---
type: "mapping-set"
title: "ATT&CK techniques → #1 Abuse of Functions"
description: "471 ATT&CK technique entries mapped to TLCTC #1 Abuse of Functions."
resource: "tlctc:mapping:attack:cluster-1"
tags:
  - "mapping"
  - "attack"
  - "cluster-1"
---
# ATT&CK techniques → #1 Abuse of Functions

> Source: MITRE ATT&CK Enterprise → TLCTC mapping (`mappings/mitre-attack-enterprise/`).

Mapped entries: **471**. Cluster: [#1 Abuse of Functions](/clusters/cluster-1.md).

| Technique | Name | TLCTC | Rationale |
|---|---|---|---|
| T1003 | OS Credential Dumping | #1 \| #7 | OS credential dumping is **acquisition**. Per **R-CRED / Axiom X**, acquisition maps to its enabling cluster: (`#1`) abuse of designed memory/file/replication APIs (`procdump`, `comsvcs.dll`, registry export, AD replication via DCSync); (`#7`) malware that performs the dump (Mimikatz, custom credential stealers). The application of dumped credentials is a separate later step, always `#4`. Path: `#1 \| #7` (acquisition) → … → `#4` (application). |
| T1003.001 | OS Credential Dumping: LSASS Memory | #1 \| #7 | LSASS memory dumping. Acquisition via designed Windows debugging/dump APIs (`MiniDumpWriteDump`, `comsvcs.dll`, Task Manager) — `#1`; or via malware (`#7`). R-CRED: application of harvested credentials is a separate later `#4` step. |
| T1003.002 | Security Account Manager | #1 \| #7 | SAM hive extraction (registry SAM/SYSTEM hives offline). Acquisition via designed registry export / volume shadow copy — `#1`; or malware-driven — `#7`. R-CRED. |
| T1003.003 | NTDS | #1 \| #7 | NTDS.dit extraction (Active Directory database). Acquisition via designed VSS / `ntdsutil` / replication APIs — `#1`; or malware-driven — `#7`. R-CRED. |
| T1003.004 | OS Credential Dumping: LSA Secrets | #1 \| #7 | LSA secrets extraction. Acquisition via designed registry / LSA APIs — `#1`; or malware — `#7`. R-CRED. |
| T1003.005 | OS Credential Dumping: Cached Domain Credentials | #1 \| #7 | Cached domain credentials extraction. Acquisition via designed registry access — `#1`; or malware — `#7`. R-CRED. |
| T1003.006 | OS Credential Dumping: DCSync | #1 | DCSync abuses the **designed Active Directory replication protocol** (DRSUAPI / GetNCChanges) with replicating-directory-changes rights. No foreign code needs to execute on the DC — the attacker uses the legitimate replication function from any host with the right. `#1` per R-ABUSE / R-CRED. (Tool implementations like Mimikatz `lsadump::dcsync` invoke the legitimate API; the malware-on-attacker-host doesn't cross into @Org as FEC.) Application of harvested hashes is a separate later `#4` step. |
| T1003.007 | Proc Filesystem | #1 \| #7 | Linux `/proc` filesystem credential extraction. Acquisition via designed proc-fs reads — `#1`; or malware — `#7`. R-CRED. |
| T1003.008 | OS Credential Dumping: /etc/passwd and /etc/shadow | #1 \| #7 | Linux `/etc/passwd` and `/etc/shadow` extraction. Acquisition via designed file-system reads (privileged) — `#1`; or malware — `#7`. R-CRED. |
| T1005 | Data from Local System | #1 | Read files of interest from the local file system using designed file-access functions (`type`, `cat`, `Get-Content`, file APIs). `#1` per R-ABUSE. Outcome `[DRE: C]` — confidentiality of @Org data breached at the moment the attacker reads it (regardless of whether subsequent exfiltration occurs). Path: `#1 + [DRE: C]`. |
| T1006 | Direct Volume Access | #1 | Direct Volume Access: bypass file-system access controls by reading the raw volume through designed Windows volume APIs (`\\.\C:`, `Win32_LogicalDisk` raw read, ESXi `vmdk` direct access). `#1` per R-ABUSE — the volume-read function is designed for legitimate backup/forensic use; attacker uses it to read locked or ACL-protected files. |
| T1007 | System Service Discovery | #1 | System Service Discovery: enumerate running services via `sc query`, `tasklist /svc`, `systemctl list-units`, service-manager APIs. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1010 | Application Window Discovery | #1 | Application Window Discovery: enumerate open application windows and titles via `EnumWindows`, accessibility/UI APIs, AppleScript window queries. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1011 | Exfiltration Over Other Network Medium | #1 | Exfiltration over a non-primary network medium (Bluetooth, cellular modem, side-channel RF, peer wireless). Data leaves @Org through a designed network/transfer function — `#1` per R-ABUSE. Path: `#1 \|\|[network][@Org→@External]\|\| + [DRE: C]`. |
| T1011.001 | Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth | #1 | Bluetooth exfiltration: data is sent through the Bluetooth stack's designed transfer functions to a paired or attacker-controlled receiver. `#1` per R-ABUSE. Path: `#1 \|\|[network][@Org→@External]\|\| + [DRE: C]`. |
| T1012 | Query Registry | #1 | Query Registry: enumerate registry keys and values via `reg query`, `Get-ItemProperty`, RegOpenKeyEx APIs. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1016 | System Network Configuration Discovery | #1 | System Network Configuration Discovery: enumerate host network configuration via `ipconfig`, `ifconfig`, `ip addr`, `route print`, `netsh`, `Get-NetIPConfiguration`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | #1 | Internet Connection Discovery: enumerate whether the host has internet egress via `ping`, captive-portal detection endpoints, designed connectivity-test APIs. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1016.002 | System Network Configuration Discovery: Wi-Fi Discovery | #1 | Wi-Fi Discovery: enumerate visible Wi-Fi networks and saved profiles via `netsh wlan show`, `airport`, `iw`, `nmcli`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1018 | Remote System Discovery | #1 | Remote System Discovery: enumerate remote hosts on the network via `ping`, `net view`, `nltest /dclist`, `arp -a`, AD enumeration via LDAP. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1020 | Automated Exfiltration | #1 | Automated/scheduled exfiltration uses legitimate scheduling (`cron`, Task Scheduler, systemd timers, cloud schedulers) and transfer functions to move data continuously or on a trigger. `#1` per R-ABUSE. Path: `#1 + [DRE: C]`. |
| T1020.001 | Automated Exfiltration: Traffic Duplication | #1 | Traffic duplication: network device features (port mirroring, SPAN ports, traffic-mirror cloud APIs) are configured to copy traffic toward attacker-accessible collection. Designed mirroring functionality used for exfiltration — `#1` per R-ABUSE. Path: `#1 + [DRE: C]`. |
| T1025 | Data from Removable Media | #1 | Read data from a connected removable medium (USB, optical, mounted removable disk) via designed file-system APIs. `#1` per R-ABUSE. Path: `#1 + [DRE: C]`. |
| T1027 | Obfuscated Files or Information | #1 \| #7 | Obfuscated Files or Information: render attacker payloads/commands harder to analyze. Modes: (`#1`) reuse of designed encoding/compression/encryption libraries; (`#7`) malware-implemented obfuscation routines as FEC features. See sub-techniques for specific mechanisms. |
| T1027.002 | Software Packing | #1 \| #7 | Software Packing: pack the attacker binary with a runtime unpacker stub (UPX, custom packer). `#1` when standard packers are used; `#7` when malware-implemented custom packers ship as part of the FEC. |
| T1027.003 | Steganography | #1 \| #7 | Steganography: hide attacker payload inside image/audio/document carriers. `#1` when designed image/audio APIs do the embedding; `#7` when stego routines are FEC features. |
| T1027.004 | Compile After Delivery | #1 → #7 | Compile After Delivery: deliver source / IL and compile on the target using a designed compiler (`csc.exe`, `gcc`, `tcc`) to evade signature-based detection of pre-compiled binaries. `#1` (designed compiler abuse) → `#7` (compiled FEC executes). |
| T1027.006 | HTML Smuggling | #1 → #7 | HTML Smuggling: deliver attacker payload via HTML/JS that reconstructs a binary blob in the browser (using designed `Blob`/`<a download>` APIs) so perimeter inspection sees only HTML. `#1` (designed browser APIs) → `#7` (reconstructed payload runs). |
| T1027.010 | Command Obfuscation | #1 \| #7 | Command Obfuscation: obscure attacker commands (PowerShell encoded commands, batch tricks, base64 chains, environmental substitution). `#1` when designed encoding APIs are reused; `#7` when commands ship as FEC. |
| T1027.011 | Fileless Storage | #1 | Fileless Storage: store attacker payload/data in non-file locations — registry, WMI repository, Win32 named pipes, ADS. Designed storage feature abused — `#1`. (Subsequent execution from fileless storage is captured by the relevant execution technique.) |
| T1027.012 | LNK Icon Smuggling | #1 → #7 | LNK Icon Smuggling: weaponize `.lnk` files with crafted target/icon strings that smuggle execution context past security controls. `#1` (designed LNK fields) → `#7`. |
| T1027.013 | Encrypted/Encoded File | #1 \| #7 | Encrypted/Encoded File: encrypt/encode attacker file at rest so AV signature scanners cannot match. `#1` when designed crypto APIs are used; `#7` when malware-implemented crypto. |
| T1027.015 | Compression | #1 \| #7 | Compression: compress attacker payload with standard compressors (gzip, zlib, LZMA) or custom compression. `#1` for standard libraries; `#7` for malware-implemented. |
| T1027.017 | SVG Smuggling | #1 → #7 | SVG Smuggling: embed attacker payload inside SVG `<script>` or data URIs; SVG renderer interprets and executes embedded code. `#1` (designed SVG/script handling) → `#7`. |
| T1029 | Scheduled Transfer | #1 | Scheduled data transfer uses OS or cloud scheduling features to move data at chosen times (low-monitoring windows, blend with backups). Designed scheduling + transfer functions — `#1` per R-ABUSE. Path: `#1 + [DRE: C]`. |
| T1030 | Data Transfer Size Limits | #1 | Chunking/throttling exfiltration to stay under DLP or network-monitoring thresholds. Designed transfer functions invoked with crafted size/timing parameters — `#1` per R-ABUSE. Path: `#1 + [DRE: C]`. |
| T1033 | System Owner/User Discovery | #1 | System Owner/User Discovery: enumerate logged-in users and current user identity via `whoami`, `query user`, `who`, `w`, `Get-LocalUser`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1036 | Masquerading | #1 \| #7 | Masquerading: disguise attacker artifacts (files, processes, accounts, services) to look legitimate. Modes: (`#1`) abuse of naming/labeling/path conventions; (`#7`) FEC-build features that name/structure artifacts to mimic legit ones. See sub-techniques. |
| T1036.002 | Right-to-Left Override | #1 | Right-to-Left Override: use Unicode RTL-override character (U+202E) in filenames so `evil_cod[U+202E]gpj.exe` displays as `evil_codexe.jpg`. Designed Unicode display feature abused — `#1`. |
| T1036.003 | Rename System Utilities | #1 | Rename System Utilities: copy a legitimate system binary to an unexpected name so security telemetry and naming-based rules miss it. Designed file-copy/rename used — `#1`. (The renamed binary is still legit code; if it then executes attacker content, T1216/T1218 LOLBAS applies.) |
| T1036.004 | Masquerade Task or Service | #1 \| #7 | Masquerade Task or Service: create a scheduled task or service whose name closely mimics legitimate Windows components. `#1` (designed task/service create) when no FEC component, `#7` when malware-implemented naming-as-feature. |
| T1036.006 | Space after Filename | #1 \| #7 | Space after Filename: rename attacker file with trailing space to confuse path resolution and double-click handlers. Naming trick — `#1` or `#7` depending on whether the trick is system-level or FEC build-time. |
| T1036.008 | Masquerade File Type | #1 \| #7 | Masquerade File Type: file extension/header crafted to misclassify (e.g. a `.scr` disguised with a `.pdf` icon). `#1` or `#7` depending on whether it is a file-system trick or an FEC build feature. |
| T1036.009 | Break Process Trees | #1 | Break Process Trees: spawn attacker process under a chosen-but-misleading parent to break parent-tree detection (`STARTUPINFOEX` extended attributes, `WMI Win32_Process::Create`). Designed process-creation feature — `#1`. (Cf. T1134.004 Parent PID Spoofing for the privesc-tactic mapping.) |
| T1036.010 | Masquerade Account Name | #1 | Masquerade Account Name: create attacker account with a name closely mimicking legitimate ones (`svc_admin`, `DefaultAccount`). Designed identity-management — `#1`. |
| T1036.011 | Overwrite Process Arguments | #1 | Overwrite Process Arguments: modify the command-line strings of a running process via designed PEB manipulation so process explorers see legit args. `#1`. |
| T1036.012 | Masquerading: Browser Fingerprint | #1 \| #7 | Browser Fingerprint Masquerade: spoof browser/User-Agent/TLS-JA3 fingerprint to evade anti-bot/security tooling. `#1` (designed fingerprint config) or `#7` (FEC implementation). |
| T1037 | Boot or Logon Initialization Scripts | #1 → #7 | Boot/Logon Initialization Scripts: register attacker-supplied script in a designed startup script location (Group Policy Logon, RC scripts, login hooks, Startup Items folder). `#1` (designed startup mechanism) → `#7` (FEC executes at boot/logon per R-EXEC). |
| T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | #1 → #7 | Logon Script (Windows): register attacker script in the Group Policy logon-script slot or `HKCU\Environment\UserInitMprLogonScript`. `#1` → `#7`. |
| T1037.002 | Boot or Logon Initialization Scripts: Login Hook | #1 → #7 | Login Hook (macOS): register attacker script via `com.apple.loginwindow LoginHook`/`LogoutHook`. `#1` → `#7`. |
| T1037.003 | Network Logon Script | #1 → #7 | Network Logon Script: register attacker script in netlogon share / domain logon-script slot, executed for each domain user logon. `#1` → `#7` per logon event. |
| T1037.004 | RC Scripts | #1 → #7 | RC Scripts (Linux/BSD): add attacker command to `/etc/rc.local` or service-init scripts. `#1` (designed init mechanism) → `#7`. |
| T1037.005 | Boot or Logon Initialization Scripts: Startup Items | #1 → #7 | Startup Items (macOS legacy): register attacker bundle in `/Library/StartupItems`. `#1` → `#7`. |
| T1039 | Data from Network Shared Drive | #1 | Read data from a network shared drive (SMB share, NFS export, distributed file system) via designed file-access functions. `#1` per R-ABUSE. Path: `#1 + [DRE: C]`. |
| T1040 | Network Sniffing | #1 \| #5 | Network sniffing has two cluster modes per acquisition position: (`#1`) abuse of designed NIC promiscuous-mode functions on a host where the attacker has access (passive observation of broadcast/local traffic); (`#5`) Man-in-the-Middle interception where the attacker is positioned on the wire (LAN tap, span port, ARP poisoning result). Captured credentials are subsequently used in a separate `#4` step per R-CRED. |
| T1041 | Exfiltration Over C2 Channel | #1 \| #7 | Exfiltration piggybacks on the existing C2 channel: (`#1`) when the C2 protocol is a legitimate protocol abused for the C2 (HTTPS, DNS, named pipes) — the data movement reuses the abused legitimate function; (`#7`) when the C2 is implemented through a custom malware protocol/channel and exfiltration is carried by the malware's own networking code. Cluster expanded from prior `#7`-only to align with the T1048/T1567 family (which the older mapping already had as `#1 \| #7`). Path: `#1 + [DRE: C]` or `#7 + [DRE: C]` per mode. |
| T1046 | Network Service Scanning | #1 | Network Service Scanning: enumerate reachable services on internal hosts with TCP/UDP probes issued through designed networking APIs (post-foothold port scanning); legitimate ping/connect functions used at scale. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1047 | Windows Management Instrumentation | #1 → #7 | Windows Management Instrumentation: invoking WMI methods (`Win32_Process::Create`, `Win32_Service`, etc.) through their designed COM/DCOM interfaces — `#1` per R-ABUSE — to execute attacker-supplied commands or binaries — `#7` per R-EXEC. Path: `#1 → #7`. (When WMI is used purely for enumeration without code execution, classify as `#1` only — typically a Discovery-tactic technique.) |
| T1048 | Exfiltration Over Alternative Protocol | #1 \| #7 | Exfiltration over an alternative network protocol (not the established C2 channel): (`#1`) abuse of legitimate egress protocols and services (HTTPS to attacker site, DNS, FTP, ICMP); (`#7`) malware-driven transfer using the malware's own network code. Path: `(#1 \| #7) \|\|[network][@Org→@External]\|\| + [DRE: C]`. |
| T1048.001 | Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol | #1 \| #7 | Symmetric-encrypted non-C2 protocol (custom-keyed AES tunnel, encrypted FTP). Same `#1 \| #7` modes as parent. Path: `(#1 \| #7) \|\|[network][@Org→@External]\|\| + [DRE: C]`. |
| T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | #1 \| #7 | Asymmetric-encrypted non-C2 protocol (HTTPS, SSH, custom TLS). Same `#1 \| #7` modes as parent. Path: `(#1 \| #7) \|\|[network][@Org→@External]\|\| + [DRE: C]`. |
| T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | #1 \| #7 | Unencrypted non-C2 protocol (cleartext HTTP, FTP, SMTP, DNS query payload). Same `#1 \| #7` modes as parent. Path: `(#1 \| #7) \|\|[network][@Org→@External]\|\| + [DRE: C]`. |
| T1049 | System Network Connections Discovery | #1 | System Network Connections Discovery: enumerate active network connections via `netstat`, `ss`, `Get-NetTCPConnection`, `lsof -i`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1052 | Exfiltration Over Physical Medium | #1 | Exfiltration to a physical medium (USB drive, external disk, optical media, mobile device acting as storage). The data movement itself uses designed file-write / mass-storage functions on an already-connected medium — `#1` per R-ABUSE. Cluster corrected from prior `#8` (Physical Attack): the generic vulnerability here is the OS/application treating a connected medium as writable storage, not physical bypass of access controls. Path: `#1 + [DRE: C]`. (When the attacker first physically inserts an attacker-owned medium to extract data — bypassing physical security — prepend `#8`: `#8 \|\|[physical][@External→@Org]\|\| → #1 + [DRE: C]`. When the medium is dropped/abandoned for a recipient to recover, prepend `#9` for the human-link step in air-gap scenarios.) |
| T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | #1 | USB exfiltration: data is copied to a connected USB mass-storage device using OS file-system functions. `#1` per R-ABUSE. Cluster corrected from prior `#8` — the copy operation is designed-function abuse, not physical attack. Path: `#1 + [DRE: C]`. (Physical-insertion variants prepend `#8` per the parent rationale.) |
| T1053 | Scheduled Task/Job | #1 → #7 | Scheduled Task/Job parent: abuse of OS task-scheduling features (`schtasks`, `at`, `cron`, systemd timers, container orchestration jobs) — `#1` per R-ABUSE — to register a job that executes attacker-supplied code at a chosen time — `#7` per R-EXEC. Path: `#1 → #7`. |
| T1053.002 | Scheduled Task/Job: At | #1 → #7 | `at`: legacy Windows job-scheduling utility used to register attacker-supplied commands for one-time execution. `#1` (designed scheduling function) → `#7` (FEC). |
| T1053.003 | Scheduled Task/Job: Cron | #1 → #7 | cron: Linux/Unix job-scheduling daemon used to register recurring or one-time attacker jobs (entries in user `crontab`, `/etc/cron.*` directories). `#1` → `#7`. |
| T1053.005 | Scheduled Task | #1 → #7 | Windows Task Scheduler (`schtasks.exe`, Task Scheduler API): register attacker-supplied executables/scripts for triggered execution (login, idle, time, event). `#1` → `#7`. |
| T1053.006 | Scheduled Task/Job: Systemd Timers | #1 → #7 | systemd timers: register a `.timer` unit that triggers a `.service` running attacker-supplied code. `#1` (systemd unit-file management) → `#7`. |
| T1053.007 | Scheduled Task/Job: Container Orchestration Job | #1 → #7 | Container orchestration jobs: Kubernetes CronJobs / Job objects, Nomad periodic jobs, ECS scheduled tasks — abuse the orchestrator's designed scheduling APIs to run attacker-controlled containers. `#1` (orchestrator API) → `#7` (container image/command). |
| T1055 | Process Injection | #1 → #7 | Process Injection: insert attacker code/data into the address space of a live legitimate process via designed inter-process memory APIs (`OpenProcess`, `WriteProcessMemory`, `CreateRemoteThread`, `ptrace`, `/proc/PID/mem`). `#1` per R-ABUSE; the injected code subsequently executes in the target process — `#7` per R-EXEC. Path: `\|[process][@procA→@procB]\| #1 → #7` (intra-system boundary marks the cross-process step). Cluster corrected from prior `#1 \| #2` — process injection is fundamentally `#1 → #7`; the `#2` framing was misleading. |
| T1055.001 | Process Injection: Dynamic-link Library Injection | #1 → #7 | DLL Injection: write attacker DLL path into target process and call `LoadLibrary` via remote thread (or equivalent), causing `DllMain` to run in the target. `#1 → #7` per R-EXEC. `\|[process][@procA→@procB]\|`. |
| T1055.002 | Portable Executable Injection | #1 → #7 | Portable Executable Injection: write a complete PE image into target process memory, fix relocations and IAT, then create a thread at the entry point. `#1 → #7`. `\|[process][@procA→@procB]\|`. |
| T1055.003 | Process Injection: Thread Execution Hijacking | #1 → #7 | Thread Execution Hijacking: suspend a thread in target process, redirect its context to attacker code, resume. `#1 → #7`. `\|[process][@procA→@procB]\|`. |
| T1055.004 | Process Injection: Asynchronous Procedure Call | #1 → #7 | Asynchronous Procedure Call: queue an APC pointing to attacker code in a target thread (`QueueUserAPC`); fires when the thread enters alertable wait. `#1 → #7`. `\|[process][@procA→@procB]\|`. |
| T1055.005 | Process Injection: Thread Local Storage | #1 → #7 | Thread Local Storage: hijack TLS callbacks of a target binary so attacker code runs at TLS init points. `#1 → #7`. `\|[process][@procA→@procB]\|`. |
| T1055.008 | Ptrace System Calls | #1 → #7 | Ptrace System Calls (Linux): attach to target process via `ptrace`, write attacker code into its memory, redirect execution. `#1 → #7`. `\|[process][@procA→@procB]\|`. (Read-only ptrace use for credential access is a different technique — see T1003.007.) |
| T1055.009 | Proc Memory | #1 → #7 | Proc Memory (`/proc/PID/mem`): write attacker code into target process via `/proc` filesystem and trigger execution. `#1 → #7`. `\|[process][@procA→@procB]\|`. |
| T1055.011 | Process Injection: Extra Window Memory Injection | #1 → #7 | Extra Window Memory Injection: store attacker code/path in window-class extra memory of a target process; trigger via crafted message dispatch. `#1 → #7`. `\|[process][@procA→@procB]\|`. |
| T1055.012 | Process Hollowing | #1 → #7 | Process Hollowing: create a target process suspended, unmap its memory, write attacker PE in its place, set context, resume. The "hollow" appears as the legit process but runs attacker code. `#1 → #7`. |
| T1055.013 | Process Doppelgänging | #1 → #7 | Process Doppelgänging: leverage transactional NTFS so on-disk file appears legitimate while a different (attacker) image is mapped into the new process. `#1 → #7`. |
| T1055.014 | Process Injection: VDSO Hijacking | #1 → #7 | VDSO Hijacking (Linux): patch the vDSO mapping in target process so syscalls trampoline through attacker code. `#1 → #7`. `\|[process][@procA→@procB]\|`. |
| T1055.015 | Process Injection: ListPlanting | #1 → #7 | ListPlanting: place attacker code pointer in a SysListView32-controlled list whose accelerator key dispatch routes to attacker code in the target. `#1 → #7`. `\|[process][@procA→@procB]\|`. |
| T1056 | Input Capture | #1 \| #7 | Input capture acquires credentials and other sensitive input. Modes: (`#1`) abuse of designed input/accessibility APIs; (`#7`) malware-implemented capture. R-CRED: captured credentials are subsequently used in a separate `#4` step. Collection-tactic outcome: `[DRE: C]` — captured input data is in attacker hands. |
| T1056.001 | Input Capture: Keylogging | #1 \| #7 | Keylogging: (`#1`) abuse of keyboard-hook / raw-input / accessibility APIs; (`#7`) malware-implemented keylogger. (Hardware keyloggers introduce a `#8` step at insertion.) Outcome `[DRE: C]` for captured keystrokes; subsequent application of captured credentials is a separate `#4` step per R-CRED. |
| T1056.002 | Input Capture: GUI Input Capture | (#1 \| #7) → #9 | GUI Input Capture: fake credential prompt that mimics a legitimate dialog. Rendered via designed UI APIs (`#1`) or by malware (`#7`); user induced to enter credentials into the impostor prompt — `#9`. Outcome `[DRE: C]` for captured credentials; subsequent application is `#4` per R-CRED. |
| T1056.003 | Input Capture: Web Portal Capture | #1 \| #7 | Web Portal Capture: attacker modifies a legitimate, trusted web portal so user logins flow to attacker collection. Modes: (`#1`) server-side modification, (`#7`) malware on the portal server. Outcome `[DRE: C]` for captured credentials; subsequent application is `#4` per R-CRED. |
| T1056.004 | Input Capture: Credential API Hooking | #1 \| #7 | Credential API Hooking: hook authentication APIs (`LsaLogonUser`, PAM modules, browser auth callbacks) to intercept credentials. Modes: (`#1`) abuse of designed hooking APIs; (`#7`) malware-implemented hook. Outcome `[DRE: C]`; subsequent `#4` per R-CRED. |
| T1057 | Process Discovery | #1 | Process Discovery: enumerate running processes via `tasklist`, `ps`, `Get-Process`, `EnumProcesses`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1059 | Command and Scripting Interpreter | #1 → #7 | Command and Scripting Interpreter parent: invoke a legitimate, signed interpreter (`#1` — its execution function is designed) to proxy attacker-supplied commands or scripts (`#7` per R-EXEC). The canonical LOLBAS pattern. Both steps must be recorded — the interpreter is benign software, the script content is FEC. |
| T1059.001 | PowerShell | #1 → #7 | PowerShell: `powershell.exe`, `pwsh`, .NET PowerShell host APIs invoke attacker-supplied script content (encoded commands, downloaded scripts, embedded payloads). `#1` (signed interpreter) → `#7` (script as FEC). |
| T1059.002 | Command and Scripting Interpreter: AppleScript | #1 → #7 | AppleScript / `osascript`: macOS scripting facility executes attacker-supplied AppleScript/JXA. `#1` → `#7`. |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | #1 → #7 | Windows Command Shell (`cmd.exe`): runs attacker-supplied batch scripts or chained commands. `#1` → `#7`. |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | #1 → #7 | Unix shells (`bash`, `sh`, `zsh`, `dash`, `ksh`): execute attacker-supplied shell scripts, one-liners, or piped command streams. `#1` → `#7`. |
| T1059.005 | Command and Scripting Interpreter: Visual Basic | #1 → #7 | Visual Basic (VBScript via `wscript`/`cscript`, VBA in Office documents): executes attacker-supplied macros and scripts. `#1` → `#7`. |
| T1059.006 | Python | #1 → #7 | Python (`python.exe`/`python3`): legitimate interpreter executes attacker-supplied scripts (often pulled from staging URL or embedded in dropped file). `#1` → `#7`. |
| T1059.007 | Command and Scripting Interpreter: JavaScript | #1 → #7 | JavaScript (Node.js, Windows Script Host `wscript`/`cscript` with `.js`/`.jse`, browser JS engines via `mshta`/`jscript.dll`): runs attacker-supplied JS. `#1` → `#7`. |
| T1059.008 | Network Device CLI | #1 → #7 | Network Device CLI (Cisco IOS/NX-OS shells, JunOS CLI, network OS scripting): when used to execute attacker-supplied scripts, configuration injections, or staged binaries. `#1` (designed CLI/scripting feature) → `#7` (attacker-supplied content). Cluster corrected from prior `#1 \| #7` to `#1 → #7` for consistency with sibling sub-techniques and to satisfy R-EXEC when attacker content runs. |
| T1059.009 | Command and Scripting Interpreter: Cloud API | #1 → #7 | Cloud API CLI (`aws`, `az`, `gcloud`, vendor SDKs, cloud shells): when invoking attacker-supplied scripts or arbitrary commands via the cloud control plane (`aws ssm send-command`, `az vm run-command`, GCP startup scripts). `#1` → `#7`. |
| T1059.010 | Command and Scripting Interpreter: AutoHotKey & AutoIT | #1 → #7 | AutoHotKey / AutoIT: legitimate scripting/automation interpreters that adversaries leverage as compiled-script droppers. `#1` (designed interpreter) → `#7` (attacker script). |
| T1059.011 | Command and Scripting Interpreter: Lua | #1 → #7 | Lua: embedded scripting in many applications (game runtimes, network devices, monitoring agents) used by adversaries to execute attacker scripts inside the host application. `#1` → `#7`. |
| T1059.012 | Command and Scripting Interpreter: Hypervisor CLI | #1 → #7 | Hypervisor CLI (`esxcli`, `vim-cmd`, `vsish` on ESXi): hypervisor management interface used to run attacker-supplied commands or staged binaries on the host. `#1` → `#7`. |
| T1059.013 | Command and Scripting Interpreter: Container CLI/API | #1 → #7 | Container CLI/API (`docker exec`, `kubectl exec`, `crictl`, runtime APIs): designed container-runtime functions used to invoke commands inside attacker-targeted containers. `#1` (designed API) → `#7` (attacker-supplied command/payload inside container). |
| T1069 | Permission Groups Discovery | #1 | Permission Groups Discovery: enumerate groups and group memberships via `net group`, `net localgroup`, `Get-ADGroup`, IAM API listings. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1069.001 | Permission Groups Discovery: Local Groups | #1 | Local Permission Groups: enumerate local groups and members via `net localgroup`, `Get-LocalGroupMember`, `/etc/group`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1069.002 | Permission Groups Discovery: Domain Groups | #1 | Domain Permission Groups: enumerate AD groups and members via `net group /domain`, `Get-ADGroup`, LDAP queries. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1069.003 | Permission Groups Discovery: Cloud Groups | #1 | Cloud Permission Groups: enumerate cloud IAM groups, roles, and bindings via `aws iam list-groups`, `az role assignment list`, `gcloud iam` listings. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1070 | Indicator Removal | #1 | Indicator Removal: clear, modify, or relocate forensic artifacts (logs, history, files, persistence, mailbox). Designed admin/maintenance tools used to delete/edit data — `#1` per R-ABUSE. |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | #1 | Clear Windows Event Logs: `wevtutil cl`, `Clear-EventLog`, EventLog API clear. `#1`. |
| T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | #1 | Clear Linux/macOS System Logs: truncate or delete `/var/log/*`, `journalctl --rotate`, `wtmp`/`utmp` editing. `#1`. |
| T1070.003 | Indicator Removal: Clear Command History | #1 | Clear Command History: truncate `.bash_history`, `HISTFILE` redirection, PowerShell history clear. `#1`. |
| T1070.004 | Indicator Removal: File Deletion | #1 | File Deletion: delete attacker artifacts via designed file-system functions. `#1`. |
| T1070.005 | Network Share Connection Removal | #1 | Network Share Connection Removal: `net use /delete`, `Remove-SmbMapping` to remove share-connection traces. `#1`. |
| T1070.006 | Indicator Removal: Timestomp | #1 | Timestomp: modify file MAC timestamps via designed file-attribute APIs (`SetFileTime`, `touch`). `#1`. |
| T1070.007 | Indicator Removal: Clear Network Connection History and Configurations | #1 | Clear Network Connection History: remove cached SMB/RDP/proxy connection history via designed config APIs/registry. `#1`. |
| T1070.008 | Indicator Removal: Clear Mailbox Data | #1 | Clear Mailbox Data: delete mail items via designed mail APIs (`Remove-Mailbox`, EWS, Graph) to remove evidence of attacker mailbox activity. `#1`. |
| T1070.009 | Indicator Removal: Clear Persistence | #1 | Clear Persistence: remove the persistence artifact after it has served its purpose (delete scheduled task, remove service, unregister extension). `#1`. |
| T1070.010 | Indicator Removal: Relocate Malware | #1 | Relocate Malware: move attacker binary between locations using designed file operations to evade location-based heuristics. `#1`. |
| T1072 | Software Deployment Tools | #1 → #7 | Software deployment systems (SCCM, BigFix, Intune, Jamf, Tanium, Salt, Ansible) are designed to push and execute code on managed endpoints. An attacker who controls the deployment tool uses its designed function to push attacker-supplied content (`#1`); on every target host, foreign executable content runs (`#7` per R-EXEC). Path: `#1 → #7`. Each managed endpoint receives its own `#7` step in the realized incident path. |
| T1074 | Data Staged | #1 | Move collected data into a chosen location (local or remote) prior to exfiltration. Uses designed file-management functions — `#1` per R-ABUSE. No additional DRE at this step: the confidentiality breach was incurred at the original collection step; staging is intra-attacker movement. |
| T1074.001 | Data Staged: Local Data Staging | #1 | Local Data Staging: collected data placed in a local directory chosen for low-monitoring exposure or to consolidate. `#1`. (No incremental DRE; see T1074 parent.) |
| T1074.002 | Remote Data Staging | #1 | Remote Data Staging: collected data moved to a remote intermediate location (compromised host, cloud bucket, attacker-staging system) before final exfiltration. `#1`. (No incremental DRE.) |
| T1080 | Taint Shared Content | #1 → #7 | Attacker writes malicious files (or modifies legitimate files) on shared internal locations — network drives, code repositories, document libraries, package caches — using legitimate file-write functions with whatever access their foothold has (`#1`). Other @Org users subsequently access the tainted content and FEC executes on their hosts (`#7` per R-EXEC). Cluster corrected from prior `#8 → #7` (which mistakenly classified network-share placement as physical attack). Path: `#1 → #7`. When the victim's decision to open the content relies on social engineering (file looks legitimate / impersonates a known artifact), insert `→ #9` between the placement and execution: `#1 → #9 → #7`. |
| T1082 | System Information Discovery | #1 | System Information Discovery: enumerate OS, hardware, version, and architecture details via `systeminfo`, `uname -a`, `Get-ComputerInfo`, sysctl/sysfs reads, cloud `DescribeInstance` APIs. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1083 | File and Directory Discovery | #1 | File and Directory Discovery: enumerate files and directory structure via `dir`, `ls`, `tree`, `Get-ChildItem`, `find`, file-system APIs. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1087 | Account Discovery | #1 | Account Discovery: enumerate user accounts on the system or in the directory via `net user`, `Get-ADUser`, `dscl`, IAM API listings. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1087.001 | Account Discovery: Local Account | #1 | Local Account Discovery: enumerate local user accounts via `net user`, `/etc/passwd`, `Get-LocalUser`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1087.002 | Account Discovery: Domain Account | #1 | Domain Account Discovery: enumerate AD user accounts via `net user /domain`, `Get-ADUser`, LDAP queries. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1087.003 | Account Discovery: Email Account | #1 | Email Account Discovery: enumerate mailboxes and email-account metadata via Exchange/Graph API, GAL queries, `Get-Mailbox`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1087.004 | Account Discovery: Cloud Account | #1 | Cloud Account Discovery: enumerate cloud accounts and identities via `aws iam list-users`, `az ad user list`, `gcloud iam` listings, IdP API queries. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1090 | Proxy | #1 \| #7 | Proxy: route C2 traffic through one or more proxy hops. Modes: (`#1`) abuse of legitimate proxy services / network proxy functions; (`#7`) malware-implemented proxy. The proxy hops are transit between attacker and @Org — see sub-techniques for specific transit notation. |
| T1090.001 | Proxy: Internal Proxy | #1 \| #7 | Internal Proxy: a compromised @Org host relays C2 for other @Org hosts. The relay host is transit *within* @Org. Path: `(#1 \| #7) \|\|[network][@External⇒@OrgRelay→@Org]\|\|` — `#1` if relay uses designed forwarding functions (SOCKS proxy, port forwarding utilities), `#7` if the relay is a malware-implemented proxy. |
| T1090.002 | Proxy: External Proxy | #1 \| #7 | External Proxy: third-party proxy service (commercial proxy, residential proxy, attacker-rented infrastructure) sits between attacker and @Org. The external proxy is transit. Path: `(#1 \| #7) \|\|[network][@External⇒@Proxy→@Org]\|\|`. |
| T1090.003 | Multi-hop Proxy | #1 \| #7 | Multi-hop Proxy: chained proxies (Tor, multi-hop VPNs, layered relays) between attacker and @Org for attribution evasion. Path: `(#1 \| #7) \|\|[network][@External⇒@HopN⇒…⇒@Hop1→@Org]\|\|`. Multi-hop transit is the canonical use case for chained `⇒` operators. |
| T1090.004 | Proxy: Domain Fronting | #1 \| #7 | Domain Fronting: attacker C2 traffic is routed through a CDN whose front-end serves multiple domains; the SNI/Host mismatch hides the true backend. The CDN is transit. Path: `(#1 \| #7) \|\|[network][@External⇒@CDN→@Org]\|\|`. Cluster `#1` reflects abuse of the CDN's designed multi-tenant routing; `#7` reflects malware-implemented domain-fronting clients. |
| T1095 | Non-Application Layer Protocol | #1 \| #7 | Non-Application Layer Protocol C2: malware communicates over network layers below the application layer (raw IP, ICMP, custom L4). Modes: (`#1`) abuse of designed protocol facilities (raw sockets, ICMP echo data field); (`#7`) malware-implemented protocol speaking. Path: `(#1 \| #7) \|\|[network][@Org→@External]\|\|`. |
| T1098 | Account Manipulation | #1 | Account Manipulation: modify identity-management state (add credential, grant role, register device, change MFA, edit `authorized_keys`) via designed identity-management functions. `#1` per R-ABUSE. No FEC executes at this step — the persistence is the standing access; attacker's subsequent use of that access is a separate `#4` step per R-CRED. |
| T1098.001 | Account Manipulation: Additional Cloud Credentials | #1 | Additional Cloud Credentials: attach an extra access key, service-principal secret, or client certificate to an account via designed cloud IAM APIs. `#1`. Subsequent use is `#4`. |
| T1098.002 | Account Manipulation: Additional Email Delegate Permissions | #1 | Additional Email Delegate Permissions: grant attacker (or attacker-controlled identity) delegate access to a target mailbox via designed mail/Exchange APIs. `#1`. Subsequent mailbox access is `#4 → #1`. |
| T1098.003 | Account Manipulation: Additional Cloud Roles | #1 | Additional Cloud Roles: attach extra IAM roles/policies to an attacker-controlled account via designed IAM APIs. `#1`. Subsequent action under those roles is `#4 → #1`. |
| T1098.004 | SSH Authorized Keys | #1 | SSH Authorized Keys: append attacker public key to `~/.ssh/authorized_keys` via designed file-write. `#1`. Subsequent SSH login with the matching private key is `#4`. |
| T1098.005 | Account Manipulation: Device Registration | #1 | Device Registration: register attacker-controlled device into the @Org IdP (AD/Azure AD/Okta) so it appears as a trusted device. `#1`. Subsequent device-conditional auth flows are `#4`. |
| T1098.006 | Account Manipulation: Additional Container Cluster Roles | #1 | Additional Container Cluster Roles: attach extra Kubernetes RBAC `RoleBinding`/`ClusterRoleBinding` to attacker identity via designed kube-API. `#1`. |
| T1098.007 | Account Manipulation: Additional Local or Domain Groups | #1 | Additional Local or Domain Groups: add account to a privileged group (Administrators, Domain Admins, sudo) via designed group-management functions. `#1`. |
| T1102 | Web Service | #1 | Web Service C2: attacker uses a legitimate third-party web service (Twitter/X, GitHub Gists, Pastebin, Discord, cloud storage) as a relay or dead drop. The web service is transit. Path: `#1 \|\|[network][@Org⇒@WebService→@External]\|\|`. `#1` per R-ABUSE — the service's designed publish/read functions are used for unintended purpose. |
| T1102.001 | Web Service: Dead Drop Resolver | #1 | Dead Drop Resolver: malware reads attacker C2 endpoint or commands posted by attacker on a public web service (forum post, gist, paste, social-media bio). Service is transit. Path: `#1 \|\|[network][@Org⇒@WebService→@External]\|\|`. |
| T1102.002 | Web Service: Bidirectional Communication | #1 | Bidirectional Communication via web service: malware reads commands and posts results through a legitimate third-party platform. Service is transit. Path: `#1 \|\|[network][@Org⇒@WebService→@External]\|\|`. |
| T1102.003 | Web Service: One-Way Communication | #1 | One-Way Communication via web service: outbound-only signal/exfil to a legitimate third-party endpoint, no inbound from C2. Service is transit. Path: `#1 \|\|[network][@Org⇒@WebService→@External]\|\|`. |
| T1104 | Multi-Stage Channels | #1 \| #7 | Multi-Stage Channels: separate channels for stages of C2 (initial beacon, control, exfil), often using different protocols/services. Modes: (`#1`) abuse of legitimate services per stage; (`#7`) malware-implemented multi-channel coordination. Each stage may have its own boundary/transit annotation. |
| T1105 | Ingress Tool Transfer | #1 | Ingress Tool Transfer: copy attacker tools/files into @Org from external infrastructure over a C2 channel. The transfer step itself uses designed network/transfer functions (HTTP download, BITS, `certutil -urlcache`, OS file-download APIs) — `#1` per R-ABUSE. Cluster corrected from prior `#7`: the transfer doesn't execute foreign code at the moment of transfer — the file is moved, not run. R-EXEC fires later when/if the transferred tool actually executes (recorded as a separate `#7` step). Path: `#1 \|\|[network][@External→@Org]\|\|` (the subsequent execution step is classified per its own technique). |
| T1106 | Native API | #1 → #7 | Native API: invoke OS APIs directly (`CreateProcess`, `NtCreateThreadEx`, `LoadLibrary`, `mprotect`+`mmap`, `posix_spawn`) to bypass higher-level execution wrappers and run attacker-supplied code. The API call itself is designed function abuse (`#1`); the resulting attacker-controlled execution is `#7` per R-EXEC. Path: `#1 → #7`. |
| T1111 | Multi-Factor Authentication Interception | #1 → #5 | MFA interception captures the second factor in transit: (`#1`) abuse of MFA-related functions (push approval relays, OTP-relay malware on the user device, abuse of SMS forwarding); (`#5`) AiTM proxy intercepting the OTP between user and IdP. Path: `#1 → #5` (representative chain). R-CRED: the captured factor is subsequently combined with the password and applied as a `#4` step. (See T1621 for the user-approval-under-fatigue mode, which adds `#9`.) |
| T1112 | Modify Registry | #1 | Modify Registry: write/delete registry values via designed registry APIs (`RegSetValueEx`, `reg.exe`, PowerShell registry providers). The persistence value itself is configuration data — `#1` per R-ABUSE — no FEC at this step. (When the registry change configures an autostart/trigger that subsequently launches FEC, that combined chain is captured by the relevant T1547/T1546/T1574 entry as `#1 → #7`.) |
| T1113 | Screen Capture | #1 | Screen Capture: invoke designed graphics/screenshot APIs (`BitBlt`, `CGWindowListCreateImage`, `screencapture`, X11 screenshot) to capture the on-screen content. `#1` per R-ABUSE. Outcome `[DRE: C]` — visible data captured. Path: `#1 + [DRE: C]`. |
| T1115 | Clipboard Data | #1 | Clipboard Data: read clipboard contents via designed APIs (`GetClipboardData`, `pbpaste`, X11 clipboard, `Get-Clipboard`). `#1`. Outcome `[DRE: C]` — clipboard contents (often sensitive: passwords pasted, copied addresses, payment data) captured. Path: `#1 + [DRE: C]`. |
| T1119 | Automated Collection | #1 | Automated Collection: scripted enumeration and copy of files matching attacker criteria, via designed file-search and read APIs (`dir /s`, `Get-ChildItem -Recurse`, `find`, regex over file content). `#1` per R-ABUSE. Outcome `[DRE: C]`. Path: `#1 + [DRE: C]`. |
| T1120 | Peripheral Device Discovery | #1 | Peripheral Device Discovery: enumerate connected peripherals via `Get-PnpDevice`, WMI device queries, `lsusb`, `system_profiler SPUSBDataType`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1123 | Audio Capture | #1 | Audio Capture: invoke designed audio-input APIs (DirectShow, `AVAudioRecorder`, ALSA/PulseAudio capture, browser `getUserMedia`) to record from microphone. `#1` per R-ABUSE. Outcome `[DRE: C]` — audio (potentially sensitive conversations, dictated info) captured. Path: `#1 + [DRE: C]`. |
| T1124 | System Time Discovery | #1 | System Time Discovery: enumerate host time and time zone via `net time`, `w32tm`, `date`, `time` command, `GetSystemTime` API. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1125 | Video Capture | #1 | Video Capture: invoke designed camera-capture APIs (DirectShow, AVFoundation, V4L2, `getUserMedia`) to record from webcam. `#1`. Outcome `[DRE: C]`. Path: `#1 + [DRE: C]`. |
| T1127 | Trusted Developer Utilities Proxy Execution | #1 → #7 | Trusted Developer Utilities Proxy Execution: invoke a signed Microsoft developer utility (MSBuild, ClickOnce, JamPlus) so it processes/compiles/runs an attacker-supplied script or project. `#1` (signed utility used as designed) → `#7` (attacker code runs under the utility's trust per R-EXEC). Cluster corrected from prior `#1 \| #10` — no malicious artifact crosses a trust boundary here, so `#10` does not apply; this is a LOLBAS pattern (`#1 → #7`). |
| T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | #1 → #7 | MSBuild: invoke `msbuild.exe` against an attacker `.proj`/`.csproj` containing inline-task code. `#1 → #7`. |
| T1127.002 | Trusted Developer Utilities Proxy Execution: ClickOnce | #1 → #7 | ClickOnce: deploy attacker `.application`/`.appref-ms` ClickOnce package; `dfsvc.exe` downloads and runs it. `#1 → #7`. |
| T1127.003 | Trusted Developer Utilities Proxy Execution: JamPlus | #1 → #7 | JamPlus: invoke `jamplus.exe` with attacker `Jamfile.jam` containing build-rule actions that execute attacker commands. `#1 → #7`. |
| T1129 | Shared Modules | #1 → #7 | Shared module loading: invoke `LoadLibrary` / `dlopen` / `LdrLoadDll` to load an attacker-supplied DLL/dylib/shared object that runs code in `DllMain`/initializer routines. `#1` (designed loader API) → `#7` (foreign module execution per R-EXEC). Path: `#1 → #7`. |
| T1132 | Data Encoding | #1 \| #7 | Data Encoding: encode C2 traffic using standard or non-standard schemes. Modes: (`#1`) reuse of designed system encoding APIs (Base64, gzip, JSON); (`#7`) malware-implemented encoding routine. |
| T1132.001 | Standard Encoding | #1 \| #7 | Standard Encoding: Base64, ASCII85, hex, gzip, etc. — typically reuses designed system APIs (`#1`) but may be malware-implemented (`#7`). |
| T1134 | Access Token Manipulation | #1 → #4 | Access Token Manipulation: duplicate, impersonate, or craft Windows access tokens via designed token APIs (`OpenProcessToken`, `DuplicateTokenEx`, `ImpersonateLoggedOnUser`, `LogonUser`). The manipulation step is `#1`. Operating under the new token is identity application — `#4` per R-CRED / Axiom X (the token IS an identity artifact). Path: `#1 → #4`. |
| T1134.001 | Access Token Manipulation: Token Impersonation/Theft | #1 → #4 | Token Impersonation/Theft: open another process's token, duplicate it, and impersonate. `#1 → #4`. |
| T1134.002 | Access Token Manipulation: Create Process with Token | #1 → #4 | Create Process with Token: `CreateProcessWithTokenW` to spawn a new process running under a stolen/duplicated token. `#1 → #4`. |
| T1134.003 | Access Token Manipulation: Make and Impersonate Token | #1 → #4 | Make and Impersonate Token: forge a token via `LogonUser` with stolen credentials and impersonate. `#1 → #4`. |
| T1134.004 | Parent PID Spoofing | #1 → #7 | Parent PID Spoofing: spawn attacker process with `STARTUPINFOEX` extended attributes pointing to a chosen parent PID (often a privileged process), so it inherits parent context and appears benign. `#1` (designed extended-attribute API) → `#7` (spawned attacker process runs FEC per R-EXEC). Cluster corrected from prior `#1`-only — the spawned process executing attacker code requires the `#7` step. |
| T1134.005 | SID-History Injection | #1 → #4 | SID-History Injection: write attacker-controlled SIDs into a domain account's `SIDHistory` attribute via designed AD APIs; account then carries those SIDs in tokens for cross-trust access. `#1` (designed AD attribute) → `#4` (token now authenticates with extra SIDs per R-CRED). |
| T1135 | Network Share Discovery | #1 | Network Share Discovery: enumerate available network shares via `net view`, `net share`, `Get-SmbShare`, SMB enumeration. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1136 | Create Account | #1 | Create Account: create a new identity (local user, domain user, cloud account) via designed identity-management functions. `#1`. No FEC at this step. Subsequent use of the new identity is `#4`. |
| T1136.001 | Create Account: Local Account | #1 | Create Local Account: `net user /add`, `New-LocalUser`, `useradd`. `#1`. |
| T1136.002 | Create Account: Domain Account | #1 | Create Domain Account: `New-ADUser`, `dsadd user`, AD UI add. `#1`. |
| T1136.003 | Create Account: Cloud Account | #1 | Create Cloud Account: `aws iam create-user`, Azure AD user-create, GCP service-account create. `#1`. |
| T1137 | Office Application Startup | #1 → #7 | Office Application Startup: register attacker macros/templates/forms/add-ins in designed Office startup locations (`Normal.dotm`, `XLSTART`, Outlook forms/rules/HomePage, COM/VSTO add-in registration). `#1` (designed Office extensibility) → `#7` (macro/add-in code runs each time Office starts or the trigger fires per R-EXEC). |
| T1137.001 | Office Template Macros | #1 → #7 | Office Template Macros: place malicious VBA in `Normal.dotm`, `XLSTART/Personal.xlsb`, or other global templates that Office auto-loads. `#1` → `#7`. |
| T1137.002 | Office Test | #1 → #7 | Office Test: abuse the legacy `HKCU\Software\Microsoft\Office test\Special\Perf` registry hook to load attacker DLL when Office launches. `#1` → `#7`. |
| T1137.003 | Outlook Forms | #1 → #7 | Outlook Forms: persist via custom Outlook form bound to an item type that Outlook auto-instantiates. `#1` → `#7`. |
| T1137.004 | Outlook Home Page | #1 → #7 | Outlook Home Page: set a malicious URL as a folder Home Page so Outlook renders attacker-controlled content (script execution context) on folder access. `#1` → `#7`. |
| T1137.005 | Outlook Rules | #1 → #7 | Outlook Rules: configure rules that execute scripts/applications on incoming-mail triggers via the legacy "run a script" rule action. `#1` → `#7`. |
| T1137.006 | Office Application Startup: Add-ins | #1 → #7 | Office Add-ins (COM/VSTO/Web Add-ins): register attacker add-in via designed add-in manifest/registry path; add-in code runs on Office launch. `#1` → `#7`. |
| T1176 | Software Extensions | #1 → #7 | Software Extensions: install attacker-controlled extension into a host application that auto-loads it (browser, IDE). `#1` (designed extension framework) → `#7` (extension code runs in host process per R-EXEC). |
| T1176.001 | Software Extensions: Browser Extensions | #1 → #7 | Browser Extensions: install attacker extension via Chrome/Edge/Firefox/Safari extension framework (forced install policy, manual sideload, web-store hijack). `#1` → `#7`. |
| T1176.002 | Software Extensions: IDE Extensions | #1 → #7 | IDE Extensions: install attacker extension into VS Code, JetBrains IDEs, Eclipse via the IDE's designed extension/plugin framework. `#1` → `#7`. |
| T1185 | Browser Session Hijacking | #1 → #4 | Browser Session Hijacking: attacker abuses browser features (extensions, debug protocols, man-in-the-browser injection) — `#1` — to ride the user's authenticated session and operate as that user against web services — `#4` per R-CRED (the session itself is the identity artifact at this step). Cluster corrected from prior `#1`-only — the `#4` step (impersonation through the hijacked session) was missing. Path: `#1 → #4 + [DRE: C]` (data accessed under the user's identity is C-breached). |
| T1187 | Forced Authentication | #1 → #4 | Forced authentication coerces a victim host or account into authenticating to attacker-controlled endpoints (UNC path injection, link in document forcing NTLM auth, captive-portal abuse). The coercion step abuses designed protocol behavior (`#1`); the captured authentication material is then applied — `#4` per R-CRED. (NTLM-relay variants insert a `→ #5` between `#1` and `#4` to capture the on-wire auth and relay it.) |
| T1197 | BITS Jobs | #1 → #7 | BITS Jobs: schedule a Background Intelligent Transfer Service job that downloads and/or executes attacker content. `#1` (designed BITS job mechanism via `bitsadmin`/PowerShell) → `#7` (transferred or `SetNotifyCmdLine` payload runs per R-EXEC). |
| T1201 | Password Policy Discovery | #1 | Password Policy Discovery: enumerate password complexity and lockout settings via `net accounts`, `Get-ADDefaultDomainPasswordPolicy`, `pam.d` reads. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1202 | Indirect Command Execution | #1 | Indirect Command Execution: invoke attacker commands through unusual designed proxies that don't look like shell calls (`forfiles`, `pcalua`, `bash -c` from non-shell contexts). `#1` per R-ABUSE. (When the proxied command runs FEC, append `→ #7`.) |
| T1205 | Traffic Signaling | #1 → #7 | Traffic Signaling: install a listener/signal-handler that wakes attacker-supplied code on a network trigger (port-knock sequence, magic packet via socket filter). `#1` (designed packet/socket facility) → `#7` (triggered FEC per R-EXEC). |
| T1205.001 | Port Knocking | #1 | Port Knocking: a sequence of connection attempts opens a hidden firewall port. Designed network/firewall functions used to gate access — `#1` per R-ABUSE. (When the unlocked port leads to FEC execution, append `→ #7` for the post-trigger step.) |
| T1205.002 | Traffic Signaling: Socket Filters | #1 → #7 | Socket Filters: install BPF/socket filter via designed kernel APIs that triggers attacker code on matching packets. `#1` → `#7` per R-EXEC. |
| T1207 | Rogue Domain Controller | #1 → #4 | Rogue Domain Controller (DCShadow): register a fake DC into the AD topology via designed AD replication APIs (`#1`); the rogue DC pushes attacker-crafted updates to legitimate DCs, including changes that grant attacker identity escalated rights — subsequent use of those rights is `#4` per R-CRED. Path: `#1 → #4`. |
| T1213 | Data from Information Repositories | #1 | Mine information repositories (wikis, document portals, code repos, CRMs, databases, chat archives) for valuable @Org data. Uses designed repository APIs / web UI / search — `#1` per R-ABUSE. Outcome `[DRE: C]`. Path: `#1 + [DRE: C]`. |
| T1213.001 | Data from Information Repositories: Confluence | #1 | Confluence: query Confluence pages and spaces via designed web UI / REST API for technical documentation, runbooks, credentials inadvertently posted, architecture diagrams. `#1`. Outcome `[DRE: C]`. |
| T1213.002 | Sharepoint | #1 | SharePoint: query SharePoint sites, document libraries, and lists via designed web UI / Graph API / SOAP services for policies, network diagrams, credentials inadvertently posted, source-code snippets. `#1` per R-ABUSE. Outcome `[DRE: C]`. Cluster corrected from prior `N/A` — the older rationale ("out of scope because post-compromise") would imply every Collection technique is `N/A`, which is internally inconsistent. SharePoint collection is no different in cluster terms from T1213.001 Confluence or T1213.005 Messaging Apps — all are `#1` reads from internal repositories. |
| T1213.003 | Data from Information Repositories: Code Repositories | #1 | Code Repositories: query internal Git/SVN/Mercurial servers (GitLab, Bitbucket, in-house Gitea) via designed APIs/UI for source code, secrets in commits, infrastructure-as-code. `#1`. Outcome `[DRE: C]`. |
| T1213.004 | Data from Information Repositories: Customer Relationship Management Software | #1 | Customer Relationship Management: query CRM systems (Salesforce, Dynamics, HubSpot) via designed APIs/UI for customer records, contract data, internal communications. `#1`. Outcome `[DRE: C]`. |
| T1213.005 | Data from Information Repositories: Messaging Applications | #1 | Messaging Applications: query chat platforms (Slack, Teams, Mattermost, Discord) via designed APIs/UI for shared credentials, links, sensitive discussion. `#1`. Outcome `[DRE: C]`. |
| T1213.006 | Data from Information Repositories: Databases | #1 | Databases: query database instances (RDBMS, NoSQL, data warehouses) via designed query interfaces (SQL, MQL, native APIs) for stored business data. `#1`. Outcome `[DRE: C]`. |
| T1216 | Signed Script Proxy Execution | #1 → #7 | Signed Script Proxy Execution: invoke a Microsoft-signed script (`.vbs`, `.js`, `.ps1`) that is part of Windows so it executes attacker-supplied content under that signature's trust. `#1 → #7` (LOLBAS). |
| T1216.001 | PubPrn | #1 → #7 | PubPrn (`pubprn.vbs`): signed Microsoft script that can be invoked to execute a remote `.sct` scriptlet. `#1 → #7`. |
| T1216.002 | System Script Proxy Execution: SyncAppvPublishingServer | #1 → #7 | SyncAppvPublishingServer: signed Microsoft script that accepts arbitrary PowerShell on its command line and executes it. `#1 → #7`. |
| T1217 | Browser Information Discovery | #1 | Browser Information Discovery: enumerate browser bookmarks, history, and stored data by reading the browser's SQLite databases through designed file-system access. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1218 | Signed Binary Proxy Execution | #1 → #7 | System Binary Proxy Execution: invoke a Microsoft-signed Windows utility so it runs attacker-supplied content under that binary's trust (LOLBAS pattern). `#1` (signed utility) → `#7` (attacker content per R-EXEC). |
| T1218.001 | System Binary Proxy Execution: Compiled HTML File | #1 → #7 | Compiled HTML File (`hh.exe` + `.chm`): execute attacker payload via compiled-help-file infrastructure. `#1 → #7`. |
| T1218.002 | System Binary Proxy Execution: Control Panel | #1 → #7 | Control Panel (`control.exe` + `.cpl`): execute attacker DLL with `.cpl` extension via Control Panel. `#1 → #7`. |
| T1218.003 | System Binary Proxy Execution: CMSTP | #1 → #7 | CMSTP (`cmstp.exe` + `.inf`): execute attacker scriptlet/DLL via Connection Manager Profile Installer. `#1 → #7`. |
| T1218.004 | System Binary Proxy Execution: InstallUtil | #1 → #7 | InstallUtil (`installutil.exe`): invoke .NET InstallUtil with attacker assembly that has `[RunInstaller]` callbacks. `#1 → #7`. |
| T1218.005 | Mshta | #1 → #7 | Mshta (`mshta.exe`): execute attacker `.hta` or inline HTML+VBScript/JScript. `#1 → #7`. |
| T1218.007 | Msiexec | #1 → #7 | Msiexec (`msiexec.exe`): install attacker MSI containing custom actions that run as SYSTEM. `#1 → #7`. |
| T1218.008 | Odbcconf | #1 → #7 | Odbcconf (`odbcconf.exe`): load attacker DLL via `REGSVR` action in a response file. `#1 → #7`. |
| T1218.009 | Regsvcs/Regasm | #1 → #7 | Regsvcs/Regasm: invoke .NET registration utilities with attacker COM-callable assembly. `#1 → #7`. |
| T1218.010 | Regsvr32 | #1 → #7 | Regsvr32 (`regsvr32.exe`): register attacker DLL or invoke remote `.sct` scriptlet. `#1 → #7`. |
| T1218.011 | Rundll32 | #1 → #7 | Rundll32 (`rundll32.exe`): execute exported function in attacker DLL. `#1 → #7`. |
| T1218.012 | System Binary Proxy Execution: Verclsid | #1 → #7 | Verclsid (`verclsid.exe`): invoke COM CLSID verification path that loads attacker COM object. `#1 → #7`. |
| T1218.013 | System Binary Proxy Execution: Mavinject | #1 → #7 | Mavinject (`mavinject.exe`): inject attacker DLL into a target process via designed App-V injection facility. `#1 → #7`. |
| T1218.014 | System Binary Proxy Execution: MMC | #1 → #7 | MMC (`mmc.exe`): invoke Microsoft Management Console with attacker `.msc` or snap-in to execute hosted code. `#1 → #7`. |
| T1218.015 | System Binary Proxy Execution: Electron Applications | #1 → #7 | Electron Applications: launch a signed Electron app (Teams, Discord, VS Code) with attacker arguments to load attacker JavaScript. `#1 → #7`. |
| T1219 | Remote Access Software | #1 \| #7 | Remote Access Software: install/use legitimate remote-access tools (TeamViewer, AnyDesk, ScreenConnect, RustDesk) for persistent attacker access. Modes: (`#1`) abuse of legitimate signed tool; (`#7`) attacker-customized or malware-bundled variant. The vendor cloud is often transit: `\|\|[network][@External⇒@VendorCloud→@Org]\|\|`. |
| T1219.001 | Remote Access Tools: IDE Tunneling | #1 \| #7 | IDE Tunneling (VS Code Remote-Tunnels, JetBrains Gateway): legitimate IDE tunneling features used for persistent reverse access. Vendor cloud is transit. Path: `(#1 \| #7) \|\|[network][@External⇒@VendorCloud→@Org]\|\|`. |
| T1219.002 | Remote Access Tools: Remote Desktop Software | #1 \| #7 | Remote Desktop Software (TeamViewer, AnyDesk, Splashtop, Chrome Remote Desktop): legitimate remote-desktop tools used for C2/access. Vendor cloud is transit. Path: `(#1 \| #7) \|\|[network][@External⇒@VendorCloud→@Org]\|\|`. |
| T1219.003 | Remote Access Tools: Remote Access Hardware | #1 \| #7 | Remote Access Hardware (out-of-band management, hardware KVM with network capability, IPMI/BMC misconfiguration): physical/firmware-level remote access leveraged for attacker C2. Cluster `#1` for designed management interfaces; `#7` if malicious firmware/agent is involved. |
| T1220 | XSL Script Processing | #1 → #7 | XSL Script Processing: invoke `wmic`, `msxsl`, or other designed XSL processors against attacker-supplied XSL containing `msxsl:script` or equivalent embedded code. `#1 → #7` (LOLBAS). |
| T1221 | Template Injection | #1 | Template Injection: weaponize Office document by setting its `Template` reference to a remote attacker URL; document open fetches and renders attacker template (often containing macros — chains to `#9 → #7` via T1204/T1137 follow-on). `#1` for the designed remote-template feature abused. |
| T1222 | File and Directory Permissions Modification | #1 | File and Directory Permissions Modification: change ACLs/permissions via designed file-permission APIs (`icacls`, `chmod`, `setfacl`) to grant attacker access or hide artifacts. `#1`. |
| T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | #1 | Windows File and Directory Permissions Modification: `icacls`, `cacls`, `Set-Acl`, `takeown`. `#1`. |
| T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | #1 | Linux/macOS File and Directory Permissions Modification: `chmod`, `chown`, `setfacl`, ACL APIs. `#1`. |
| T1482 | Domain Trust Discovery | #1 | Domain Trust Discovery: enumerate AD trust relationships via `nltest /domain_trusts`, `Get-ADTrust`, LDAP trust queries. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1484 | Domain or Tenant Policy Modification | #1 | Domain or Tenant Policy Modification: change AD/Azure AD/cloud-tenant policies (GPO, conditional access, federation trust) via designed policy-management functions to weaken controls or grant access. `#1` per R-ABUSE. No FEC at this step; subsequent attacker activity using the relaxed policy is recorded under its own technique. |
| T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | #1 | Group Policy Modification: edit existing or create new GPOs to deploy attacker-controlled settings/scripts to domain-joined hosts via designed GPO mechanism. `#1`. (When the GPO drops scripts/binaries that subsequently run on endpoints, those endpoint executions are separate `#7` steps in the path.) |
| T1484.002 | Domain or Tenant Policy Modification: Trust Modification | #1 | Trust Modification: modify federation/forest trust settings (add attacker-controlled IdP, change SAML signing, alter cross-tenant access) via designed trust-management APIs. `#1`. |
| T1485.001 | Data Destruction: Lifecycle-Triggered Deletion | #1 | Attacker configures cloud lifecycle policies (S3 lifecycle rules, GCS object lifecycle, Azure Blob policies) to schedule automated deletion of @Org data. The deletion is performed by the cloud platform per its designed function — no foreign code executes on @Org assets, so this is #1 Abuse of Functions per R-ABUSE, not #7. Outcome `[DRE: Av]` (data deleted on policy trigger). Path: `#1 + [DRE: Av]`. |
| T1489 | Service Stop | #1 | Stopping services through their designed control interfaces (`sc stop`, `net stop`, `systemctl stop`, service-manager APIs). #1 per R-ABUSE — admin functions used contrary to operational intent. Outcome `[DRE: A]` — services and dependent data flows unavailable while stopped. Path: `#1 + [DRE: A]`. |
| T1490 | Inhibit System Recovery | #1 | Abuse of legitimate recovery-management utilities (`vssadmin delete shadows`, `wbadmin delete catalog`, `bcdedit /set recoveryenabled no`, cloud snapshot deletion APIs) to remove backups, shadow copies, and boot-recovery options. #1 per R-ABUSE. Outcome `[DRE: Av]` — recoverable copies destroyed (typically a precursor to a follow-on encryption or wipe step that compounds the impact). Path: `#1 + [DRE: Av]`. |
| T1495 | Firmware Corruption | #1 | Firmware corruption typically uses legitimate firmware-update channels (UEFI flashing utilities, BMC/IPMI interfaces, vendor update APIs) to write malformed or attacker-controlled firmware images. The update interface is designed functionality — #1 per R-ABUSE. Outcome `[DRE: Av]` — device rendered inoperable until reflashed. Path: `#1 + [DRE: Av]`. (When the written firmware itself executes attacker code on subsequent boot, that execution step is classified separately as #7.) |
| T1496 | Resource Hijacking | #1 \| #7 | Resource hijacking spans two distinct cluster modes per sub-technique: (a) compute/bandwidth hijacking executes a foreign workload (cryptominer, proxy bot) on @Org assets — #7; (b) SMS pumping and cloud-service hijacking abuse @Org-owned messaging or cloud APIs without necessarily dropping a binary — #1. Parent classified as `#1 \| #7`; see sub-techniques for specific paths. Outcome typically degrades availability of the hijacked resource (`[DRE: A]`) when capacity is exhausted; pure financial-loss cases carry no DRE. |
| T1496.003 | Resource Hijacking: SMS Pumping | #1 | SMS pumping abuses @Org-controlled SMS-sending interfaces (Twilio, AWS SNS, in-app verification flows) to drive high-volume messages to attacker-controlled premium-rate numbers. The threat is abuse of the designed send function — #1 per R-ABUSE — with no foreign code executing on @Org assets. Primary impact is financial cost; quota exhaustion may also degrade legitimate use, in which case `[DRE: A]` applies. Path: `#1` (or `#1 + [DRE: A]` when quota is exhausted). Cluster corrected from prior `#7` (which described cryptomining, not SMS pumping). |
| T1496.004 | Resource Hijacking: Cloud Service Hijacking | #1 | Cloud service hijacking abuses @Org cloud control-plane APIs (after credential theft / account compromise) to spin up attacker-controlled workloads, send messages, or consume paid services. The threat is abuse of designed cloud-platform functions — #1 per R-ABUSE. Primary impact is financial; service quota or budget exhaustion may degrade legitimate use (`[DRE: A]`). Path: `#1` (or `#1 + [DRE: A]` when quotas hit). Cluster corrected from prior `#7` (which described cryptomining, not cloud-control-plane abuse). When the workload spun up is itself foreign attacker code running in the cloud account, that execution step is a separate #7. |
| T1505 | Server Software Component | #1 → #7 | Server Software Component: install/register attacker-controlled module in a server application's designed extension framework so the server loads and runs it. `#1` (designed component framework) → `#7` (module code runs in server per R-EXEC). |
| T1505.001 | SQL Stored Procedures | #1 → #7 | SQL Stored Procedures: create attacker stored procedure in a database, often with auto-execution triggers (startup procedure, login trigger). `#1` (designed procedure mechanism) → `#7`. |
| T1505.002 | Server Software Component: Transport Agent | #1 → #7 | Transport Agent (Exchange): register attacker assembly in Exchange transport-agent pipeline so it processes every routed mail. `#1` → `#7`. |
| T1505.003 | Server Software Component: Web Shell | #1 → #7 | Web Shell: place an attacker-supplied script (`.aspx`, `.jsp`, `.php`) in the web server's served directory using designed file-write access (`#1`); each attacker HTTP request invokes the script and the server interpreter runs it (`#7` per R-EXEC). Cluster corrected from prior `#7`-only — the placement step (`#1`) was missing. Path: `#1 → #7`. |
| T1505.004 | Server Software Component: IIS Components | #1 → #7 | IIS Components: register attacker IIS module/handler via designed IIS extensibility (`appcmd`, `web.config`) so requests trigger attacker code. `#1` → `#7`. |
| T1505.005 | Server Software Component: Terminal Services DLL | #1 → #7 | Terminal Services DLL: replace `TermService` DLL or hijack its load order so it runs attacker code at session start. `#1` → `#7`. |
| T1505.006 | Server Software Component: vSphere Installation Bundles | #1 → #7 | vSphere Installation Bundles (VIBs): install an attacker VIB into ESXi via designed VIB-install mechanism (often with weakened acceptance level). `#1` → `#7`. |
| T1518 | Software Discovery | #1 | Software Discovery: enumerate installed software and versions via `Get-WmiObject Win32_Product`, `wmic product`, package-manager listings, registry uninstall keys. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1518.001 | Security Software Discovery | #1 | Security Software Discovery: enumerate installed security tools (AV, EDR, firewalls) via service/process enumeration of known security products, registry checks for security-product keys. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1518.002 | Software Discovery: Backup Software Discovery | #1 | Backup Software Discovery: enumerate installed backup software via service/process enumeration; registry/config-file reads for backup products. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1525 | Implant Internal Image | #1 → #7 | Implant Internal Image: place attacker-modified image in a registry / catalog that @Org pulls from (internal container registry, golden VM image, AMI). `#1` (designed registry/catalog write) → `#7` (image runs FEC every time @Org launches a workload from it per R-EXEC). |
| T1526 | Cloud Service Discovery | #1 | Cloud Service Discovery: enumerate enabled cloud services in the tenant via `aws ec2 describe-*`, `az resource list`, `gcloud services list`, control-plane API enumeration. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1528 | Steal Application Access Token | (#1 \| #9) → #4 | Stealing OAuth / API access tokens: (`#1`) abuse of designed OAuth grant flows / token-endpoint behavior; (`#9`) **consent phishing** — user induced to grant a malicious app the requested scopes. Stolen token then applied to authenticate API calls — `#4` per R-CRED. Cluster expanded from prior `#1 → #4` to add `#9` for the consent-phishing variant which is the dominant pattern in many real intrusions. Path: `(#1 \| #9) → #4`. |
| T1529 | System Shutdown/Reboot | #1 \| #7 | System shutdown/reboot: (#1) via designed control interfaces (`shutdown`, `Restart-Computer`, ACPI APIs); or (#7) via foreign code that triggers shutdown as part of payload execution. Outcome `[DRE: A]` — system unavailable during downtime; in destructive scenarios may compound with wipe steps. Path: `#1 + [DRE: A]` or `#7 + [DRE: A]`. |
| T1531 | Account Access Removal | #1 \| #7 | Account access removal locks legitimate users out of their own accounts through (#1) abuse of identity-management APIs (password reset, account disable, key rotation) or (#7) malware that performs the same operations. Data remains present but accessibility is revoked from rightful users — `[DRE: Ac]`. Path: `#1 + [DRE: Ac]` or `#7 + [DRE: Ac]`. |
| T1535 | Unused/Unsupported Cloud Regions | #1 | Unused/Unsupported Cloud Regions: spin up attacker resources in cloud regions where @Org has no monitoring/policy coverage. Designed cloud region-selection feature abused — `#1`. |
| T1537 | Transfer Data to Cloud Account | #1 \| #7 | Data is moved within or between cloud providers to an attacker-controlled cloud account. Modes: (`#1`) the provider's own copy/transfer APIs invoked with @Org credentials (S3 cross-account copy, Azure Storage transfer, GCS rsync); (`#7`) malware on an @Org asset performing the transfer. Treat the cloud platform as transit between @Org and @External (attacker). Path: `(#1 \| #7) \|\|[network][@Org⇒@CloudProvider→@External]\|\| + [DRE: C]`. |
| T1538 | Cloud Service Dashboard | #1 | Cloud Service Dashboard: enumerate cloud-provider web console / dashboards via authenticated browsing of cloud admin portals (AWS Console, Azure Portal, GCP Console). Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1539 | Steal Web Session Cookie | #1 \| #7 | Stealing web session cookies is **acquisition**. Per R-CRED / Axiom X, acquisition maps to its enabling cluster — not to `#4`. Modes: (`#1`) abuse of designed browser cookie storage / process memory access; (`#7`) malware-implemented cookie stealer (infostealers, RATs). XSS-driven cookie theft adds a server-side `#2` step in the chain. AiTM cookie interception adds a `#5` step. Cluster corrected from prior `#4` (which conflated theft with application; the application step is T1550.004 = `#4`). Path: `#1 \| #7` here, then `→ #4` later when the cookie is applied. |
| T1543 | Create or Modify System Process | #1 → #7 | Create or Modify System Process: register attacker code as an OS service / agent / daemon so the OS auto-launches it at boot. `#1` (designed service-management) → `#7` (service binary runs per R-EXEC). |
| T1543.001 | Create or Modify System Process: Launch Agent | #1 → #7 | Launch Agent (macOS): place a `.plist` in `~/Library/LaunchAgents` or `/Library/LaunchAgents` so launchd starts attacker binary at user login. `#1` → `#7`. |
| T1543.002 | Create or Modify System Process: Systemd Service | #1 → #7 | Systemd Service (Linux): create a `.service` unit and enable it so systemd launches attacker binary at boot. `#1` → `#7`. |
| T1543.003 | Create or Modify System Process: Windows Service | #1 → #7 | Windows Service: register a service via SCM (`sc create`, `New-Service`) pointing to attacker binary. `#1` → `#7`. |
| T1543.004 | Create or Modify System Process: Launch Daemon | #1 → #7 | Launch Daemon (macOS): place a `.plist` in `/Library/LaunchDaemons` or `/System/Library/LaunchDaemons` for system-level autostart. `#1` → `#7`. |
| T1543.005 | Create or Modify System Process: Container Service | #1 → #7 | Container Service: register attacker container as a system service in the container runtime (Kubernetes DaemonSet, systemd-managed Docker container). `#1` → `#7`. |
| T1546 | Event Triggered Execution | #1 → #7 | Event Triggered Execution: bind attacker code to a designed event-handling mechanism so it runs whenever the event fires (file open, screensaver, WMI event, shell login, image execution option, COM activation). `#1` (designed event mechanism) → `#7` (FEC at event time per R-EXEC). |
| T1546.001 | Event Triggered Execution: Change Default File Association | #1 → #7 | Change Default File Association: rebind a common file extension to attacker binary via registry / desktop-environment association. Opens of that file type now trigger attacker code. `#1` → `#7`. |
| T1546.002 | Screensaver | #1 → #7 | Screensaver: replace the configured screensaver `.scr` (which is just an executable) so attacker code runs on screensaver activation. `#1` → `#7`. |
| T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | #1 → #7 | WMI Event Subscription: register WMI permanent event subscription (`__EventFilter` + `CommandLineEventConsumer`) so WMI runs attacker command on a chosen event. `#1` → `#7`. |
| T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | #1 → #7 | Unix Shell Configuration Modification: append attacker command to `.bashrc`, `.zshrc`, `.profile`, `/etc/bash.bashrc`. Each shell start runs the command. `#1` → `#7`. |
| T1546.005 | Event Triggered Execution: Trap | #1 → #7 | Trap (Unix shell): register a `trap` handler in shell config that runs attacker code on signals (e.g., `EXIT`). `#1` → `#7`. |
| T1546.006 | Event Triggered Execution: LC_LOAD_DYLIB Addition | #1 → #7 | LC_LOAD_DYLIB Addition (macOS): inject a `LC_LOAD_DYLIB` command into a Mach-O binary so it loads attacker dylib at launch. `#1` → `#7`. |
| T1546.007 | Netsh Helper DLL | #1 → #7 | Netsh Helper DLL: register attacker DLL as a `netsh` helper. Each `netsh` invocation loads it. `#1` → `#7`. |
| T1546.008 | Event Triggered Execution: Accessibility Features | #1 → #7 | Accessibility Features: replace accessibility binaries (`sethc.exe`, `utilman.exe`) or hijack their image-file-execution-options so login-screen activation runs attacker code (often as SYSTEM). `#1` → `#7`. |
| T1546.009 | Event Triggered Execution: AppCert DLLs | #1 → #7 | AppCert DLLs: register attacker DLL in `HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls`. Loaded into every process that calls `CreateProcess`. `#1` → `#7`. |
| T1546.010 | Event Triggered Execution: AppInit DLLs | #1 → #7 | AppInit DLLs: register attacker DLL in `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs`. Loaded into every user32-linked process. `#1` → `#7`. |
| T1546.011 | Event Triggered Execution: Application Shimming | #1 → #7 | Application Shimming: register attacker shim via Application Compatibility Database (`.sdb`) so it intercepts API calls of targeted applications. `#1` → `#7`. |
| T1546.012 | Event Triggered Execution: Image File Execution Options Injection | #1 → #7 | Image File Execution Options Injection: set `Debugger` value under IFEO key for a target executable so the OS launches attacker binary in its place. `#1` → `#7`. |
| T1546.013 | PowerShell Profile | #1 → #7 | PowerShell Profile: append attacker code to user/all-users PowerShell profile (`$PROFILE`); runs on every PowerShell start. `#1` → `#7`. |
| T1546.014 | Event Triggered Execution: Emond | #1 → #7 | Emond (macOS, deprecated): register attacker rule in the Event Monitor daemon. `#1` → `#7`. |
| T1546.015 | Event Triggered Execution: Component Object Model Hijacking | #1 → #7 | COM Hijacking: replace or insert a CLSID that legitimate software resolves at runtime so attacker DLL loads instead. `#1` → `#7`. |
| T1546.016 | Event Triggered Execution: Installer Packages | #1 → #7 | Installer Packages (macOS): register attacker pre/post-install scripts in a `.pkg` and trigger install. `#1` → `#7`. |
| T1546.017 | Event Triggered Execution: Udev Rules | #1 → #7 | Udev Rules (Linux): place a udev rule in `/etc/udev/rules.d` that runs attacker command on hardware events. `#1` → `#7`. |
| T1546.018 | Event Triggered Execution: Python Startup Hooks | #1 → #7 | Python Startup Hooks: place attacker code in `sitecustomize.py` / `usercustomize.py` / `PYTHONSTARTUP` so it runs on every Python interpreter start. `#1` → `#7`. |
| T1547 | Boot or Logon Autostart Execution | #1 → #7 | Boot or Logon Autostart Execution: register attacker code in a designed autostart location so the OS launches it at boot or user logon. `#1` (designed autostart mechanism) → `#7` (FEC at start per R-EXEC). |
| T1547.001 | Registry Run Keys / Startup Folder | #1 → #7 | Registry Run Keys / Startup Folder: write attacker binary path to `HKCU/HKLM ...\Run` keys or place a shortcut in the user/all-users Startup folder. `#1` → `#7`. |
| T1547.002 | Boot or Logon Autostart Execution: Authentication Package | #1 → #7 | Authentication Package: register attacker DLL under the LSA `Authentication Packages` registry value so LSA loads it at boot. `#1` → `#7`. (Often co-occurs with T1556 auth-process modification.) |
| T1547.003 | Boot or Logon Autostart Execution: Time Providers | #1 → #7 | Time Providers: register attacker DLL as a W32Time time provider; loaded into the W32Time service at boot. `#1` → `#7`. |
| T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | #1 → #7 | Winlogon Helper DLL: hijack `Winlogon\Notify`, `Userinit`, or `Shell` registry values to load attacker DLL/EXE during logon. `#1` → `#7`. |
| T1547.005 | Security Support Provider | #1 → #7 | Security Support Provider: register attacker DLL as an SSP loaded by LSA at boot. `#1` → `#7`. |
| T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | #1 → #7 | Kernel Modules and Extensions: install attacker kernel module (`.ko` Linux, KEXT macOS) so the kernel loads attacker code at boot. `#1` (designed module-load) → `#7` (kernel-mode FEC per R-EXEC). |
| T1547.007 | Re-opened Applications | #1 → #7 | Re-opened Applications (macOS): mark attacker app for relaunch via the saved-state mechanism so it auto-launches on next login. `#1` → `#7`. |
| T1547.008 | Boot or Logon Autostart Execution: LSASS Driver | #1 → #7 | LSASS Driver: register attacker driver/DLL loaded by LSASS at boot. `#1` → `#7`. |
| T1547.009 | Shortcut Modification | #1 → #7 | Shortcut Modification: edit a `.lnk`/desktop shortcut to point to attacker binary or an additional command. `#1` → `#7`. |
| T1547.010 | Port Monitors | #1 → #7 | Port Monitors: register attacker DLL as a print spooler port monitor; loaded by the `Spooler` service at boot. `#1` → `#7`. |
| T1547.011 | Plist Modification | #1 → #7 | Plist Modification (macOS): edit a property-list (`.plist`) file that macOS uses to configure login items and other startup behaviour so it points to an attacker payload, which then launches at the next login or boot. `#1` (designed plist configuration mechanism) → `#7` (payload runs per R-EXEC). |
| T1547.012 | Print Processors | #1 → #7 | Print Processors: register attacker DLL as a print processor; loaded by the `Spooler` service at boot. `#1` → `#7`. |
| T1547.013 | Boot or Logon Autostart Execution: XDG Autostart Entries | #1 → #7 | XDG Autostart Entries (Linux desktop): place attacker `.desktop` file in `~/.config/autostart` or `/etc/xdg/autostart`. Runs at user login. `#1` → `#7`. |
| T1547.014 | Boot or Logon Autostart Execution: Active Setup | #1 → #7 | Active Setup: register attacker `StubPath` under `HKLM\Software\Microsoft\Active Setup\Installed Components`. Runs once per user at logon. `#1` → `#7`. |
| T1547.015 | Boot or Logon Autostart Execution: Login Items | #1 → #7 | Login Items (macOS): register attacker app via Service Management framework (`SMAppService`) or legacy `LSSharedFileList`. Runs at user login. `#1` → `#7`. |
| T1548 | Abuse Elevation Control Mechanism | #1 → #7 | Abuse Elevation Control Mechanism: trick or piggy-back on a designed elevation mechanism (UAC, sudo, polkit, cloud assume-role, macOS TCC) so attacker code runs at higher privilege without exploiting a flaw. `#1` (designed elevation feature abused) → `#7` (elevated FEC per R-EXEC). |
| T1548.001 | Setuid and Setgid | #1 → #7 | Setuid and Setgid: set the setuid/setgid bit on an attacker-controlled binary via `chmod` / `fchmod` (designed file-mode functions). When the binary is later invoked it runs with elevated privilege — `#1 → #7` per R-EXEC. Cluster corrected from prior `#1`-only for the case where the setuid target is attacker code (the `#7` step at execution was missing). When the bit is instead set on an existing legitimate binary (a shell or interpreter with weak ACLs) to enable later privilege abuse without foreign code, `#1`-only may be appropriate. |
| T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | #1 → #7 | Bypass User Account Control: leverage auto-elevating Windows binaries, mock-trusted-directory tricks, or COM hijacking against signed elevated processes to run attacker code without UAC prompt. `#1 → #7`. |
| T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | #1 → #7 | Sudo and Sudo Caching: abuse sudo timestamp caching, `sudoers` misconfiguration (`NOPASSWD`, command wildcards), or `sudo -n` checks to run attacker command as root. `#1 → #7`. |
| T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt | #1 → #7 | Elevated Execution with Prompt (macOS): use `AuthorizationExecuteWithPrivileges` (designed legacy API) to ask for admin-prompt elevation; user approval yields elevated FEC. `#1 → #7` (often in conjunction with `→ #9` when prompt is socially engineered). |
| T1548.005 | Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access | #1 → #7 | Temporary Elevated Cloud Access: assume an over-privileged role via designed cloud assume-role / role-chaining flow (`sts:AssumeRole`, Azure JIT) to operate at elevated permissions. `#1` (designed elevation) → `#7` (when the elevated session executes attacker tooling) or `#1` alone for control-plane abuse without FEC. |
| T1548.006 | Abuse Elevation Control Mechanism: TCC Manipulation | #1 → #7 | TCC Manipulation (macOS): tamper with the Transparency, Consent, and Control database to grant an attacker process privileged access (camera, microphone, disk, accessibility) without the user prompt. `#1 → #7` when attacker code subsequently uses the granted permissions. |
| T1552 | Unsecured Credentials | #1 → #4 | Unsecured credentials: attacker reads credential material left accessible (files, registry, env vars, IMDS, shell history, GPP, container metadata, chat logs). Reading uses designed file/API access — `#1`. Per R-CRED, the reading step is the acquisition; application is the subsequent `#4`. Path: `#1 → #4`. |
| T1552.001 | Unsecured Credentials: Credentials In Files | #1 → #4 | Credentials in files: read via designed file-system access — `#1`; subsequently applied — `#4` per R-CRED. |
| T1552.002 | Unsecured Credentials: Credentials in Registry | #1 → #4 | Credentials in registry: read via designed registry-access APIs — `#1`; subsequently applied — `#4` per R-CRED. |
| T1552.003 | Unsecured Credentials: Shell History | #1 → #4 | Shell history: read history files (`.bash_history`, PowerShell transcript) via designed file-system access — `#1`; applied — `#4` per R-CRED. |
| T1552.004 | Private Keys | #1 → #4 | Private keys (SSH, code-signing, x.509 keys): read via designed file-system / keystore access — `#1`; applied — `#4` per R-CRED. |
| T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | #1 → #4 | Cloud Instance Metadata API: query the IMDS endpoint (`169.254.169.254` and equivalents) using designed metadata-service functions — `#1`; cloud credentials returned are then applied — `#4` per R-CRED. (When IMDS access is via SSRF in a hosted application, a prior `#2` server-flaw step is recorded for the SSRF.) |
| T1552.006 | Unsecured Credentials: Group Policy Preferences | #1 → #4 | Group Policy Preferences: read GPP-stored credentials from SYSVOL via designed share-access — `#1`; applied — `#4` per R-CRED. (Even though GPP encryption was reversible by published key, the read itself is the acquisition step here.) |
| T1552.007 | Unsecured Credentials: Container API | #1 → #4 | Container API: query container orchestrator / runtime APIs (kube-api, Docker socket, ECS metadata) for credentials embedded in pod specs, secrets, or environment — `#1`; applied — `#4` per R-CRED. |
| T1552.008 | Unsecured Credentials: Chat Messages | #1 → #4 | Chat messages: read credentials shared in messaging platforms (Slack, Teams, IRC) via designed message-history access — `#1`; applied — `#4` per R-CRED. |
| T1553 | Subvert Trust Controls | #1 \| #10 | Subvert Trust Controls: bypass system trust mechanisms (code signing, certificate validation, Mark-of-the-Web). Modes: (`#1`) abuse of designed trust-checking surface (e.g., signing-policy relaxation, MOTW removal); (`#10`) when the trust mechanism is forced to accept a malicious artifact as authoritative — Trust Acceptance Event for an attacker-supplied signing identity / installed root CA / trusted certificate. |
| T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | #1 \| #10 | Gatekeeper Bypass (macOS): defeat Gatekeeper trust check (quarantine bit removal, archive-based bypass, gatekeeper-disabled paths). `#1` for design abuse; `#10` when an attacker-signed artifact is accepted as trusted. |
| T1553.002 | Subvert Trust Controls: Code Signing | #1 \| #10 | Code Signing: sign attacker code with a stolen / purchased / abused legitimate signing certificate so @Org systems treat it as trusted. The trusted-and-loaded signed artifact is the Trust Acceptance Event — `#10` per R-SUPPLY (cf. signed-binary supply-chain pattern). `#1` covers cases without a specific TAE artifact. |
| T1553.003 | SIP and Trust Provider Hijacking | #1 → #7 | SIP and Trust Provider Hijacking: register attacker SIP/trust-provider DLL via designed registry/COM hooks so signature verification routines route through attacker code. `#1` (designed extensibility) → `#7` (attacker DLL loaded into trust-checking process per R-EXEC). |
| T1553.004 | Subvert Trust Controls: Install Root Certificate | #1 \| #10 | Install Root Certificate: install attacker-controlled CA into a trust store. The install act is `#1` (designed cert-store API). After install, every attacker-issued cert is trusted — TAE for `#10`. |
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | #1 \| #10 | Mark-of-the-Web (MOTW) Bypass: deliver attacker file via container formats (ISO, IMG, 7z without MOTW propagation) so the system does not flag it as internet-sourced. `#1` for designed-format abuse; `#10` framing applies when downstream trust decisions accept the un-marked artifact as authoritative. |
| T1553.006 | Subvert Trust Controls: Code Signing Policy Modification | #1 \| #10 | Code Signing Policy Modification: relax or disable code-signing policy (Driver Signature Enforcement off, weakened AppLocker policy, kernel testsigning) so unsigned/attacker-signed code loads. `#1` per R-ABUSE; `#10` framing when the relaxed policy is treated as authoritative for downstream trust. |
| T1554 | Compromise Host Software Binary | #1 → #7 | Compromise Host Software Binary: replace or trojanize a legitimate binary on @Org host so attacker code runs whenever the binary is invoked. `#1` (designed file-write to binary location, possibly leveraging weak ACLs) → `#7` (modified binary executes per R-EXEC). |
| T1555 | Credentials from Password Stores | (#1 \| #7) → #4 | Extracting credentials from password stores (Keychain, Credential Manager, browser stores, password managers, cloud secret stores). Acquisition modes: (`#1`) abuse of designed unlock / read APIs of the store; (`#7`) malware-implemented extractor. Subsequently applied — `#4` per R-CRED. Path: `(#1 \| #7) → #4`. (Standardized across all sub-techniques; the older mapping pass had inconsistent shapes.) |
| T1555.001 | Credentials from Password Stores: Keychain | (#1 \| #7) → #4 | macOS Keychain extraction: `#1` via designed `security` CLI / Keychain APIs (with unlock prompt or stored unlock pass) or `#7` via malware. Applied — `#4`. |
| T1555.002 | Securityd Memory | (#1 \| #7) → #4 | Securityd memory extraction (macOS): read in-memory keychain unlock keys via designed memory access — `#1` — or malware-driven — `#7`. Applied — `#4`. (Standardized from prior `#1 → #4` to `(#1 \| #7) → #4`.) |
| T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | (#1 \| #7) → #4 | Browser-stored credentials extraction (Chrome / Edge / Firefox login data, SQLite stores, master keys via DPAPI). `#1` via designed browser-store decryption flow or `#7` via malware. Applied — `#4`. |
| T1555.004 | Credentials from Password Stores: Windows Credential Manager | (#1 \| #7) → #4 | Windows Credential Manager extraction: `#1` via designed `vaultcmd` / DPAPI / Credential Manager APIs or `#7` via malware. Applied — `#4`. |
| T1555.005 | Password Managers | (#1 \| #7) → #4 | Password manager extraction (1Password, Bitwarden, KeePass, LastPass): `#1` abuse of unlock flow with captured master password / file access or `#7` via malware. Applied — `#4`. (Standardized from prior `#1 → #4`.) |
| T1555.006 | Credentials from Password Stores: Cloud Secrets Management Stores | (#1 \| #7) → #4 | Cloud secrets-management extraction (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault): `#1` abuse of designed secret-retrieval APIs with stolen credentials/IAM access; `#7` if malware drives. Applied — `#4`. |
| T1556 | Modify Authentication Process | #1 \| (#1 → #7) \| #7 | Modifying the authentication process to enable credential theft, MFA bypass, or backdoor login. Modes: (`#1`) modification via designed config/registry/policy APIs only; (`#1 → #7`) modification followed by malicious DLL/module loading into auth pipeline; (`#7`) malware that itself becomes the auth modifier. R-CRED: harvested credentials are applied later as `#4`. |
| T1556.001 | Modify Authentication Process: Domain Controller Authentication | #1 → #7 | Domain Controller authentication modification (Skeleton Key, custom auth-package DLL): registry/auth-config write — `#1` — followed by foreign DLL loading into LSASS as authentication package — `#7` per R-EXEC. Subsequent harvested credentials applied as `#4`. |
| T1556.002 | Password Filter DLL | #1 → #7 | Password Filter DLL: register a custom password-change filter via designed registry mechanism (`#1`); the DLL loads into LSASS and intercepts password changes — `#7` per R-EXEC. Captured credentials applied as `#4`. |
| T1556.003 | Pluggable Authentication Modules | #1 \| (#1 → #7) | Pluggable Authentication Modules (Linux PAM): edit PAM config — `#1`. When modification adds a foreign PAM module (`.so`) that intercepts credentials, append `→ #7` per R-EXEC. Subsequent application — `#4`. |
| T1556.004 | Network Device Authentication | (#1 → #7 → #4) \| (#10 → #7 → #4) | Network Device Authentication modification: (a) attacker with admin access modifies device firmware/auth process — `#1 → #7` — to capture or bypass auth; (b) supply-chain compromise places malicious firmware/code at vendor — `#10 → #7` at the Trust Acceptance Event. Either path ends in stolen credentials applied — `#4` per R-CRED. |
| T1556.005 | Modify Authentication Process: Reversible Encryption | #1 \| (#1 → #7) \| #7 | Reversible-Encryption flag set on user accounts so passwords can be recovered. Setting the flag is `#1` via designed AD attribute write. Subsequent password harvest from NTDS leverages `#1`/`#7` (T1003.003). Applied — `#4` per R-CRED. |
| T1556.006 | Modify Authentication Process: Multi-Factor Authentication | #1 \| (#1 → #7) \| #7 | MFA modification: disable, weaken, or replace MFA mechanisms via designed identity-management functions (`#1`); when implemented through malicious code on the IdP, append `→ #7`. Subsequent auth bypass enables `#4` impersonation. |
| T1556.007 | Modify Authentication Process: Hybrid Identity | #1 \| (#1 → #7) \| #7 | Hybrid identity modification (PTA agents, federation trusts, AD Connect components): tamper with the bridge between on-prem and cloud directories. Designed config modification (`#1`); malicious agent code (`#7`); subsequent auth bypass enables `#4`. |
| T1556.008 | Modify Authentication Process: Network Provider DLL | #1 \| (#1 → #7) \| #7 | Network Provider DLL: register a custom network provider via designed registry mechanism (`#1`); the DLL captures credentials at network-logon time — `#7` per R-EXEC when loaded. Captured credentials applied — `#4`. |
| T1556.009 | Modify Authentication Process: Conditional Access Policies | #1 \| (#1 → #7) \| #7 | Conditional Access Policy modification: weaken or replace policies that enforce auth conditions, removing barriers to attacker auth. Designed admin-portal/API modification (`#1`); malicious automation/code (`#7`); enables subsequent `#4` impersonation under relaxed policy. |
| T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | #1 → #5 | LLMNR / NetBIOS-NS poisoning + SMB relay: abuse designed broadcast name-resolution behavior (`#1`) to position for AiTM (`#5`). Captured material includes credentials (`→ #4` per R-CRED) and traffic content (`[DRE: C]`). |
| T1557.002 | Adversary-in-the-Middle: ARP Cache Poisoning | #1 → #5 | ARP cache poisoning: abuse designed ARP behavior (`#1`) to redirect L2 traffic, positioning for AiTM (`#5`). `[DRE: C]` for intercepted data. |
| T1557.003 | Adversary-in-the-Middle: DHCP Spoofing | #1 → #5 | DHCP spoofing: rogue DHCP responses abuse designed DHCP behavior (`#1`) to position attacker as gateway/DNS for AiTM (`#5`). `[DRE: C]` for intercepted data. |
| T1558 | Steal or Forge Kerberos Tickets | #1 → #4 | Steal/forge Kerberos tickets: acquisition via designed Kerberos protocol features or directory-replication abuse (`#1`); forged or stolen ticket then applied — `#4` per R-CRED. Path: `#1 → #4`. |
| T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | #1 → #4 | Golden Ticket: requires the krbtgt account hash (acquired earlier via `#1` DCSync or NTDS extraction). Forging the TGT is offline computation; the forged ticket is then applied — `#4` per R-CRED. Path: `#1 → #4` (with the krbtgt acquisition recorded in the upstream chain). |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | #1 → #4 | Kerberoasting: request service tickets for SPN-bearing accounts via designed Kerberos TGS-REQ functions (`#1`), something any authenticated domain principal may do; the ticket's encrypted part is protected with the service account's long-term key and is cracked offline; the recovered password is subsequently applied — `#4` per R-CRED. |
| T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | #1 → #4 | AS-REP Roasting: request AS-REP messages for accounts with pre-auth disabled — designed Kerberos AS-REQ behavior (`#1`); the AS-REP contains password-derived material that is cracked offline; subsequently applied — `#4` per R-CRED. |
| T1558.005 | Steal or Forge Kerberos Tickets: Ccache Files | #1 → #4 | Ccache files: read stored Kerberos ticket cache files via designed file-system access (`#1`); tickets applied — `#4` per R-CRED. |
| T1559 | Inter-Process Communication | #1 → #7 | Inter-Process Communication: invoke a designed IPC mechanism to deliver attacker-supplied code or commands across process boundaries. `#1` (designed IPC) → `#7` (FEC executes in target process per R-EXEC). |
| T1559.001 | Inter-Process Communication: Component Object Model | #1 → #7 | Component Object Model: instantiate COM objects that the attacker controls (registered class, hijacked CLSID) and invoke methods that run attacker code in the host process. `#1` (COM/DCOM) → `#7`. |
| T1559.002 | Inter-Process Communication: Dynamic Data Exchange | #1 → #7 | Dynamic Data Exchange: trigger DDE field/formula evaluation in Office documents to launch attacker-controlled commands. `#1` (designed DDE) → `#7`. |
| T1559.003 | Inter-Process Communication: XPC Services | #1 → #7 | XPC Services (macOS): use designed XPC IPC to invoke attacker-controlled service code in the target process. `#1` → `#7`. |
| T1560 | Archive Collected Data | #1 | Compress and/or encrypt collected data prior to exfiltration. Uses designed archive utilities/libraries — `#1` per R-ABUSE. No incremental DRE at this step: the confidentiality breach was incurred at collection; archiving is intra-attacker preparation. |
| T1560.001 | Archive Collected Data: Archive via Utility | #1 | Archive via Utility: invoke designed archive tools (`tar`, `zip`, `7z`, `rar`, `Compress-Archive`). `#1`. |
| T1560.002 | Archive Collected Data: Archive via Library | #1 | Archive via Library: invoke designed archive libraries from within attacker code (`zlib`, `libarchive`, .NET `System.IO.Compression`). `#1`. |
| T1560.003 | Archive Collected Data: Archive via Custom Method | #1 | Archive via Custom Method: attacker-implemented archiving/encoding routines. The archiving logic itself is custom but invokes designed file/encoding APIs — `#1` for the data-handling step. (When the custom routine constitutes substantial novel attacker code that runs as a deliberate FEC, the `#7` step is recorded at the FEC execution earlier in the path; this step itself remains `#1`.) |
| T1562 | Impair Defenses | #1 | Impair Defenses: disable, modify, or evade defensive components via designed admin/configuration interfaces. `#1` per R-ABUSE — the defensive component's own admin surface is used to neuter it. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | #1 | Disable or Modify Tools: stop AV/EDR services, uninstall agents, edit policies via designed admin functions. `#1`. |
| T1562.002 | Impair Defenses: Disable Windows Event Logging | #1 | Disable Windows Event Logging: `auditpol /clear`, `wevtutil sl <Channel> /e:false`, registry edits to disable channels. `#1`. |
| T1562.003 | Impair Defenses: Impair Command History Logging | #1 | Impair Command History Logging: `unset HISTFILE`, `set +o history`, `Set-PSReadLineOption -HistorySaveStyle SaveNothing`. `#1`. |
| T1562.004 | Impair Defenses: Disable or Modify System Firewall | #1 | Disable or Modify System Firewall: `netsh advfirewall set ... state off`, `iptables -F`, designed firewall admin. `#1`. |
| T1562.006 | Impair Defenses: Indicator Blocking | #1 | Indicator Blocking: insert filter rules so security tools fail to log/forward target events (sysmon config edit, EDR exclusion adds). `#1`. |
| T1562.007 | Impair Defenses: Disable or Modify Cloud Firewall | #1 | Disable or Modify Cloud Firewall: edit security groups, NACLs, GCP firewall rules via designed cloud admin APIs. `#1`. |
| T1562.008 | Impair Defenses: Disable or Modify Cloud Logs | #1 | Disable or Modify Cloud Logs: stop CloudTrail trails, delete log streams, alter retention via designed cloud admin APIs. `#1`. |
| T1562.009 | Impair Defenses: Safe Mode Boot | #1 | Safe Mode Boot: configure system to boot into safe mode where many security agents do not load (`bcdedit /set safeboot ...`). `#1`. |
| T1562.010 | Impair Defenses: Downgrade Attack | #1 | Downgrade Attack: induce a system or component to use an older, weaker version (PowerShell 2 fallback, TLS downgrade) where defenses are weaker. `#1` per R-ABUSE. |
| T1562.011 | Impair Defenses: Spoof Security Alerting | #1 | Spoof Security Alerting: manipulate alert pipelines so defenders see false-positive noise or no alerts (alert-rule edits, false alerts injection). `#1`. |
| T1562.012 | Impair Defenses: Disable or Modify Linux Audit System | #1 | Disable or Modify Linux Audit System: stop `auditd`, edit `audit.rules`, mask the unit. `#1`. |
| T1562.013 | Impair Defenses: Disable or Modify Network Device Firewall | #1 | Disable or Modify Network Device Firewall: edit ACLs / firewall config on routers/switches/firewalls via designed CLI/management plane. `#1`. |
| T1563 | Remote Service Session Hijacking | #1 → #4 | Session hijacking takes over an existing authenticated session belonging to another user. The takeover is performed by abusing session-management functions (tscon, ssh-agent forwarding, terminal multiplexers, credential-relay APIs) — `#1`. Once the attacker is operating as the legitimate session owner, identity is impersonated — `#4` per R-CRED (the session itself is the identity artifact at this step). Path: `#1 → #4`. |
| T1563.001 | SSH Hijacking | #1 → #4 | SSH hijacking abuses ssh-agent forwarding or session multiplexing (designed features) to ride another user's authenticated session — `#1` to abuse the feature, `#4` for the resulting identity impersonation. Path: `#1 → #4`. |
| T1563.002 | RDP Hijacking | #1 → #4 | RDP hijacking abuses `tscon.exe` (a designed Windows utility for session reconnection) to take over another user's authenticated desktop session — `#1` to invoke tscon, `#4` for the resulting identity impersonation. Path: `#1 → #4`. |
| T1564 | Hide Artifacts | #1 | Hide Artifacts: place attacker artifacts where standard tooling does not enumerate them (hidden attributes, alternate streams, hidden file systems, hidden users, exclusions). Designed feature used to obscure — `#1`. |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | #1 | Hidden Files and Directories: set hidden/system attributes via designed file-attribute APIs (`attrib +h`, dot-prefix on Linux/macOS). `#1`. |
| T1564.002 | Hide Artifacts: Hidden Users | #1 | Hidden Users: hide accounts from logon screens / `net user` listings via designed registry / DSCL configuration. `#1`. |
| T1564.003 | Hide Artifacts: Hidden Window | #1 | Hidden Window: spawn process with `STARTUPINFO::wShowWindow = SW_HIDE` or PowerShell `-WindowStyle Hidden`. `#1`. |
| T1564.004 | NTFS File Attributes | #1 | NTFS File Attributes: store data in alternate data streams (`file:hidden_stream`) or extended attributes that standard listings ignore. `#1`. |
| T1564.005 | Hide Artifacts: Hidden File System | #1 | Hidden File System: create attacker-controlled file system (encrypted container, custom FUSE) not enumerated by host tooling. `#1`. |
| T1564.006 | Run Virtual Instance | #1 → #7 | Run Virtual Instance: run attacker code inside a VM/container on the @Org host so host security tooling does not see the activity. `#1` (designed virt-launch) → `#7` (FEC inside the guest per R-EXEC). |
| T1564.007 | Hide Artifacts: VBA Stomping | #1 | VBA Stomping: replace the stored VBA source code with benign decoy text while leaving the compiled p-code intact; a matching Office version executes the p-code, while static scanners that read the source see only the decoy. `#1` (designed VBA storage format). |
| T1564.008 | Hide Artifacts: Email Hiding Rules | #1 | Email Hiding Rules: configure mailbox rules that auto-move/delete messages matching attacker patterns to hide responses. `#1` (designed mail-rule API). |
| T1564.009 | Hide Artifacts: Resource Forking | #1 | Resource Forking (macOS): hide attacker code/data in a file's resource fork (the `com.apple.ResourceFork` xattr, also reachable as `file/..namedfork/rsrc`, and stored as a `._file` AppleDouble sidecar on volumes without native fork support) that standard tooling ignores. `#1`. |
| T1564.010 | Hide Artifacts: Process Argument Spoofing | #1 | Process Argument Spoofing: launch process with one set of arguments, then overwrite the argv/PEB so process explorers display benign args. `#1`. |
| T1564.011 | Hide Artifacts: Ignore Process Interrupts | #1 | Ignore Process Interrupts: set process to ignore SIGHUP/SIGTERM via designed signal-handling APIs so kill attempts fail. `#1`. |
| T1564.012 | Hide Artifacts: File/Path Exclusions | #1 | File/Path Exclusions: add attacker file/path to AV/EDR exclusion list via designed admin interface so scanners skip it. `#1`. |
| T1564.013 | Hide Artifacts: Bind Mounts | #1 | Bind Mounts (Linux): use `mount --bind` to overlay one path onto another, hiding the original or substituting attacker content. `#1`. |
| T1564.014 | Hide Artifacts: Extended Attributes | #1 | Extended Attributes: store attacker data/keys in xattrs (`setfattr`, NTFS EA) where standard backup/scan tools may not read. `#1`. |
| T1565 | Data Manipulation | #1 | Data manipulation alters @Org data through legitimate write/modify functions (DB updates, file edits, config changes, message modification). #1 per R-ABUSE. Outcome `[DRE: I]` — integrity of stored, transmitted, or runtime data violated. Path: `#1 + [DRE: I]`. See sub-techniques for specific contexts; the transmitted-data sub-technique additionally has a #5 mode. |
| T1565.001 | Data Manipulation: Stored Data Manipulation | #1 | Stored data manipulation: attacker modifies records at rest using legitimate data-modification functions on a host where they have access. #1 per R-ABUSE. Path: `#1 + [DRE: I]`. |
| T1565.002 | Data Manipulation: Transmitted Data Manipulation | #1 \| #5 | Transmitted data manipulation has two cluster modes: (#1) modifying data on a compromised endpoint or middleware before transmission, using designed write/output functions; or (#5) intercepting and altering data on the wire from a Man-in-the-Middle position. Cluster corrected from prior `#1`-only to `#1 \| #5` to reflect the on-wire mode. Path: `#1 + [DRE: I]` or `#5 + [DRE: I]`. |
| T1565.003 | Runtime Data Manipulation | #1 | Runtime data manipulation alters data as it is processed (in-memory edits, hooked APIs returning modified results, injected DOM/PDF rendering). Achieved by abusing legitimate process memory or rendering functions, not by exploiting a flaw — #1 per R-ABUSE. Path: `#1 + [DRE: I]`. |
| T1567 | Exfiltration Over Web Service | #1 \| #7 | Exfiltration to legitimate web services that the attacker uses as transit/staging. The web service is the carrier (⇒), not the attacker's own infrastructure. Modes: (`#1`) attacker abuses legitimate egress and the web service's designed upload functions; (`#7`) malware embeds the upload logic. Path: `(#1 \| #7) \|\|[network][@Org⇒@WebService→@External]\|\| + [DRE: C]`. |
| T1567.001 | Exfiltration Over Web Service: Exfiltration to Code Repository | #1 \| #7 | Exfiltration to a code repository (GitHub, GitLab, Bitbucket attacker-controlled repo). The repository platform is transit. Path: `(#1 \| #7) \|\|[network][@Org⇒@CodeRepo→@External]\|\| + [DRE: C]`. |
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | #1 \| #7 | Exfiltration to cloud storage (attacker-controlled S3, Azure Blob, GCS, Dropbox, Box, Google Drive). The storage platform is transit. Path: `(#1 \| #7) \|\|[network][@Org⇒@CloudStorage→@External]\|\| + [DRE: C]`. |
| T1567.003 | Exfiltration Over Web Service: Exfiltration to Text Storage Sites | #1 \| #7 | Exfiltration to text storage sites (Pastebin, hastebin, attacker-controlled paste services). The paste site is transit. Path: `(#1 \| #7) \|\|[network][@Org⇒@PasteSite→@External]\|\| + [DRE: C]`. |
| T1567.004 | Exfiltration Over Web Service: Exfiltration Over Webhook | #1 \| #7 | Exfiltration over webhook endpoints (Discord/Slack/Teams webhooks, attacker-hosted webhook receivers behind tunneling services like ngrok). The webhook platform is transit. Path: `(#1 \| #7) \|\|[network][@Org⇒@Webhook→@External]\|\| + [DRE: C]`. |
| T1569 | System Services | #1 → #7 | System Services: register or invoke a service through the OS's designed service-control mechanisms to run an attacker-supplied service binary or command. `#1` (service-manager APIs) → `#7` (service binary runs as FEC per R-EXEC). |
| T1569.001 | System Services: Launchctl | #1 → #7 | launchctl (macOS launchd): load a `.plist` and start a launch agent/daemon running attacker-controlled binary. `#1` → `#7`. |
| T1569.002 | Service Execution | #1 → #7 | Windows Service Execution: `sc.exe` / Service Control Manager APIs register or start a service whose binary is attacker-supplied (PsExec service-binary pattern). `#1` (designed service mgmt) → `#7`. |
| T1569.003 | System Services: Systemctl | #1 → #7 | `systemctl` (Linux systemd): register/start a unit that runs attacker-controlled binary or command. `#1` → `#7`. |
| T1571 | Non-Standard Port | #1 \| #7 | Non-Standard Port: C2 over an unexpected port to evade port-based detection (e.g., HTTPS on TCP/8443, or DNS carried over TCP/443). Modes: (`#1`) reuse of designed network APIs to bind/connect on the chosen port; (`#7`) malware-implemented port selection. Path: `(#1 \| #7) \|\|[network][@Org→@External]\|\|`. |
| T1572 | Protocol Tunneling | #1 \| #7 | Protocol Tunneling: encapsulate one protocol inside another (HTTP-over-DNS, RDP-over-HTTP, SSH tunnels) to bypass filtering. Modes: (`#1`) abuse of designed tunneling utilities (`ssh -L`, `iodine`, `chisel`); (`#7`) malware-implemented tunnel. Path: `(#1 \| #7) \|\|[network][@Org→@External]\|\|`. |
| T1574 | Hijack Execution Flow | #1 → #7 | Hijack Execution Flow: cause a legitimate process to load/execute attacker code via designed loader/path/extensibility behavior. `#1` (designed loader/path behavior) → `#7` (attacker code runs in legit process per R-EXEC). |
| T1574.001 | Hijack Execution Flow: DLL | #1 → #7 | DLL Hijacking: place attacker DLL where a legitimate process searches first (PATH, application directory, side-by-side); legit process loads attacker DLL. `#1` → `#7`. |
| T1574.004 | Hijack Execution Flow: Dylib Hijacking | #1 → #7 | Dylib Hijacking (macOS): exploit dylib search order or weak signing to make a legit Mach-O load attacker dylib. `#1` → `#7`. |
| T1574.005 | Hijack Execution Flow: Executable Installer File Permissions Weakness | #1 → #7 | Executable Installer File Permissions Weakness: replace a binary that an installer/updater later runs with elevated privileges. `#1` → `#7`. |
| T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | #1 → #7 | Dynamic Linker Hijacking: set `LD_PRELOAD`/`LD_LIBRARY_PATH`/`DYLD_INSERT_LIBRARIES` so designated processes load attacker shared object first. `#1` → `#7`. |
| T1574.007 | Path Interception by PATH Environment Variable | #1 → #7 | Path Interception by PATH Environment Variable: modify PATH so an attacker-named binary is found before the legit one. `#1` → `#7`. |
| T1574.008 | Path Interception by Search Order Hijacking | #1 → #7 | Path Interception by Search Order Hijacking: place attacker binary in a directory the OS searches before the intended location. `#1` → `#7`. |
| T1574.009 | Path Interception by Unquoted Path | #1 → #7 | Path Interception by Unquoted Path: exploit an unquoted service `ImagePath` that contains spaces (e.g., `C:\Program Files\App\app.exe`): process creation tries each space-delimited prefix as an executable, so an attacker-placed `C:\Program.exe` or `C:\Program Files\App.exe` runs instead of the intended binary. `#1` → `#7`. |
| T1574.010 | Services File Permissions Weakness | #1 → #7 | Services File Permissions Weakness: replace a service binary whose ACLs allow attacker write. SCM later launches the attacker binary as the service. `#1` → `#7`. |
| T1574.011 | Services Registry Permissions Weakness | #1 → #7 | Services Registry Permissions Weakness: modify a service's `ImagePath` or related registry values where ACLs are weak. SCM launches attacker target. `#1` → `#7`. |
| T1574.012 | Hijack Execution Flow: COR_PROFILER | #1 → #7 | COR_PROFILER: set the .NET profiler environment so the CLR loads attacker DLL into every .NET process. `#1` → `#7`. |
| T1574.013 | Hijack Execution Flow: KernelCallbackTable | #1 → #7 | KernelCallbackTable: hijack a process's `KernelCallbackTable` entry so a callback redirects to attacker code. `#1` → `#7`. |
| T1574.014 | Hijack Execution Flow: AppDomainManager | #1 → #7 | AppDomainManager: register attacker AppDomainManager assembly so .NET hosts load it on startup. `#1` → `#7`. |
| T1578 | Modify Cloud Compute Infrastructure | #1 | Modify Cloud Compute Infrastructure: alter snapshots, instances, configurations via designed cloud admin APIs to access data, evade detection, or persist. `#1`. |
| T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot | #1 | Create Snapshot: snapshot a victim volume and attach to an attacker-controlled instance to read its data. `#1`. |
| T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance | #1 | Create Cloud Instance: spin up new instances inside @Org account for attacker workloads. `#1`. |
| T1578.003 | Modify Cloud Compute Infrastructure: Delete Cloud Instance | #1 | Delete Cloud Instance: destroy victim instances to remove forensic evidence. `#1`. |
| T1578.004 | Revert Cloud Instance | #1 | Revert Cloud Instance: revert to an earlier snapshot to undo defender remediation. `#1`. |
| T1578.005 | Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations | #1 | Modify Cloud Compute Configurations: change quotas, regions, networking, storage classes to enable attacker objectives. `#1`. |
| T1580 | Cloud Infrastructure Discovery | #1 | Cloud Infrastructure Discovery: enumerate cloud compute, storage, and networking inventory via cloud control-plane APIs (`describe-instances`, `list-buckets`, `get-vpc`). Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1595 | Active Scanning | #1 | Active scanning probes @Org public-facing services with crafted requests; the services respond through their designed interfaces (banner grabs, port states, error responses, application replies). The attacker uses those legitimate response functions to extract reconnaissance data, which is the generic vulnerability behind #1 Abuse of Functions. Path: `#1 \|\|[api][@External→@Org]\|\| + [DRE: C]`. R-ABUSE applies; the boundary crossing is observable on @Org perimeter telemetry. |
| T1595.001 | Active Scanning: Scanning IP Blocks | #1 | Sweeping IP blocks issues legitimate network probes (ICMP, TCP/UDP) to @Org address space; reachable hosts respond per protocol design and disclose existence/availability. Designed functionality used for reconnaissance — #1 per R-ABUSE. Path: `#1 \|\|[api][@External→@Org]\|\| + [DRE: C]`. |
| T1595.002 | Active Scanning: Vulnerability Scanning | #1 | Vulnerability scanners send fingerprint and probe requests to @Org services; services respond with version banners, header values, and error patterns through their designed interfaces. Information leakage via legitimate response functions — #1 per R-ABUSE (no exploit is fired here; the exploitation step, if it follows, is a separate #2/#3 classification). Path: `#1 \|\|[api][@External→@Org]\|\| + [DRE: C]`. |
| T1595.003 | Active Scanning: Wordlist Scanning | #1 | Wordlist/path scanning queries @Org web infrastructure for files, endpoints, and virtual hosts; the server distinguishes existing from non-existing resources through its designed response codes, leaking enumeration data. #1 per R-ABUSE. Path: `#1 \|\|[api][@External→@Org]\|\| + [DRE: C]`. |
| T1599 | Network Boundary Bridging | #1 \| #2 | Network Boundary Bridging: cause a network device or boundary appliance to bridge segments it should not. `#1` when achieved via designed configuration abuse (NAT rule abuse, route injection); `#2` when an implementation flaw in the device is exploited. |
| T1599.001 | Network Address Translation Traversal | #1 | Network Address Translation Traversal: configure NAT rules on a compromised border device to map external addresses to internal targets. `#1` per R-ABUSE. |
| T1600 | Weaken Encryption | #1 \| #7 | Weaken Encryption: disable hardware crypto, force weak ciphers, reduce key strength on a target device or service. `#1` for designed-config abuse; `#7` when malware-driven. |
| T1600.001 | Reduce Key Space | #1 \| #2 | Reduce Key Space: force usage of small key sizes / vulnerable curves (`#1` config) or exploit a crypto flaw (`#2`). |
| T1600.002 | Weaken Encryption: Disable Crypto Hardware | #1 \| #7 | Disable Crypto Hardware: turn off HSM/TPM/secure enclave use to fall back to weaker software crypto. `#1` for config abuse; `#7` for malware-driven. |
| T1601 | Modify System Image | (#1 → #7) \| (#8 → #7) \| (#10 → #7) | Modify System Image: replace or patch the OS/firmware image of a device with attacker-modified version. Delivery vectors: (`#1 → #7`) attacker with admin access flashes from live system; (`#8 → #7`) physical access to flash; (`#10 → #7`) supply-chain delivery of pre-modified image. |
| T1601.001 | Patch System Image | (#1 → #7) \| (#10 → #7) | Patch System Image: in-place patch of running OS/firmware image (network device IOS, embedded firmware) to inject attacker behavior. `#1 → #7` for live patching; `#10 → #7` for pre-patched supply. |
| T1602 | Data from Configuration Repository | #1 | Read configuration data from network devices and management systems via designed management protocols (SNMP, network-OS CLI exports, NETCONF, RESTCONF). `#1` per R-ABUSE. Outcome `[DRE: C]` — device configurations (often containing credentials, topology, ACLs) captured. Path: `#1 + [DRE: C]`. |
| T1602.001 | SNMP (MIB Dump) | #1 | SNMP MIB Dump: walk SNMP-exposed MIBs via designed SNMP queries (`snmpwalk`, `snmpbulkget`). Often returns device configuration, interface state, and ACLs, and is widely reachable where default or weak community strings or unauthenticated SNMPv1/v2c are in use. `#1 + [DRE: C]`. |
| T1602.002 | Network Device Configuration Dump | #1 | Network Device Configuration Dump: invoke designed CLI/API export functions (`show running-config`, NETCONF `get-config`, Cisco/Juniper config-export utilities) to retrieve full device configuration. `#1 + [DRE: C]`. |
| T1606 | Forge Web Credentials | #1 → #4 | Forging web credentials (cookies, JWTs, SAML tokens): acquisition of signing material via designed config / store access (`#1`); forging is offline; forged credential applied — `#4` per R-CRED. Path: `#1 → #4`. |
| T1606.001 | Forge Web Credentials: Web Cookies | #1 → #4 | Forge web cookies: acquire signing/encryption secret via `#1`; forge cookie offline; apply forged cookie — `#4` per R-CRED. |
| T1609 | Container Administration Command | #1 → #7 | Container Administration Command: use designed container-runtime/orchestrator APIs (`docker exec`, `kubectl exec`, `crictl exec`) to run attacker-supplied commands inside an existing container. `#1` (designed admin function) → `#7` (attacker command executes inside container per R-EXEC). |
| T1610 | Deploy Container | #1 → #7 | Deploy Container: create a new container from an attacker-supplied image via designed orchestrator/runtime APIs (`docker run`, `kubectl create`, ECS task creation). `#1` (orchestrator API) → `#7` (image runs attacker FEC). |
| T1611 | Escape to Host | #1 \| #2 | Escape to Host (container escape): break out from a container/VM into the underlying host. Modes: (`#1`) abuse of designed but dangerous configurations (privileged container, mounted Docker socket, host-PID/network namespace sharing, hostPath volume mount) — no flaw exploited; (`#2`) exploit an implementation flaw in the container runtime, kernel, or hypervisor (server-role component processing guest input). Path: `\|[hypervisor][@container→@host]\| (#1 \| #2)`. Cluster expanded from prior `#1`-only to include the exploit-based escape mode (`#2`). The intra-system boundary operator `\|[hypervisor][@container→@host]\|` is the canonical v2.1 use case for this technique. (When the escape results in attacker code running on the host, append `→ #7` per R-EXEC.) |
| T1612 | Build Image on Host | #1 | Build Image on Host: build a new container image directly on @Org host via designed `docker build` / `buildah` / containerd APIs (avoids pulling from a registry where image scanning would catch the attacker layer). `#1`. (Subsequent execution of the built image is captured by T1610 as `→ #7`.) |
| T1613 | Container and Resource Discovery | #1 | Container and Resource Discovery: enumerate container/orchestrator inventory via `docker ps`, `kubectl get`, `crictl`, container-runtime APIs. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1614 | System Location Discovery | #1 | System Location Discovery: enumerate host geographic and locale information via locale APIs, `Get-Culture`, IP-geolocation lookups, time-zone reads. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1614.001 | System Location Discovery: System Language Discovery | #1 | System Language Discovery: enumerate system language settings via `Get-WinSystemLocale`, locale environment vars, `defaults read NSGlobalDomain AppleLanguages`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1615 | Group Policy Discovery | #1 | Group Policy Discovery: enumerate AD group policies and settings via `gpresult /R`, `Get-GPO`, SYSVOL share reads. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1619 | Cloud Storage Object Discovery | #1 | Cloud Storage Object Discovery: enumerate objects in cloud storage via `aws s3 ls`, `az storage blob list`, `gcloud storage objects list`. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1620 | Reflective Code Loading | #1 → #7 | Reflective Code Loading: allocate executable memory and load attacker code directly via designed memory APIs (`VirtualAlloc` + `WriteProcessMemory` + `CreateThread`, `mmap`+`mprotect`+`jump`, `Assembly.Load(byte[])`) without writing to disk. `#1` (designed memory APIs) → `#7` (loaded code runs in process per R-EXEC). Cluster corrected from prior `#1`-only — the loaded code IS FEC executing; R-EXEC requires the `#7` step. |
| T1621 | Multi-Factor Authentication Request Generation | #1 → #9 → #4 | MFA Request Generation (push-bombing / MFA fatigue): attacker repeatedly invokes the MFA push function via designed auth flows (`#1`); the user, fatigued / confused / under social pressure, eventually approves — `#9` Social Engineering (the user's judgment is overwhelmed); the now-completed authentication is the attacker's — `#4` per R-CRED. Cluster expanded from prior `#1 → #4` to insert `→ #9` for the user-approval step, which is the defining mechanism of this technique. Path: `#1 → #9 → #4`. |
| T1647 | Plist File Modification | #1 | Plist File Modification (macOS): edit `.plist` files to alter application behavior, disable security checks, change launch arguments, redirect logging. Designed plist read/write — `#1`. (When the modified plist registers attacker code as a launch agent/daemon, that's T1543.001/.004 — `#1 → #7`.) |
| T1648 | Serverless Execution | #1 → #7 | Serverless Execution: deploy/invoke a Lambda / Cloud Function / Azure Function / Cloudflare Worker with attacker-supplied code, or trigger an existing function with attacker payload. `#1` (designed serverless API) → `#7` (function code is FEC per R-EXEC). |
| T1649 | Steal or Forge Authentication Certificates | #1 → #4 | Steal or forge authentication certificates (AD CS abuse, X.509 client-cert theft, code-signing cert misuse for auth). Acquisition via designed PKI / CA APIs / file-system access (`#1`); forged or stolen certificate applied — `#4` per R-CRED. Path: `#1 → #4`. (AD CS misconfiguration variants — ESC1-ESC15 — typically chain through `#1` abuse of certificate-template enrollment.) |
| T1651 | Cloud Administration Command | #1 → #7 | Cloud Administration Command (`aws ssm send-command`, `az vm run-command`, GCP `instances.startup-script`, EC2 user-data): designed cloud-management feature for running commands on instances. Attacker invokes it to run attacker-supplied content on @Org cloud workloads. `#1` (cloud control plane) → `#7`. |
| T1652 | Device Driver Discovery | #1 | Device Driver Discovery: enumerate loaded kernel drivers via `driverquery`, `Get-WindowsDriver`, `lsmod`, kernel-module APIs. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1653 | Power Settings | #1 → #7 | Power Settings: configure system power settings (wake-on-LAN, scheduled wake, prevent-sleep flags) via designed power-management functions to enable attacker code to run at chosen times. `#1` (designed power-management config) → `#7` (FEC runs at the wake event per R-EXEC). |
| T1654 | Log Enumeration | #1 | Log Enumeration: enumerate system and application log entries via `Get-WinEvent`, `wevtutil`, log-file reads, cloud-log APIs (`aws logs filter-log-events`). Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1657 | Financial Theft | #1 \| #7 | Financial theft: (#1) abuse of legitimate banking/payment/finance functions (initiating transfers, modifying invoices, redirecting payouts) using the access already obtained; or (#7) malware that performs the manipulation (banking trojan, ATM jackpotting payload). Outcome typically `[DRE: I]` — integrity of transaction/ledger records violated. Path: `#1 + [DRE: I]` or `#7 + [DRE: I]`. The financial loss itself is a downstream business consequence, not a TLCTC DRE; the DRE captures the data-integrity violation at the manipulation step. |
| T1666 | Modify Cloud Resource Hierarchy | #1 | Modify Cloud Resource Hierarchy: move resources between OUs / management groups / projects to escape security policies that apply at the organizational level. Designed hierarchy-management APIs — `#1`. |
| T1668 | Exclusive Control | #1 → #7 | Exclusive Control: register attacker code as the exclusive handler for a system event/feature so that the designed mechanism routes execution to the attacker (e.g., set as default debugger, default shell, default mail handler). `#1` (designed handler registration) → `#7` (registered code runs per R-EXEC). |
| T1671 | Cloud Application Integration | #1 → #7 | Cloud Application Integration: install attacker-controlled OAuth/SaaS app integration into the @Org tenant via designed integration framework (Azure AD app consent, SaaS marketplace integrations, Slack/Teams app installs). `#1` (designed integration mechanism) → `#7` (integration code runs against tenant resources per R-EXEC, often with broad delegated scope). |
| T1672 | Email Spoofing | #1 | Email Spoofing: forge `From:` headers / domain-aligned envelope to make attacker email appear to originate from a trusted sender. Designed SMTP behavior allows arbitrary header construction — `#1` per R-ABUSE. (The recipient deception that follows is the `#9` step in the relevant phishing technique.) |
| T1673 | Virtual Machine Discovery | #1 | Virtual Machine Discovery: enumerate VMs on hypervisors / cloud via `vim-cmd vmsvc/getallvms`, `Get-VM`, `aws ec2 describe-instances`, hypervisor APIs. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
| T1674 | Input Injection | #1 → #7 | Input Injection: simulate keyboard/mouse/HID input to a host (via emulators, exposed HID device, automation APIs) to type attacker-supplied commands into shells or applications. `#1` (designed input subsystem) → `#7` (typed commands execute as FEC). |
| T1675 | ESXi Administration Command | #1 → #7 | ESXi Administration Command: vSphere/ESXi management functions (vCenter API, host CLI invocations) used to run attacker-supplied commands on the hypervisor host. `#1` (designed admin path) → `#7`. |
| T1677 | Poisoned Pipeline Execution | #1 → #10.2 → #7 | Poisoned Pipeline Execution (PPE): attacker injects malicious build steps / dependencies / configuration into CI/CD pipelines via designed write access to repos, pipeline definitions, or shared runners (`#1`). When the pipeline runs, the @Org build/deployment environment accepts the poisoned content as authoritative — Trust Acceptance Event in the development sphere — `#10.2` per R-SUPPLY. The injected code then executes inside the pipeline runner — `#7` per R-EXEC. Path: `#1 \|\|[dev][@Org→@Org]\|\| → #10.2 → #7`. (When the attacker is external and modifies upstream dependencies/actions consumed by the pipeline, the source sphere is `@Vendor` instead of `@Org`.) |
| T1680 | Local Storage Discovery | #1 | Local Storage Discovery: enumerate local drives, volumes, and partitions via `Get-Volume`, `lsblk`, `diskpart list disk`, `df`, storage-management APIs. Designed system functions used for reconnaissance from a foothold inside @Org — `#1` per R-ABUSE. No implementation flaw exploited. |
