://attack.mitre.org/techniques/T1591/004" + }, + { + "name": "Data Encoding", + "id": "T1132", + "url": "https://attack.mitre.org/techniques/T1132" + }, + { + "name": "AppInit DLLs", + "id": "T1546.010", + "url": "https://attack.mitre.org/techniques/T1546/010" + }, + { + "name": "Phishing for Information", + "id": "T1598", + "url": "https://attack.mitre.org/techniques/T1598" + }, + { + "name": "Resource Hijacking", + "id": "T1496", + "url": "https://attack.mitre.org/techniques/T1496" + }, + { + "name": "Establish Accounts", + "id": "T1585", + "url": "https://attack.mitre.org/techniques/T1585" + }, + { + "name": "Obtain Capabilities", + "id": "T1588", + "url": 
"https://attack.mitre.org/techniques/T1588" + }, + { + "name": "Screensaver", + "id": "T1546.002", + "url": "https://attack.mitre.org/techniques/T1546/002" + }, + { + "name": "Hidden Users", + "id": "T1147", + "url": "https://attack.mitre.org/techniques/T1147" + }, + { + "name": "Conditional Access Policies", + "id": "T1556.009", + "url": "https://attack.mitre.org/techniques/T1556/009" + }, + { + "name": "Create Cloud Instance", + "id": "T1578.002", + "url": "https://attack.mitre.org/techniques/T1578/002" + }, + { + "name": "Compile After Delivery", + "id": "T1500", + "url": "https://attack.mitre.org/techniques/T1500" + }, + { + "name": "Cloud Secrets Management Stores", + "id": "T1555.006", + "url": "https://attack.mitre.org/techniques/T1555/006" + }, + { + "name": "Code Repositories", + "id": "T1213.003", + "url": "https://attack.mitre.org/techniques/T1213/003" + }, + { + "name": "Transmitted Data Manipulation", + "id": "T1565.002", + "url": "https://attack.mitre.org/techniques/T1565/002" + }, + { + "name": "/etc/passwd and /etc/shadow", + "id": "T1003.008", + "url": "https://attack.mitre.org/techniques/T1003/008" + }, + { + "name": "Launch Agent", + "id": "T1543.001", + "url": "https://attack.mitre.org/techniques/T1543/001" + }, + { + "name": "System Services", + "id": "T1569", + "url": "https://attack.mitre.org/techniques/T1569" + }, + { + "name": "Windows Command Shell", + "id": "T1059.003", + "url": "https://attack.mitre.org/techniques/T1059/003" + }, + { + "name": "Proc Memory", + "id": "T1055.009", + "url": "https://attack.mitre.org/techniques/T1055/009" + }, + { + "name": "Compiled HTML File", + "id": "T1223", + "url": "https://attack.mitre.org/techniques/T1223" + }, + { + "name": "Acquire Access", + "id": "T1650", + "url": "https://attack.mitre.org/techniques/T1650" + }, + { + "name": "Patch System Image", + "id": "T1601.001", + "url": "https://attack.mitre.org/techniques/T1601/001" + }, + { + "name": "Silver Ticket", + "id": "T1558.002", + "url": 
"https://attack.mitre.org/techniques/T1558/002" + }, + { + "name": "Data from Information Repositories", + "id": "T1213", + "url": "https://attack.mitre.org/techniques/T1213" + }, + { + "name": "Clear Persistence", + "id": "T1070.009", + "url": "https://attack.mitre.org/techniques/T1070/009" + }, + { + "name": "Hypervisor CLI", + "id": "T1059.012", + "url": "https://attack.mitre.org/techniques/T1059/012" + }, + { + "name": "Clear Command History", + "id": "T1146", + "url": "https://attack.mitre.org/techniques/T1146" + }, + { + "name": "Windows Credential Manager", + "id": "T1555.004", + "url": "https://attack.mitre.org/techniques/T1555/004" + }, + { + "name": "Masquerade Account Name", + "id": "T1036.010", + "url": "https://attack.mitre.org/techniques/T1036/010" + }, + { + "name": "Emond", + "id": "T1519", + "url": "https://attack.mitre.org/techniques/T1519" + }, + { + "name": "Spearphishing via Service", + "id": "T1194", + "url": "https://attack.mitre.org/techniques/T1194" + }, + { + "name": "Hardware Additions", + "id": "T1200", + "url": "https://attack.mitre.org/techniques/T1200" + }, + { + "name": "Remote Desktop Software", + "id": "T1219.002", + "url": "https://attack.mitre.org/techniques/T1219/002" + }, + { + "name": "Server Software Component", + "id": "T1505", + "url": "https://attack.mitre.org/techniques/T1505" + }, + { + "name": "Data Destruction", + "id": "T1485", + "url": "https://attack.mitre.org/techniques/T1485" + }, + { + "name": "Non-Standard Encoding", + "id": "T1132.002", + "url": "https://attack.mitre.org/techniques/T1132/002" + }, + { + "name": "Domain Controller Authentication", + "id": "T1556.001", + "url": "https://attack.mitre.org/techniques/T1556/001" + }, + { + "name": "Transfer Data to Cloud Account", + "id": "T1537", + "url": "https://attack.mitre.org/techniques/T1537" + }, + { + "name": "HTML Smuggling", + "id": "T1027.006", + "url": "https://attack.mitre.org/techniques/T1027/006" + }, + { + "name": "Reversible Encryption", + "id": 
"T1556.005", + "url": "https://attack.mitre.org/techniques/T1556/005" + }, + { + "name": "Command Obfuscation", + "id": "T1027.010", + "url": "https://attack.mitre.org/techniques/T1027/010" + }, + { + "name": "Install Root Certificate", + "id": "T1130", + "url": "https://attack.mitre.org/techniques/T1130" + }, + { + "name": "Data Encrypted", + "id": "T1022", + "url": "https://attack.mitre.org/techniques/T1022" + }, + { + "name": "File Deletion", + "id": "T1070.004", + "url": "https://attack.mitre.org/techniques/T1070/004" + }, + { + "name": "Drive-by Compromise", + "id": "T1189", + "url": "https://attack.mitre.org/techniques/T1189" + }, + { + "name": "Network Denial of Service", + "id": "T1498", + "url": "https://attack.mitre.org/techniques/T1498" + }, + { + "name": "Cloud Administration Command", + "id": "T1651", + "url": "https://attack.mitre.org/techniques/T1651" + }, + { + "name": "Installer Packages", + "id": "T1546.016", + "url": "https://attack.mitre.org/techniques/T1546/016" + }, + { + "name": "Scanning IP Blocks", + "id": "T1595.001", + "url": "https://attack.mitre.org/techniques/T1595/001" + }, + { + "name": "Hidden Files and Directories", + "id": "T1158", + "url": "https://attack.mitre.org/techniques/T1158" + }, + { + "name": "Template Injection", + "id": "T1221", + "url": "https://attack.mitre.org/techniques/T1221" + }, + { + "name": "RC Scripts", + "id": "T1037.004", + "url": "https://attack.mitre.org/techniques/T1037/004" + }, + { + "name": "Access Token Manipulation", + "id": "T1134", + "url": "https://attack.mitre.org/techniques/T1134" + }, + { + "name": "Time Providers", + "id": "T1209", + "url": "https://attack.mitre.org/techniques/T1209" + }, + { + "name": "Multi-Factor Authentication Interception", + "id": "T1111", + "url": "https://attack.mitre.org/techniques/T1111" + }, + { + "name": "Launch Agent", + "id": "T1159", + "url": "https://attack.mitre.org/techniques/T1159" + }, + { + "name": "Software Packing", + "id": "T1027.002", + "url": 
"https://attack.mitre.org/techniques/T1027/002" + }, + { + "name": "Serverless", + "id": "T1584.007", + "url": "https://attack.mitre.org/techniques/T1584/007" + }, + { + "name": "Web Protocols", + "id": "T1071.001", + "url": "https://attack.mitre.org/techniques/T1071/001" + }, + { + "name": "Visual Basic", + "id": "T1059.005", + "url": "https://attack.mitre.org/techniques/T1059/005" + }, + { + "name": "Hidden File System", + "id": "T1564.005", + "url": "https://attack.mitre.org/techniques/T1564/005" + }, + { + "name": "Systemd Service", + "id": "T1543.002", + "url": "https://attack.mitre.org/techniques/T1543/002" + }, + { + "name": "Exclusive Control", + "id": "T1668", + "url": "https://attack.mitre.org/techniques/T1668" + }, + { + "name": "RDP Hijacking", + "id": "T1563.002", + "url": "https://attack.mitre.org/techniques/T1563/002" + }, + { + "name": "Create Account", + "id": "T1136", + "url": "https://attack.mitre.org/techniques/T1136" + }, + { + "name": "XDG Autostart Entries", + "id": "T1547.013", + "url": "https://attack.mitre.org/techniques/T1547/013" + }, + { + "name": "Server", + "id": "T1584.004", + "url": "https://attack.mitre.org/techniques/T1584/004" + }, + { + "name": "Email Spoofing", + "id": "T1672", + "url": "https://attack.mitre.org/techniques/T1672" + }, + { + "name": "Cloud Service Discovery", + "id": "T1526", + "url": "https://attack.mitre.org/techniques/T1526" + }, + { + "name": "Malicious Copy and Paste", + "id": "T1204.004", + "url": "https://attack.mitre.org/techniques/T1204/004" + }, + { + "name": "Space after Filename", + "id": "T1151", + "url": "https://attack.mitre.org/techniques/T1151" + }, + { + "name": "Remote System Discovery", + "id": "T1018", + "url": "https://attack.mitre.org/techniques/T1018" + }, + { + "name": "Network Service Discovery", + "id": "T1046", + "url": "https://attack.mitre.org/techniques/T1046" + }, + { + "name": "Domain Properties", + "id": "T1590.001", + "url": "https://attack.mitre.org/techniques/T1590/001" + }, 
+ { + "name": "Software Discovery", + "id": "T1518", + "url": "https://attack.mitre.org/techniques/T1518" + }, + { + "name": "Cloud Service Dashboard", + "id": "T1538", + "url": "https://attack.mitre.org/techniques/T1538" + }, + { + "name": "Thread Local Storage", + "id": "T1055.005", + "url": "https://attack.mitre.org/techniques/T1055/005" + }, + { + "name": "Debugger Evasion", + "id": "T1622", + "url": "https://attack.mitre.org/techniques/T1622" + }, + { + "name": "Space after Filename", + "id": "T1036.006", + "url": "https://attack.mitre.org/techniques/T1036/006" + }, + { + "name": "Re-opened Applications", + "id": "T1547.007", + "url": "https://attack.mitre.org/techniques/T1547/007" + }, + { + "name": "SEO Poisoning", + "id": "T1608.006", + "url": "https://attack.mitre.org/techniques/T1608/006" + }, + { + "name": "Pass the Hash", + "id": "T1550.002", + "url": "https://attack.mitre.org/techniques/T1550/002" + }, + { + "name": "Exfiltration Over Physical Medium", + "id": "T1052", + "url": "https://attack.mitre.org/techniques/T1052" + }, + { + "name": "DLL Side-Loading", + "id": "T1574.002", + "url": "https://attack.mitre.org/techniques/T1574/002" + }, + { + "name": "Ingress Tool Transfer", + "id": "T1105", + "url": "https://attack.mitre.org/techniques/T1105" + }, + { + "name": "SyncAppvPublishingServer", + "id": "T1216.002", + "url": "https://attack.mitre.org/techniques/T1216/002" + }, + { + "name": "Additional Email Delegate Permissions", + "id": "T1098.002", + "url": "https://attack.mitre.org/techniques/T1098/002" + }, + { + "name": "Code Signing Certificates", + "id": "T1588.003", + "url": "https://attack.mitre.org/techniques/T1588/003" + }, + { + "name": "Network Share Connection Removal", + "id": "T1126", + "url": "https://attack.mitre.org/techniques/T1126" + }, + { + "name": "Serverless Execution", + "id": "T1648", + "url": "https://attack.mitre.org/techniques/T1648" + }, + { + "name": "TCC Manipulation", + "id": "T1548.006", + "url": 
"https://attack.mitre.org/techniques/T1548/006" + }, + { + "name": "Windows Management Instrumentation Event Subscription", + "id": "T1084", + "url": "https://attack.mitre.org/techniques/T1084" + }, + { + "name": "Launch Daemon", + "id": "T1160", + "url": "https://attack.mitre.org/techniques/T1160" + }, + { + "name": "Ptrace System Calls", + "id": "T1055.008", + "url": "https://attack.mitre.org/techniques/T1055/008" + }, + { + "name": "Power Settings", + "id": "T1653", + "url": "https://attack.mitre.org/techniques/T1653" + }, + { + "name": "Dynamic API Resolution", + "id": "T1027.007", + "url": "https://attack.mitre.org/techniques/T1027/007" + }, + { + "name": "Remote Desktop Protocol", + "id": "T1021.001", + "url": "https://attack.mitre.org/techniques/T1021/001" + }, + { + "name": "Logon Script (Windows)", + "id": "T1037.001", + "url": "https://attack.mitre.org/techniques/T1037/001" + }, + { + "name": "ListPlanting", + "id": "T1055.015", + "url": "https://attack.mitre.org/techniques/T1055/015" + }, + { + "name": "Hide Infrastructure", + "id": "T1665", + "url": "https://attack.mitre.org/techniques/T1665" + }, + { + "name": "Domain or Tenant Policy Modification", + "id": "T1484", + "url": "https://attack.mitre.org/techniques/T1484" + }, + { + "name": "XSL Script Processing", + "id": "T1220", + "url": "https://attack.mitre.org/techniques/T1220" + }, + { + "name": "Scan Databases", + "id": "T1596.005", + "url": "https://attack.mitre.org/techniques/T1596/005" + }, + { + "name": "Hidden Files and Directories", + "id": "T1564.001", + "url": "https://attack.mitre.org/techniques/T1564/001" + }, + { + "name": "Create Snapshot", + "id": "T1578.001", + "url": "https://attack.mitre.org/techniques/T1578/001" + }, + { + "name": "Determine Physical Locations", + "id": "T1591.001", + "url": "https://attack.mitre.org/techniques/T1591/001" + }, + { + "name": "Office Test", + "id": "T1137.002", + "url": "https://attack.mitre.org/techniques/T1137/002" + }, + { + "name": "Develop 
Capabilities", + "id": "T1587", + "url": "https://attack.mitre.org/techniques/T1587" + }, + { + "name": "Dynamic Data Exchange", + "id": "T1173", + "url": "https://attack.mitre.org/techniques/T1173" + }, + { + "name": "NTDS", + "id": "T1003.003", + "url": "https://attack.mitre.org/techniques/T1003/003" + }, + { + "name": "SNMP (MIB Dump)", + "id": "T1602.001", + "url": "https://attack.mitre.org/techniques/T1602/001" + }, + { + "name": "Steganography", + "id": "T1001.002", + "url": "https://attack.mitre.org/techniques/T1001/002" + }, + { + "name": "Malicious Link", + "id": "T1204.001", + "url": "https://attack.mitre.org/techniques/T1204/001" + }, + { + "name": "Application Access Token", + "id": "T1550.001", + "url": "https://attack.mitre.org/techniques/T1550/001" + }, + { + "name": "LSASS Driver", + "id": "T1547.008", + "url": "https://attack.mitre.org/techniques/T1547/008" + }, + { + "name": "Service Execution", + "id": "T1569.002", + "url": "https://attack.mitre.org/techniques/T1569/002" + }, + { + "name": "Cloud Accounts", + "id": "T1078.004", + "url": "https://attack.mitre.org/techniques/T1078/004" + }, + { + "name": "Environmental Keying", + "id": "T1480.001", + "url": "https://attack.mitre.org/techniques/T1480/001" + }, + { + "name": "Fallback Channels", + "id": "T1008", + "url": "https://attack.mitre.org/techniques/T1008" + }, + { + "name": "Local Storage Discovery", + "id": "T1680", + "url": "https://attack.mitre.org/techniques/T1680" + }, + { + "name": "NTFS File Attributes", + "id": "T1564.004", + "url": "https://attack.mitre.org/techniques/T1564/004" + }, + { + "name": "Kerberoasting", + "id": "T1558.003", + "url": "https://attack.mitre.org/techniques/T1558/003" + }, + { + "name": "NTFS File Attributes", + "id": "T1096", + "url": "https://attack.mitre.org/techniques/T1096" + }, + { + "name": "DCSync", + "id": "T1003.006", + "url": "https://attack.mitre.org/techniques/T1003/006" + }, + { + "name": "System Time Discovery", + "id": "T1124", + "url": 
"https://attack.mitre.org/techniques/T1124" + }, + { + "name": "At", + "id": "T1053.002", + "url": "https://attack.mitre.org/techniques/T1053/002" + }, + { + "name": "Service Execution", + "id": "T1035", + "url": "https://attack.mitre.org/techniques/T1035" + }, + { + "name": "Dynamic-link Library Injection", + "id": "T1055.001", + "url": "https://attack.mitre.org/techniques/T1055/001" + }, + { + "name": "PowerShell", + "id": "T1086", + "url": "https://attack.mitre.org/techniques/T1086" + }, + { + "name": "Exploits", + "id": "T1588.005", + "url": "https://attack.mitre.org/techniques/T1588/005" + }, + { + "name": "Modify Authentication Process", + "id": "T1556", + "url": "https://attack.mitre.org/techniques/T1556" + }, + { + "name": "Udev Rules", + "id": "T1546.017", + "url": "https://attack.mitre.org/techniques/T1546/017" + }, + { + "name": "Credential API Hooking", + "id": "T1056.004", + "url": "https://attack.mitre.org/techniques/T1056/004" + }, + { + "name": "Firmware Corruption", + "id": "T1495", + "url": "https://attack.mitre.org/techniques/T1495" + }, + { + "name": "Inhibit System Recovery", + "id": "T1490", + "url": "https://attack.mitre.org/techniques/T1490" + }, + { + "name": "Netsh Helper DLL", + "id": "T1546.007", + "url": "https://attack.mitre.org/techniques/T1546/007" + }, + { + "name": "Spearphishing via Service", + "id": "T1566.003", + "url": "https://attack.mitre.org/techniques/T1566/003" + }, + { + "name": "Internal Proxy", + "id": "T1090.001", + "url": "https://attack.mitre.org/techniques/T1090/001" + }, + { + "name": "System Script Proxy Execution", + "id": "T1216", + "url": "https://attack.mitre.org/techniques/T1216" + }, + { + "name": "Custom Command and Control Protocol", + "id": "T1094", + "url": "https://attack.mitre.org/techniques/T1094" + }, + { + "name": "Dead Drop Resolver", + "id": "T1102.001", + "url": "https://attack.mitre.org/techniques/T1102/001" + }, + { + "name": "InstallUtil", + "id": "T1118", + "url": 
"https://attack.mitre.org/techniques/T1118" + }, + { + "name": "Junk Data", + "id": "T1001.001", + "url": "https://attack.mitre.org/techniques/T1001/001" + }, + { + "name": "Spearphishing Service", + "id": "T1598.001", + "url": "https://attack.mitre.org/techniques/T1598/001" + }, + { + "name": "Commonly Used Port", + "id": "T1043", + "url": "https://attack.mitre.org/techniques/T1043" + }, + { + "name": "vSphere Installation Bundles", + "id": "T1505.006", + "url": "https://attack.mitre.org/techniques/T1505/006" + }, + { + "name": "Container API", + "id": "T1552.007", + "url": "https://attack.mitre.org/techniques/T1552/007" + }, + { + "name": "Domains", + "id": "T1584.001", + "url": "https://attack.mitre.org/techniques/T1584/001" + }, + { + "name": "SQL Stored Procedures", + "id": "T1505.001", + "url": "https://attack.mitre.org/techniques/T1505/001" + }, + { + "name": "Network Device Authentication", + "id": "T1556.004", + "url": "https://attack.mitre.org/techniques/T1556/004" + }, + { + "name": "Disk Content Wipe", + "id": "T1561.001", + "url": "https://attack.mitre.org/techniques/T1561/001" + }, + { + "name": "Messaging Applications", + "id": "T1213.005", + "url": "https://attack.mitre.org/techniques/T1213/005" + }, + { + "name": "Exfiltration Over Unencrypted Non-C2 Protocol", + "id": "T1048.003", + "url": "https://attack.mitre.org/techniques/T1048/003" + }, + { + "name": "Compression", + "id": "T1027.015", + "url": "https://attack.mitre.org/techniques/T1027/015" + }, + { + "name": "Dylib Hijacking", + "id": "T1574.004", + "url": "https://attack.mitre.org/techniques/T1574/004" + }, + { + "name": "Downgrade System Image", + "id": "T1601.002", + "url": "https://attack.mitre.org/techniques/T1601/002" + }, + { + "name": "Local Accounts", + "id": "T1078.003", + "url": "https://attack.mitre.org/techniques/T1078/003" + }, + { + "name": "Wi-Fi Networks", + "id": "T1669", + "url": "https://attack.mitre.org/techniques/T1669" + }, + { + "name": "Exploitation for Defense 
Evasion", + "id": "T1211", + "url": "https://attack.mitre.org/techniques/T1211" + }, + { + "name": "Trusted Developer Utilities Proxy Execution", + "id": "T1127", + "url": "https://attack.mitre.org/techniques/T1127" + }, + { + "name": "System Shutdown/Reboot", + "id": "T1529", + "url": "https://attack.mitre.org/techniques/T1529" + }, + { + "name": "MMC", + "id": "T1218.014", + "url": "https://attack.mitre.org/techniques/T1218/014" + }, + { + "name": "Process Argument Spoofing", + "id": "T1564.010", + "url": "https://attack.mitre.org/techniques/T1564/010" + }, + { + "name": "Windows Admin Shares", + "id": "T1077", + "url": "https://attack.mitre.org/techniques/T1077" + }, + { + "name": "COR_PROFILER", + "id": "T1574.012", + "url": "https://attack.mitre.org/techniques/T1574/012" + } +] \ No newline at end of file diff --git a/findings.typ b/findings.typ index 48e0840..d391742 100644 --- a/findings.typ +++ b/findings.typ @@ -1,4 +1,5 @@ -#import "addons/cvss.typ" as cvss +#import "addons/cvss.typ" +#import "addons/mitre.typ" = Findings @@ -29,6 +30,8 @@ Both applications have a login screen and cannot be used by unauthorized visitor The version of `Uptime Kuma` is not specified, while the version of `Nginx Proxy Manager` is 2.11.2 and free of publicly known vulnerabilities (CVEs). +This is referenced in MITRE's ATT&CK framework as #mitre.reference(name: "External Remote Services"). + === Evaluation The administration interfaces are not vulnerable and cannot be used without valid credentials. Because of this, the findings are considered purely informative. diff --git a/pages/mgmtsum.typ b/pages/mgmtsum.typ index 6b11f10..2709465 100644 --- a/pages/mgmtsum.typ +++ b/pages/mgmtsum.typ 
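Review bot: The added `#mitre.reference(name: "External Remote Services")` in the second findings.typ hunk looks the technique up by name, but names are not unique in `extern/mitre-attack.json`. The data added by this same patch lists "Component Object Model Hijacking" as both T1122 and T1546.015, and "Kerberoasting" as both T1208 and T1558.003. `reference` in `addons/mitre.typ` takes the first entry whose name or id matches, so a name lookup prints whichever id comes first in the file. That may be a superseded id, since the README filter keeps every `attack-pattern` object, presumably including revoked and deprecated ones. A client may cross-check the report against ATT&CK, so cite by id here, e.g. `#mitre.reference(id: "T1133")` (confirm the id against the JSON), and keep name lookups for names that occur only once.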
@@ -1,6 +1,7 @@ #import "@preview/diagraph:0.3.6" #import "../addons/cvss.typ" +#import "../addons/mitre.typ" #let render(target: str, targetInSentence: str, testFocus: str, testObject: str, testScenario: str, recommendation: str, start: str, end: str, setup: str, nodes: raw, scope: array) = { [ @@ -18,7 +19,14 @@ == Test Methodology - The aim of the test was to uncover vulnerabilities and weaknesses of all kinds and chaining findings and vulnerabilities accordingly to gain a deep understanding of the audited hosts, following a security-in-depth approach. The tests were carried out in accordance with the MITRE ATT&CK Framework#footnote("https://attack.mitre.org"). + The aim of the test was to uncover vulnerabilities and weaknesses of all kinds and chaining findings and vulnerabilities accordingly to gain a deep understanding of the audited hosts, following a security-in-depth approach. #context([ + #let methods = ( + if mitre.isUsed.final() { [the MITRE ATT&CK Framework#footnote("https://attack.mitre.org")] }, + ).filter(m => m != none) + #if methods.len() > 0 { + [The tests were carried out in accordance with #methods.join(", ", last: ", and ").] + } + ]) The penetration test was performed as a #testScenario.
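Review bot: The new `#context` block in the Test Methodology paragraph depends on two Typst behaviours that the code does not explain, so a comment above `#let methods` would help the next editor: `// final() = state value at the end of the document, so references in later chapters count; an if without else yields none and is filtered out`. The sentence "carried out in accordance with" is now printed as soon as a single `mitre.reference` call appears anywhere in the report, which is a weaker basis than the unconditional methodology statement it replaces; if that is intended, the same comment should say so. When no reference is used, the paragraph names no methodology at all, so a fallback sentence may be worth adding. The enclosing `render` function starts in the previous hunk and continues past this one.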