Enterprise Techniques

| ID | Name | Description |
|---|---|---|
| VT0029 | Account Access Removal | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. |
| VT0011 | Account Manipulation | Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials, machine identities or permission groups. |
| .001 | Additional Cloud Credentials | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. |
| .002 | SSH Authorized Keys | Adversaries may modify the Secure Shell (SSH) authorized_keys file to maintain persistence on a victim host. SSH is the standard for remote access to Linux and Unix-based distributions, macOS, and Microsoft Windows 10 machines. The most common way to implement SSH is using key-based authentication to secure the authentication for remote management sessions. |
| VT0006 | Active Scanning | Before compromising a victim, adversaries may execute active Reconnaissance scans to gather information that can be used during targeting. Active scans are those where adversaries probe victim infrastructure via network traffic. |
| .001 | Scanning IP Blocks | Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. |
| .002 | Vulnerability Scanning | Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check whether the configuration of a target host/application (ex: software and version) is potentially vulnerable and can be potentially exploited by the adversary. |
| VT0013 | Brute Force | Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. |
| VT0012 | Command and Scripting Interpreter | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. |
| .001 | Unix Shell | Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. |
| VT0014 | Compromise Client Software Binary | Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. |
| VT0023 | Compromise Infrastructure | Before compromising a victim, adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. |
| .001 | DNS Server | Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. |
| .002 | Domains | Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. |
| VT0021 | Credentials from Password Stores | Adversaries may search for common password storage locations to obtain machine identities and user credentials. Keys and passwords are often stored in several places on a system, depending on the operating system or application holding them. There are also specific applications that store keys and passwords to make them easier for users to manage and maintain. Once credentials are obtained, they can be used to perform Lateral Movement and access restricted information. |
| .001 | Keychain | Adversaries may collect the keychain storage data from a system to acquire machine identities. Keychains are the built-in way for macOS to keep track of users' keys and credentials for various services and features, such as certificates. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. |
| .002 | Securityd Memory | On macOS, an adversary with root access can read securityd's memory and find the correct sequence of keys to decrypt the user's logon keychain, enabling them to have access to all the information stored in the keychain, including keys and credentials in plaintext. |
| .003 | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials and other sensitive information. |
| VT0030 | Data Manipulation | Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. |
| .001 | Transmitted Data Manipulation | Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. |
| VT0007 | Develop Capabilities | Before compromising a victim, adversaries may build in-house capabilities that can be used during targeting. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle. |
| .001 | Code Signing Certificates | Before compromising a victim, adversaries may create a CA-signed or a self-signed code signing certificate to be used during targeting. Code Signing is simply a guarantee that the code of a program or software download has not been modified after it was signed by the publisher. Code Signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program on first run on Windows and macOS/OS X operating systems. |
| .002 | Digital Certificates | Before compromising a victim, adversaries may create self-signed or CA-signed SSL/TLS X.509 certificates that can be used during targeting. SSL/TLS X.509 certificates are digital files that are used for Secure Sockets Layer (SSL) or Transport Layer Security (TLS). An SSL/TLS certificate is one of the most popular types of X.509 certificates, a type of public-key certificate which uses the X.509 standard. X.509 certificates contain a public key and the identity of a hostname, organization, or individual, and function as machine identities for authentication and data encryption. |
| .003 | Malware | Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. |
| VT0027 | Encrypted Channel | Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files. |
| .001 | Symmetric Cryptography | Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. |
| VT0003 | Exploit Public-Facing Application | Adversaries may attempt to take advantage of a weakness or a vulnerability in an Internet-facing application to cause unintended or unanticipated behavior and execute arbitrary code on the hosting machine. The weakness in the system can be a bug, a glitch, or a design vulnerability. |
| VT0036 | Exploitation for Defense Evasion | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. |
| VT0026 | Exploitation of Remote Services | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is lateral movement to enable access to a remote system. |
| VT0002 | External Remote Services | External-facing remote services such as SSH, VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries may leverage such remote services to initially access and persist within a network. Access to remote services may be used as a redundant or persistent access mechanism during an operation. |
| VT0018 | Input Capture | Adversaries may use methods of capturing user input to obtain machine identities and credentials or collect information. During normal system usage, users often provide machine identities and credentials to various locations, such as system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service. |
| .001 | Keylogging | Adversaries may log user keystrokes to intercept credentials and password-protected machine identities as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. |
| VT0022 | Man-in-the-Middle (MITM) | A man-in-the-middle (MITM) attack is a general term for when adversaries position themselves between a user and an application or a device for the purpose of eavesdropping or impersonation of legitimate communication. |
| .001 | TLS Stripping | An adversary that has intercepted a connection may try to decrypt the secure communication between a client and a server using SSL stripping. An SSL stripping attack downgrades an HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The adversary sends an unencrypted version of the application's site to the user while maintaining the secured session with the application, acting as a "bridge" between them. (Citation: Imperva) |
| .002 | DNS Hijacking | The adversary is trying to perform a Man-in-the-Middle (MITM) attack using Domain Name System (DNS) hijacking. DNS hijacking, also referred to as DNS redirection, is when DNS queries are incorrectly resolved in order to unexpectedly redirect the client to an attacker-controlled server. To enable this attack, the adversary must compromise the target client or router or intercept DNS communication by using other Man-in-the-Middle (MITM) techniques. |
| .003 | DNS Spoofing/Cache Poisoning | The adversary attempts to perform a Man-in-the-Middle (MITM) attack using DNS spoofing. DNS spoofing, also known as DNS cache poisoning, involves altering cached IP addresses of a DNS server to attacker-controlled ones. A cache is a hardware or software component that stores data so that future requests for that data can be served faster. In DNS servers, the cache is used to store previously translated names. |
| .004 | HTTPS Spoofing | An adversary that has intercepted a secure communication may attempt HTTPS spoofing to decrypt the traffic. In HTTPS spoofing, the adversary sends a rogue certificate to the victim's browser once the initial connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies according to an existing list of trusted sites. The adversary is then able to access any data entered by the victim before it is passed to the application. |
| .005 | SSL Hijacking | An adversary that has intercepted a secure communication may attempt Session Hijacking, also known as SSL or TLS hijacking, to decrypt the traffic. Session hijacking is a method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed, the adversary can masquerade as the user and perform anything the user is authorized to do on the network. |
| VT0015 | Masquerading | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and security tools and evade monitoring. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. |
| .001 | Invalid Code Signature | Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving monitoring and security tools and users. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users, and security tools may therefore handle them improperly. |
| VT0024 | Network Service Scanning | Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system, similarly to the Active Scanning in the Reconnaissance phase. |
| VT0019 | Network Sniffing | Adversaries may sniff network traffic to capture information about an environment, including machine identities and authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. |
| VT0009 | Obtain Capabilities | Before compromising a victim, adversaries may buy or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle. |
| .001 | Code Signing Certificates | Before compromising a victim, adversaries may buy or steal code signing certificates that can be used during targeting. Code Signing is simply a guarantee that the code of a program or software download has not been corrupted and tampered with after it was signed by the publisher. Code Signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program. |
| .002 | Digital Certificates | Before compromising a victim, adversaries may buy or steal SSL/TLS X.509 certificates that can be used during targeting. SSL/TLS X.509 certificates are digital files that are used for Secure Sockets Layer (SSL) or Transport Layer Security (TLS). An SSL/TLS certificate is one of the most popular types of X.509 certificates, a type of public-key certificate which uses the X.509 standard. X.509 certificates contain a public key and the identity of a hostname, organization, or individual, and function as machine identities for authentication and data encryption. |
| VT0028 | Protocol Tunneling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. |
| VT0025 | Remote Service Session Hijacking | Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service. |
| .001 | SSH Hijacking | Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux, macOS and Windows 10 systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair. |
| VT0020 | Remote Services | Adversaries may use Valid Accounts to log into a service designed to accept remote connections, such as SSH, telnet, and VNC, and perform actions as the logged-on user with that user's permissions. |
| .001 | SSH | Adversaries may use a "living-off-the-land" approach and utilize Secure Shell (SSH), which is typically preinstalled on the victims' machines, in order to perform Lateral Movement to other targets and to maintain External Remote Services. |
| VT0034 | Remote System Discovery | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the compromised system. |
| VT0031 | Resource Hijacking | Adversaries may leverage the resources of co-opted systems in order to solve resource-intensive problems, which may impact system and/or hosted service availability. |
| VT0032 | Service Stop | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. |
| VT0016 | Subvert Trust Controls | Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. |
| .001 | Install Root Certificate | Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted, an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. |
| .002 | Code Signing | Before compromising a victim, adversaries may buy, steal or create code signing certificates to be used during targeting. Code signing is simply a guarantee that the code of a program or software download has not been modified after it was signed by the publisher. Code Signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program. |
| VT0004 | Supply Chain Compromise | Adversaries may manipulate products or product delivery mechanisms prior to receipt by the end user to achieve data or system compromise. |
| .001 | Compromise Software Dependencies and Development Tools | Adversaries may target software dependencies and development tools by manipulating libraries, open source (OS) package manager repositories, container images and repositories, and others before they reach the end user in order to cause data or system compromise. |
| .002 | Compromise Software Supply Chain | Adversaries may manipulate application software prior to receipt by the end user for the purpose of data or system compromise. Supply Chain Compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. |
| .003 | Compromise Hardware Supply Chain | Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals. |
| VT0010 | Trusted Relationship | Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. |
| VT0017 | Unsecured Credentials | Adversaries may search compromised systems to find and obtain insecurely stored machine identities and credentials. These machine identities can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys). |
| .001 | Credentials In Files | Adversaries may search local file systems and remote file shares for files containing insecurely stored machine identities and credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords or keys for a system or service, or source code/binary files containing embedded passwords or keys. |
| .002 | Credentials in Registry | In Windows OS, adversaries may search the Registry on compromised systems for insecurely stored machine identities and credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and keys that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. |
| .003 | Bash History | Adversaries may search the bash command history on compromised systems for insecurely stored machine identities and credentials. Bash keeps track of the commands users type on the command line with the "history" utility. Once a user logs out, the history is flushed to the user's .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user's last 500 commands. Users often type their usernames, keys and passwords on the command line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential machine identities and credentials. |
| .004 | Private Keys | Adversaries may search for insecurely stored private key certificate files on compromised systems. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures and can be identified by their file extensions: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. |
| VT0005 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| .001 | Default Accounts | Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider-set accounts on other types of systems, software, or devices. |