Defense Evasion [MITRE ATT&CK]

Technique Name    Technique ID    Snippet(s)    Rule(s)    OS
Direct Volume Access T1006
Rootkit T1014
Obfuscated Files or Information: Binary Padding T1027.001
Obfuscated Files or Information: Software Packing T1027.002
Obfuscated Files or Information: Steganography T1027.003
Obfuscated Files or Information: Compile After Delivery T1027.004
Obfuscated Files or Information: Indicator Removal from Tools T1027.005
Obfuscated Files or Information: HTML Smuggling T1027.006
Obfuscated Files or Information: Dynamic API Resolution T1027.007
Obfuscated Files or Information: Stripped Payloads T1027.008
Obfuscated Files or Information: Embedded Payloads T1027.009
Masquerading: Invalid Code Signature T1036.001
Masquerading: Right-to-Left Override T1036.002
Masquerading: Rename System Utilities T1036.003
Masquerading: Masquerade Task or Service T1036.004
Masquerading: Match Legitimate Name or Location T1036.005
Masquerading: Double File Extension T1036.007
Process Injection: Dynamic-link Library Injection T1055.001
Process Injection: Portable Executable Injection T1055.002
Process Injection: Thread Execution Hijacking T1055.003
Process Injection: Asynchronous Procedure Call T1055.004
Process Injection: Thread Local Storage T1055.005
Process Injection: Extra Window Memory Injection T1055.011
Process Injection: Process Hollowing T1055.012
Process Injection: Process Doppelgänging T1055.013
Process Injection: ListPlanting T1055.015
Indicator Removal: Clear Windows Event Logs T1070.001 U0302
Indicator Removal: Clear Command History T1070.003
Indicator Removal: File Deletion T1070.004
Indicator Removal: Network Share Connection Removal T1070.005
Indicator Removal: Clear Network Connection History and Configurations T1070.007
Indicator Removal: Clear Mailbox Data T1070.008
Indicator Removal: Clear Persistence T1070.009
Valid Accounts: Default Accounts T1078.001
Valid Accounts: Domain Accounts T1078.002
Valid Accounts: Local Accounts T1078.003
Modify Registry T1112
Trusted Developer Utilities Proxy Execution: MSBuild T1127.001
Access Token Manipulation: Token Impersonation/Theft T1134.001
Access Token Manipulation: Create Process with Token T1134.002
Access Token Manipulation: Make and Impersonate Token T1134.003
Access Token Manipulation: SID-History Injection T1134.005
Deobfuscate/Decode Files or Information T1140
BITS Jobs T1197
Indirect Command Execution T1202
Traffic Signaling: Port Knocking T1205.001
Traffic Signaling: Socket Filters T1205.002
Rogue Domain Controller T1207
Exploitation for Defense Evasion T1211
System Script Proxy Execution: PubPrn T1216.001
System Binary Proxy Execution: Compiled HTML File T1218.001
System Binary Proxy Execution: Control Panel T1218.002
System Binary Proxy Execution: CMSTP T1218.003
System Binary Proxy Execution: InstallUtil T1218.004
System Binary Proxy Execution: Mshta T1218.005
System Binary Proxy Execution: Msiexec T1218.007
System Binary Proxy Execution: Odbcconf T1218.008
System Binary Proxy Execution: Regsvcs/Regasm T1218.009
System Binary Proxy Execution: Regsvr32 T1218.010
System Binary Proxy Execution: Rundll32 T1218.011
System Binary Proxy Execution: Verclsid T1218.012
System Binary Proxy Execution: Mavinject T1218.013
System Binary Proxy Execution: MMC T1218.014
XSL Script Processing T1220
Template Injection T1221
Windows File and Directory Permissions Modification T1222.001
Execution Guardrails: Environmental Keying T1480.001
Domain Policy Modification: Group Policy Modification T1484.001
Domain Policy Modification: Domain Trust Modification T1484.002
Virtualization/Sandbox Evasion: System Checks T1497.001
Virtualization/Sandbox Evasion: User Activity Based Checks T1497.002
Virtualization/Sandbox Evasion: Time Based Evasion T1497.003
Pre-OS Boot: System Firmware T1542.001
Pre-OS Boot: Component Firmware T1542.002
Pre-OS Boot: Bootkit T1542.003
Bypass User Account Control T1548.002
Use Alternate Authentication Material: Pass the Hash T1550.002
Use Alternate Authentication Material: Pass the Ticket T1550.003
Subvert Trust Controls: Code Signing T1553.002
Subvert Trust Controls: SIP and Trust Provider Hijacking T1553.003
Subvert Trust Controls: Install Root Certificate T1553.004
Subvert Trust Controls: Mark-of-the-Web Bypass T1553.005
Subvert Trust Controls: Code Signing Policy Modification T1553.006
Modify Authentication Process T1556
Modify Authentication Process: Domain Controller Authentication T1556.001
Modify Authentication Process: Password Filter DLL T1556.002
Modify Authentication Process: Reversible Encryption T1556.005
Modify Authentication Process: Multi-Factor Authentication T1556.006
Modify Authentication Process: Hybrid Identity T1556.007
Impair Defenses: Disable or Modify Tools T1562.001
Impair Defenses: Disable Windows Event Logging T1562.002
Impair Defenses: Impair Command History Logging T1562.003
Impair Defenses: Disable or Modify System Firewall T1562.004
Impair Defenses: Indicator Blocking T1562.006
Impair Defenses: Safe Mode Boot T1562.009
Impair Defenses: Downgrade Attack T1562.010
Hide Artifacts: Hidden Files and Directories T1564.001
Hide Artifacts: Hidden Users T1564.002
Hide Artifacts: Hidden Window T1564.003
Hide Artifacts: NTFS File Attributes T1564.004
Hide Artifacts: Hidden File System T1564.005
Hide Artifacts: Run Virtual Instance T1564.006
Hide Artifacts: VBA Stomping T1564.007
Hide Artifacts: Email Hiding Rules T1564.008
Hide Artifacts: Process Argument Spoofing T1564.010
Hijack Execution Flow: DLL Search Order Hijacking T1574.001
Hijack Execution Flow: DLL Side-Loading T1574.002
Hijack Execution Flow: Executable Installer File Permissions Weakness T1574.005
Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007
Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008
Hijack Execution Flow: Path Interception by Unquoted Path T1574.009
Hijack Execution Flow: Services File Permissions Weakness T1574.010
Hijack Execution Flow: Services Registry Permissions Weakness T1574.011
Hijack Execution Flow: COR_PROFILER T1574.012
Hijack Execution Flow: KernelCallbackTable T1574.013
Reflective Code Loading T1620
Debugger Evasion T1622
Indicator Removal: Timestomp T1070.006 U0303
Volume Shadow Copy (VSC/VSS) Deletion T1070.004 U0305
DNS Tunneling T1048.003 U0905
Domain Fronting T1090.004 U0908
Replication Through Removable Media T1091 U1012
Access Token Manipulation: Parent PID Spoofing T1134.004 U1234
AppInit DLL Injection T1546.010 U1244
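Three rows of the table carry snippet/rule references (U0302 Clear Windows Event Logs, U0303 Timestomp, U0305 Volume Shadow Copy deletion). The following is an added detection example written for this page; it is not code from the original page and does not reproduce whatever the U-coded snippets or rules actually contain, which cites the U-codes only as row references. The event records are constructed, the field names are a simplified normalisation assumed for the example, and the Sysmon image allowlist and one-day backdating threshold are assumptions to be tuned per environment.

```python
"""Detection pass over constructed Windows telemetry for three table rows:
Clear Windows Event Logs (T1070.001), Timestomp (T1070.006) and Volume Shadow
Copy deletion (filed on this page under File Deletion, T1070.004)."""
import re
from datetime import datetime

SYSMON = "Microsoft-Windows-Sysmon/Operational"
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample events (not real telemetry); a normalised subset of
# Windows Security, System and Sysmon fields. Field names are assumed.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 1102, "user": "CORP\\jdoe"},
    {"channel": "System", "event_id": 104, "user": "CORP\\jdoe"},
    {"channel": SYSMON, "event_id": 1, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"channel": SYSMON, "event_id": 1, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"channel": SYSMON, "event_id": 1, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin list shadows"},  # benign: enumeration only
    {"channel": SYSMON, "event_id": 2, "image": "C:\\Users\\Public\\updater.exe",
     "target_filename": "C:\\Users\\Public\\updater.exe",
     "creation_utc_time": "2009-07-14 01:14:37.000",           # new (backdated) value
     "previous_creation_utc_time": "2024-03-02 10:22:51.123"},  # what it was before
    {"channel": SYSMON, "event_id": 2, "image": "C:\\Windows\\System32\\svchost.exe",
     "target_filename": "C:\\Windows\\Temp\\cab_1234.tmp",
     "creation_utc_time": "2024-03-02 10:30:00.000",
     "previous_creation_utc_time": "2024-03-02 10:29:58.000"},  # benign service noise
]

# Command lines that remove shadow copies. \s+ and the optional ".exe" keep
# "vssadmin list shadows" from matching while tolerating spacing variants.
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\b(delete|remove-wmiobject|remove-ciminstance)\b)",
    re.IGNORECASE,
)

# Sysmon EID 2 is noisy for some system images; this allowlist is an assumption.
TIMESTOMP_IMAGE_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\tiworker.exe",
    r"c:\windows\system32\poqexec.exe",
}
MIN_BACKDATE_DAYS = 1  # assumed threshold


def detect_log_clearing(ev):
    """Security 1102 ('audit log was cleared') or System 104 ('log file was cleared')."""
    if (ev.get("channel"), ev.get("event_id")) in {("Security", 1102), ("System", 104)}:
        return {"technique": "T1070.001", "table_ref": "U0302",
                "detail": f"{ev['channel']} log cleared by {ev.get('user', '?')}"}
    return None


def detect_shadow_deletion(ev):
    """Sysmon EID 1 (process create) whose command line deletes shadow copies."""
    if ev.get("channel") == SYSMON and ev.get("event_id") == 1:
        cmd = ev.get("command_line", "")
        if SHADOW_DELETE_RE.search(cmd):
            return {"technique": "T1070.004", "table_ref": "U0305", "detail": cmd}
    return None


def detect_timestomp(ev):
    """Sysmon EID 2 (file creation time changed) where the new time is earlier
    than the previous one by at least MIN_BACKDATE_DAYS and the acting image is
    not on the allowlist."""
    if ev.get("channel") != SYSMON or ev.get("event_id") != 2:
        return None
    if ev.get("image", "").lower() in TIMESTOMP_IMAGE_ALLOWLIST:
        return None
    new = datetime.strptime(ev["creation_utc_time"], TIME_FMT)
    old = datetime.strptime(ev["previous_creation_utc_time"], TIME_FMT)
    backdated_days = (old - new).days  # negative when the time moved forward
    if backdated_days >= MIN_BACKDATE_DAYS:
        return {"technique": "T1070.006", "table_ref": "U0303",
                "detail": f"{ev['target_filename']} backdated {backdated_days} days by {ev['image']}"}
    return None


DETECTORS = (detect_log_clearing, detect_shadow_deletion, detect_timestomp)


def triage(events):
    """Run every detector over every event; returns findings in event order."""
    return [hit for ev in events for det in DETECTORS if (hit := det(ev))]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['technique']} ({f['table_ref']}): {f['detail']}")
```

Against the constructed sample the pass yields five findings: two log-clearing events, two shadow-copy deletions, and one backdated executable; the enumeration-only `vssadmin list shadows` and the two-second creation-time adjustment by `svchost.exe` are not reported.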

Category Description

MITRE Usage License

LICENSE

The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK® for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.

"© 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."

DISCLAIMERS

MITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques or variations on existing techniques not documented by ATT&CK.

ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.