---
type: "mapping-set"
title: "ATT&CK techniques → #9 Social Engineering"
description: "18 ATT&CK technique entries mapped to TLCTC #9 Social Engineering."
resource: "tlctc:mapping:attack:cluster-9"
tags:
  - "mapping"
  - "attack"
  - "cluster-9"
---
# ATT&CK techniques → #9 Social Engineering

> Source: MITRE ATT&CK Enterprise → TLCTC mapping (`mappings/mitre-attack-enterprise/`).

Mapped entries: **18**. Cluster: [#9 Social Engineering](/clusters/cluster-9.md).

| Technique | Name | TLCTC | Rationale |
|---|---|---|---|
| T1204 | User Execution | #9 → #7 | User Execution: human is induced (lure, pretext, urgency, authority) to perform the action that runs attacker-supplied content. The induction is `#9` per R-HUMAN; the resulting execution is `#7` per R-EXEC. Path: `#9 \|\|[human][@External→@Org]\|\| → #7`. Sub-techniques specify the lure/payload pairing. |
| T1204.001 | User Execution: Malicious Link | #9 → #7 | Malicious Link: user induced to click a link that leads to attacker-controlled content; depending on the destination, code runs (drive-by style or downloaded payload). `#9` (user click induction) → `#7` (FEC). |
| T1204.002 | User Execution: Malicious File | #9 → #7 | Malicious File: user induced to open an attacker-supplied file (executable, document with macros, ISO/IMG mount, LNK shortcut, container archive). `#9` → `#7`. |
| T1204.003 | User Execution: Malicious Image | #9 → #7 | Malicious Image: user induced to pull/run an attacker-supplied container image, VM image, or system image from a registry/repository they trust. `#9` (induction to pull) → `#7` (image runs FEC). |
| T1204.004 | User Execution: Malicious Copy and Paste | #9 → #7 | Malicious Copy and Paste (ClickFix-style): user is shown an instruction (fake CAPTCHA, fake error fix, fake support page) that tells them to paste an attacker-supplied command into a shell or run dialog. `#9` (instruction-following induction) → `#7` (pasted command executes FEC). |
| T1204.005 | User Execution: Malicious Library | #9 → #7 | Malicious Library: user induced to install/load an attacker-supplied library (npm/PyPI package, browser extension, IDE plugin). `#9` → `#7` per R-EXEC when the library code runs in the host process. |
| T1534 | Internal Spearphishing | #9 | Internal spearphishing: attacker (operating from a compromised internal account) sends socially engineered messages to other @Org users to induce them into actions (clicking links, opening attachments, transferring funds, disclosing data). The threat at this step is human cognition under social pressure — `#9`. Cluster corrected from prior `#1 \| #9` — the `#1`-only mode does not describe internal spearphishing (it describes T1072 Software Deployment Tools or generic email-API abuse without an SE component). Internal spearphishing is, by definition, social engineering. Path begins: `#9 → …` (with the prior `#4` credential application that gave the attacker the internal account, and `#1` abuse of the internal email send function, recorded as preceding steps in the full incident path). |
| T1566 | Phishing | #9 | Electronically delivered social engineering: crafted message exploits human cognition under social pressure (trust, urgency, authority, curiosity) to induce a target action. The induced action then maps to its own cluster (#3 browser exploit, #4 credential disclosure, #7 attachment execution). Path begins: `#9 \|\|[human][@External→@Org]\|\| → …`. |
| T1566.001 | Phishing: Spearphishing Attachment | #9 → #7 | Email with malicious attachment. Human is induced to open the attachment (#9); the attachment's payload is foreign executable content that runs (#7 per R-EXEC). Path: `#9 \|\|[human][@External→@Org]\|\| → #7`. When the attachment relies on a client-side flaw to gain execution (e.g., document parser exploit), insert `→ #3` between #9 and #7. |
| T1566.002 | Phishing: Spearphishing Link | (#9 → #3 → #7) \| (#9 → #4) | Email with malicious link. Human clicks (#9). The destination either (a) exploits a browser/plugin client-side flaw and delivers FEC — `#9 → #3 → #7`; or (b) presents a credential-harvesting form that the user fills in — `#9 → #4` (the captured credential's subsequent use is a further #4 step per R-CRED, recorded separately). Path: `(#9 → #3 → #7) \|\|[human][@External→@Org]\|\| \| (#9 → #4)`. The prior mapping `(#9 → #3) \| (#9 → #4)` is corrected to chain `#7` after `#3` per R-EXEC. |
| T1566.003 | Phishing: Spearphishing via Service | (#9 → #4) \| (#9 → #7) | Spearphishing delivered via a third-party service (social media, IM, collaboration platform). The service relays the lure and is **transit**, not target. Outcome can be credential disclosure (`#9 → #4`) or attacker-content execution (`#9 → #7`). Path: `(#9 → #4) \|\|[human][@External⇒@Service→@Org]\|\| \| (#9 → #7)`. Cluster expanded from prior `#9 → #4`-only. |
| T1566.004 | Phishing: Spearphishing Voice | (#9 → #4) \| (#9 → #7) \| (#9 → #1) | Voice phishing (vishing). Human in @Org is manipulated by phone (#9, often combined with caller-ID spoofing for credibility). Outcomes: (a) credential/MFA-code disclosure → `#9 → #4`; (b) victim runs attacker-supplied installer/RAT → `#9 → #7`; (c) victim performs an authorized business function under attacker direction (wire transfer, password reset, configuration change) → `#9 → #1`. Path: `(#9 → #4) \|\|[human][@External⇒@Telco→@Org]\|\| \| (#9 → #7) \| (#9 → #1)`. Cluster expanded from prior `#9 → #7`-only — the fund-transfer / business-function-abuse outcome is the most common vishing pattern in financial fraud and was missing. |
| T1598 | Phishing for Information | #9 | Phishing for information targets the human at the @Org boundary with crafted communication that elicits disclosure of credentials, MFA codes, or business data. Same generic vulnerability as T1566 (human cognition under social pressure); only the goal differs — info disclosure rather than payload execution. Maps to #9 Social Engineering. Path: `#9 \|\|[human][@External→@Org]\|\| + [DRE: C]`. |
| T1598.001 | Phishing for Information: Spearphishing Service | #9 | Spearphishing via third-party service relays a request that manipulates a human in @Org into disclosing information. Treat the platform as transit (⇒@Service), not target. Path: `#9 \|\|[human][@External⇒@Service→@Org]\|\| + [DRE: C]`. |
| T1598.002 | Phishing for Information: Spearphishing Attachment | #9 | Spearphishing attachment used to elicit information (e.g., credential-harvesting form embedded in document) manipulates a human in @Org into disclosure. The attachment is the lure, not foreign executable content. #9 with no #7 step. Path: `#9 \|\|[human][@External→@Org]\|\| + [DRE: C]`. |
| T1598.003 | Phishing for Information: Spearphishing Link | #9 | Spearphishing link directs a human in @Org to an attacker-controlled disclosure surface (credential page, fake form). #9 Social Engineering; the credential capture is the DRE outcome of this step. Path: `#9 \|\|[human][@External→@Org]\|\| + [DRE: C]`. If captured credentials are subsequently used to authenticate, that is a separate #4 step (R-CRED, Axiom X). |
| T1598.004 | Phishing for Information: Spearphishing Voice | #9 | Spearphishing voice (vishing) elicits information from a human in @Org by phone. Generic vulnerability is human cognition under conversational social pressure — #9. Path: `#9 \|\|[human][@External⇒@Telco→@Org]\|\| + [DRE: C]`. |
| T1656 | Impersonation | #9 | Impersonation: pose as a trusted person or organization (executive, IT support, vendor, partner) to manipulate a target into performing an action — wire transfer, credential disclosure, software install, policy override. Cluster corrected from prior `#1`: impersonation is the defining example of `#9` Social Engineering — it manipulates human cognition through pretext, authority, urgency, and trust. Path: `#9 \|\|[human][@External→@Org]\|\| → …`. (When delivered via voice, mark `⇒@Telco`; via SMS, `⇒@SMSProvider`; via deepfake on a video call, `⇒@VideoService`.) |
