---
type: "mapping-set"
title: "ATT&CK techniques → #7 Malware"
description: "58 ATT&CK techniques entries mapped to TLCTC #7 Malware."
resource: "tlctc:mapping:attack:cluster-7"
tags:
  - "mapping"
  - "attack"
  - "cluster-7"
---
# ATT&CK techniques → #7 Malware

> Source: MITRE ATT&CK Enterprise → TLCTC mapping (`mappings/mitre-attack-enterprise/`).

Mapped entries: **58**. Cluster: [#7 Malware](/clusters/cluster-7.md).

| Technique | Name | TLCTC | Rationale |
|---|---|---|---|
| T1001 | Data Obfuscation | #7 \| (#1 → #7) | Data obfuscation makes C2 traffic harder to detect by mangling, hiding, or steganographically embedding command/response content. The obfuscation logic is a feature of the malware payload — `#7`. When the obfuscation reuses designed system encoding/transform functions (Base64, image libraries, compression APIs), an `#1` step precedes the FEC use: `#1 → #7`. No new boundary crossed beyond the existing C2 channel. |
| T1001.001 | Data Obfuscation: Junk Data | #7 \| (#1 → #7) | Junk Data: pad C2 messages with attacker-generated noise to evade pattern detection. FEC capability — `#7` (or `#1 → #7` when designed encoding functions are abused inline). |
| T1001.002 | Data Obfuscation: Steganography | #7 \| (#1 → #7) | Steganography: embed C2 content in image/audio/document carriers. `#7` (or `#1 → #7` when designed image/audio APIs are reused). |
| T1001.003 | Protocol Impersonation | #7 | Protocol Impersonation: malware mimics a legitimate protocol's shape (TLS handshake structure, DNS query patterns) without actually speaking the protocol. The mimicry logic is internal to the FEC — `#7`. |
| T1008 | Fallback Channels | #7 | Fallback Channels: malware contains multiple C2 endpoints / protocols and switches when the primary fails. Resilience logic is a feature of the FEC — `#7`. |
| T1014 | Rootkit | #7 | Rootkit: foreign code with privileged hooks that intercept system calls, hide processes/files/network connections, and evade detection. The rootkit IS the FEC running with kernel/user-mode hooks — `#7` as a property of the malware step. Installation of a rootkit is recorded as the relevant Persistence technique (T1547.006 Kernel Module, T1556 Auth Process, T1014 placement, etc.); this entry captures the running rootkit's capabilities. |
| T1027.001 | Binary Padding | #7 | Binary Padding: append junk bytes to attacker binary to alter file hash or evade size-based heuristics. Padding is a property of the FEC build — `#7`. |
| T1027.005 | Indicator Removal from Tools | #7 | Indicator Removal from Tools: strip strings, debug info, or known signatures from attacker tooling before delivery. FEC build-time feature — `#7` as a property of the resulting payload. |
| T1027.007 | Dynamic API Resolution | #7 | Dynamic API Resolution: malware resolves API addresses at runtime via hash-of-name lookup so static analysis sees no import names. FEC capability — `#7`. |
| T1027.008 | Stripped Payloads | #7 | Stripped Payloads: malware delivered with required components/strings stripped, fetched on demand to evade scanners. FEC capability — `#7`. |
| T1027.009 | Embedded Payloads | #7 | Embedded Payloads: secondary payload embedded inside a primary carrier file (resource section, document, image). FEC build-time feature — `#7`. |
| T1027.014 | Polymorphic Code | #7 | Polymorphic Code: malware mutates its own code/structure on each execution or build. FEC capability — `#7`. |
| T1027.016 | Junk Code Insertion | #7 | Junk Code Insertion: insert NOP/no-op/dead code to defeat signature/CFG analysis. Build-time FEC feature — `#7`. |
| T1036.001 | Invalid Code Signature | #7 | Invalid Code Signature: attacker binary carries a signature that looks valid at a glance but is actually invalid/unverified. Build-time FEC feature — `#7`. |
| T1036.005 | Match Legitimate Name or Location | #7 | Match Legitimate Name or Location: attacker drops binary at a legit path or with a legit name. Build-time FEC feature — `#7`. |
| T1036.007 | Double File Extension | #7 | Double File Extension: name the attacker file `report.pdf.exe` so that Explorer, with known extensions hidden, shows it as `report.pdf`. FEC build-time naming convention — `#7`. (The user double-clicking the disguised file is `#9`, recorded as the User Execution / Phishing step.) |
| T1071 | Application Layer Protocol | #7 | Application Layer Protocol: malware communicates with C2 by speaking a legitimate application-layer protocol (HTTP, DNS, mail, FTP, MQTT) so traffic blends with normal communications. Communication capability is integral to the FEC — `#7` as a property of the malware step. The path step records the C2 capability; the specific protocol is annotated by the sub-technique. |
| T1071.001 | Application Layer Protocol: Web Protocols | #7 | Web Protocols (HTTP/HTTPS): malware C2 over HTTP(S) request/response, typically blending with normal web traffic. `#7` as FEC capability. When the C2 endpoint is itself a legitimate third-party service (cloud webhook, paste site, social media), see T1102 instead — that pattern is `#1` (abuse of the third-party service) and uses the transit operator: `\|\|[network][@Org⇒@WebService→@External]\|\|`. |
| T1071.002 | Application Layer Protocol: File Transfer Protocols | #7 | File Transfer Protocols (FTP, SFTP, FTPS, TFTP) used as C2: malware communicates over these protocols. `#7` as FEC capability. |
| T1071.003 | Application Layer Protocol: Mail Protocols | #7 | Mail Protocols (SMTP, IMAP, POP3): malware embeds C2 in email messages. `#7` as FEC capability. (When the mail provider itself is the dead-drop relay, see T1102; the provider is then transit `⇒@MailProvider`.) |
| T1071.004 | Application Layer Protocol: DNS | #7 | DNS as C2 transport: malware encodes commands/responses in DNS queries and responses. `#7` as FEC capability. Path: `#7 \|\|[network][@Org→@External]\|\|` (with intermediate DNS resolvers as transit when the C2 server is upstream of @Org's recursive resolver — see T1568.001 fast-flux for related routing). |
| T1071.005 | Application Layer Protocol: Publish/Subscribe Protocols | #7 | Publish/Subscribe Protocols (MQTT, AMQP, XMPP) as C2 transport. `#7` as FEC capability. When the broker is a legitimate third-party service used as relay, the broker is transit: `\|\|[network][@Org⇒@Broker→@External]\|\|`. |
| T1132.002 | Non-Standard Encoding | #7 | Non-Standard Encoding: custom attacker-designed encoding scheme. The encoding logic is internal to the FEC — `#7`. |
| T1140 | Deobfuscate/Decode Files or Information | #7 | Deobfuscate/Decode Files or Information: malware decodes its own packed/encrypted payload at runtime (unpack stub, decrypt stage, decode resources). Decoder routine is part of the FEC — `#7`. |
| T1480 | Execution Guardrails | #7 | Execution Guardrails: malware contains environmental checks that gate further execution (target hostname/domain match, GPS region, language settings, mutex presence) so the FEC only runs in the intended environment. The guardrail logic is integral to the FEC — `#7` as a property of the malware step. Cluster corrected from prior `#1` to align with the FEC-capability framing applied to T1497 sandbox-evasion (the canonical decision: a check baked into the payload that gates further behavior is part of `#7`, not a separate `#1` enumeration step). |
| T1480.001 | Execution Guardrails: Environmental Keying | #7 | Environmental Keying: derive decryption key for second-stage payload from environment-specific data (target domain SID, host GUID, geolocation hash) so the payload only unpacks in the intended environment. FEC capability — `#7`. |
| T1480.002 | Execution Guardrails: Mutual Exclusion | #7 | Mutual Exclusion: malware uses a global mutex/named lock to ensure only one instance runs (avoiding crashes that draw attention) or to detect prior infection. FEC capability — `#7`. |
| T1485 | Data Destruction | #7 | Foreign attacker-supplied tooling (wiper binary, destructive script) executes against @Org data, overwriting or unlinking files. #7 per R-EXEC. Outcome `[DRE: Av]` — data gone/unrecoverable. Path: `#7 + [DRE: Av]`. (When destruction is performed by abusing legitimate admin utilities such as `format`, `del /s`, or cloud delete APIs without dropping a binary, classify as `#1 + [DRE: Av]` instead.) |
| T1486 | Data Encrypted for Impact | #7 | Ransomware payload execution against @Org data. Per **Axiom III**, "ransomware" is an outcome label, not a cluster — the threat at this step is the execution of attacker-supplied encryption code (#7 per R-EXEC). Distinguishing DRE: data is present on disk but cannot be used by @Org, which is `[DRE: Ac]` (Accessibility — present but unusable), distinct from `[DRE: Av]` used for wipers (data gone). Path: `#7 + [DRE: Ac]`. Preceding steps in a typical ransomware path (initial access, privilege escalation, recovery inhibition, lateral spread) are classified separately by their own clusters. |
| T1491 | Defacement | #7 | Defacement places attacker-supplied content (HTML, images, scripts, ransom notes) onto @Org assets, replacing legitimate content. The placed content is foreign executable/renderable content — #7 per R-EXEC. Outcome `[DRE: I]` (integrity of public-facing or internal data violated). Path: `#7 + [DRE: I]`. |
| T1491.001 | Defacement: Internal Defacement | #7 | Internal defacement: attacker content replaces legitimate content on systems used by @Org employees (internal portals, login banners, shared file servers). #7 per R-EXEC. Path: `#7 + [DRE: I]`. |
| T1491.002 | Defacement: External Defacement | #7 | External defacement: attacker content replaces legitimate content on @Org public-facing assets (website, customer portal). #7 per R-EXEC; visibility extends the reputational impact but does not change classification. Path: `#7 + [DRE: I]`. |
| T1496.001 | Resource Hijacking: Compute Hijacking | #7 | Compute hijacking runs a foreign workload (cryptominer, distributed compute job) on @Org hosts. #7 per R-EXEC — the miner/worker is FEC. Outcome `[DRE: A]` — legitimate workload performance degraded as compute is consumed. Path: `#7 + [DRE: A]`. |
| T1496.002 | Resource Hijacking: Bandwidth Hijacking | #7 | Bandwidth hijacking runs a foreign workload (proxy bot, click-fraud agent, P2P relay) on @Org hosts that consumes egress capacity. #7 per R-EXEC. Outcome `[DRE: A]` — legitimate data flows degraded. Path: `#7 + [DRE: A]`. |
| T1497 | Virtualization/Sandbox Evasion | #7 | Virtualization/Sandbox Evasion is a **feature of the foreign executable content** — the malware payload contains environmental checks (CPU features, MAC OUI, registry artifacts, user-activity heuristics, time-jump detection) that gate its further behavior. These checks are not a separate enumeration step taken by an actor; they are an integral capability of the `#7` step itself. Classified `#7` as a property of the FEC, not as a discrete `#1` discovery action. (Contrast with T1057 Process Discovery and other interactive-enumeration techniques where a discrete `#1` step exists.) |
| T1497.001 | Virtualization/Sandbox Evasion: System Checks | #7 | Sandbox/VM detection via system checks (`cpuid`, MAC OUI lookups, registry keys characteristic of analysis VMs, presence of analysis-tool artifacts). FEC capability — `#7` — not a discrete `#1` discovery step. See T1497 parent rationale. |
| T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks | #7 | Sandbox detection via user-activity signals (mouse movement, recent-document lists, sustained user input, screen-resolution heuristics). FEC capability — `#7`. |
| T1497.003 | Virtualization/Sandbox Evasion: Time Based Checks | #7 | Sandbox detection via time-based checks (sleep skipping, `RDTSC` deltas, time-source comparisons). FEC capability — `#7`. |
| T1542 | Pre-OS Boot | #7 \| (#1 → #7) | Pre-OS Boot persistence: implant in firmware / boot chain runs before the OS loads. The implant itself is foreign code — `#7`. When the implant is installed via designed firmware-update / boot-record-write functions on the live system, the placement is `#1` and the chain is `#1 → #7`. (Supply-chain delivery of malicious firmware is `#10.3 → #7`, recorded in the upstream chain.) |
| T1542.001 | Pre-OS Boot: System Firmware | #7 \| (#1 → #7) | System Firmware: malicious UEFI/BIOS firmware. `#7` for the firmware runtime; `#1 → #7` when written via designed flashing utilities; `#10.3 → #7` for supply-chain delivery. |
| T1542.002 | Pre-OS Boot: Component Firmware | #7 \| (#1 → #7) | Component Firmware: implant in NIC / drive controller / GPU firmware. Same `#7` / `#1 → #7` / `#10.3 → #7` modes as parent. |
| T1542.003 | Pre-OS Boot: Bootkit | #7 \| (#1 → #7) | Bootkit: malicious code in MBR/VBR/EFI partition that executes before OS. `#7` runtime; `#1 → #7` when written on live system; `#10.3 → #7` if pre-imaged. |
| T1542.004 | Pre-OS Boot: ROMMONkit | #7 \| (#1 → #7) | ROMMONkit: malicious code persisted in network device ROMMON. `#7` runtime; `#1 → #7` when flashed on live device; `#10.3 → #7` for supply-chain delivery. |
| T1542.005 | Pre-OS Boot: TFTP Boot | #7 \| (#1 → #7) | TFTP Boot: redirect network device to boot from attacker-controlled TFTP image. `#7` runtime; `#1 → #7` with designed TFTP-boot configuration abuse. |
| T1561 | Disk Wipe | #7 | Disk-wiping payload executes against @Org storage, overwriting raw sectors or filesystem structures. Foreign destructive code — #7 per R-EXEC. Outcome `[DRE: Av]`. Path: `#7 + [DRE: Av]`. |
| T1561.001 | Disk Wipe: Disk Content Wipe | #7 | Wiper overwrites file contents at the data layer. #7 per R-EXEC. Path: `#7 + [DRE: Av]`. |
| T1561.002 | Disk Wipe: Disk Structure Wipe | #7 | Wiper overwrites partition tables, MBR, or filesystem metadata, rendering data unrecoverable even if blocks remain on disk. #7 per R-EXEC. Path: `#7 + [DRE: Av]`. |
| T1568 | Dynamic Resolution | #7 | Dynamic Resolution: malware determines its C2 endpoint at runtime via algorithm or protocol behavior rather than a hardcoded address. Resolution logic is integral to the FEC — `#7` as a property of the malware step. |
| T1568.001 | Dynamic Resolution: Fast Flux DNS | #7 | Fast Flux DNS: large pool of A records that rotates rapidly, often via attacker-controlled authoritative nameservers. Resolution behavior orchestrated by malware/attacker infra — `#7` as FEC C2 feature. (The DNS resolvers in the path are transit but the rapid rotation is the threat behavior; transit-operator notation: `\|\|[network][@Org⇒@DNSResolvers→@External]\|\|`.) |
| T1568.002 | Dynamic Resolution: Domain Generation Algorithms | #7 | Domain Generation Algorithm (DGA): malware computes candidate domains deterministically and tries them until one resolves. The algorithm is embedded in the FEC — `#7`. |
| T1568.003 | Dynamic Resolution: DNS Calculation | #7 | DNS Calculation: malware derives routing data (port, IP) by computing on the contents of DNS responses returned by attacker-controlled infrastructure. The decoding/calculation routine is FEC capability — `#7`. |
| T1573 | Encrypted Channel | #7 \| (#1 → #7) | Encrypted Channel: C2 traffic is encrypted to evade content inspection. The crypto routines are typically embedded in the FEC — `#7`. When the malware reuses designed system crypto libraries (OpenSSL, BoringSSL, OS APIs), an `#1` step precedes the FEC use — `(#1 → #7)`. |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | #7 \| (#1 → #7) | Symmetric Cryptography: pre-shared key encryption (AES, ChaCha20) for C2. FEC capability — `#7` (or `#1 → #7` when designed crypto libraries are reused). |
| T1573.002 | Encrypted Channel: Asymmetric Cryptography | #7 \| (#1 → #7) | Asymmetric Cryptography: public-key crypto (RSA, ECC) — typically TLS or custom asymmetric handshake in the C2 protocol. FEC capability — `#7` (or `#1 → #7`). |
| T1622 | Debugger Evasion | #7 | Debugger Evasion is a **feature of the foreign executable content** — the malware contains anti-analysis checks (`IsDebuggerPresent`, `CheckRemoteDebuggerPresent`, `NtQueryInformationProcess`, hardware breakpoint detection, ptrace state) that gate further behavior. Classified `#7` as a capability of the FEC, not as a discrete `#1` enumeration step. (Cluster restored to `#7` after a brief Phase 7 misclassification that mistook FEC-feature framing for an Axiom IV violation.) |
| T1665 | Hide Infrastructure | #7 | Hide Infrastructure: techniques to obscure attacker infrastructure from defenders/researchers (bulletproof hosting, anti-forensics, fast-flux/CDN abuse, certificate transparency evasion). These describe attacker-side preparation/maintenance and are not steps that cross into @Org per se. Where a feature is built into the FEC (anti-analysis, infra-rotation logic), it is part of the malware's `#7` capabilities. Where it concerns purely attacker-side infrastructure not crossing @Org, an `N/A` interpretation is also defensible — the current `#7` framing treats it as FEC capability. |
| T1678 | Delay Execution | #7 | Delay Execution: malware sleeps, time-skews, or schedules itself to run at a chosen later time to evade sandboxes (which only execute a sample for minutes) and to spread its activity over time. Sleep/timing logic is FEC capability — `#7`. |
| T1679 | Selective Exclusion | #7 | Selective Exclusion: malware detects specific defender or analysis environments (analyst hostnames, well-known sandbox MAC OUIs, known monitoring tools running) and excludes itself, aborting or staying dormant when target conditions are unfavorable. FEC environmental-gating capability — `#7` (cf. T1480 Execution Guardrails for the broader pattern). |
