Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
658 threats — page 10 of 14
| Name | Category | Description |
|---|---|---|
| Remote Services | Lateral Movement | Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as te… |
| Remote Services: Cloud Services | Lateral Movement | Adversaries may log into accessible cloud services within a compromised environment using Valid Acco… |
| Remote Services: Direct Cloud VM Connections | Lateral Movement | Adversaries may leverage Valid Accounts to log directly into accessible cloud hosted compute infrast… |
| Remote Services: Distributed Component Object Model | Lateral Movement | Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distribut… |
| Remote Services: Remote Desktop Protocol | Lateral Movement | Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). T… |
| Remote Services: SMB/Windows Admin Shares | Lateral Movement | Adversaries may use Valid Accounts to interact with a remote network share using Server Message Bloc… |
| Remote Services: SSH | Lateral Movement | Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversa… |
| Remote Services: VNC | Lateral Movement | Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC… |
| Remote Services: Windows Remote Management | Lateral Movement | Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (… |
| Replication Through Removable Media | Lateral Movement | Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying… |
| Taint Shared Content | Lateral Movement | Adversaries may deliver payloads to remote systems by adding content to shared storage locations, su… |
| Account Manipulation | Persistence | Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account man… |
| Account Manipulation: Additional Cloud Credentials | Persistence | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent acces… |
| Account Manipulation: Additional Cloud Roles | Persistence | An adversary may add additional roles or permissions to an adversary-controlled cloud account to mai… |
| Account Manipulation: Additional Container Cluster Roles | Persistence | An adversary may add additional roles or permissions to an adversary-controlled user or service acco… |
| Account Manipulation: Additional Email Delegate Permissions | Persistence | Adversaries may grant additional permission levels to maintain persistent access to an adversary-con… |
| Account Manipulation: Additional Local or Domain Groups | Persistence | An adversary may add additional local or domain groups to an adversary-controlled account to maintai… |
| Account Manipulation: Device Registration | Persistence | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a… |
| Account Manipulation: SSH Authorized Keys | Persistence | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux … |
| Boot or Logon Autostart Execution | Persistence | Adversaries may configure system settings to automatically execute a program during system boot or l… |
| Boot or Logon Autostart Execution: Active Setup | Persistence | Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machin… |
| Boot or Logon Autostart Execution: Authentication Package | Persistence | Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authent… |
| Boot or Logon Autostart Execution: Kernel Modules and Extensions | Persistence | Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel … |
| Boot or Logon Autostart Execution: LSASS Driver | Persistence | Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Window… |
| Boot or Logon Autostart Execution: Login Items | Persistence | Adversaries may add login items to execute upon user login to gain persistence or escalate privilege… |
| Boot or Logon Autostart Execution: Port Monitors | Persistence | Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistenc… |
| Boot or Logon Autostart Execution: Print Processors | Persistence | Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/… |
| Boot or Logon Autostart Execution: Re-opened Applications | Persistence | Adversaries may modify plist files to automatically run an application when a user logs in. When a u… |
| Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a… |
| Boot or Logon Autostart Execution: Security Support Provider | Persistence | Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windo… |
| Boot or Logon Autostart Execution: Shortcut Modification | Persistence | Adversaries may create or modify shortcuts that can execute a program during system boot or user log… |
| Boot or Logon Autostart Execution: Time Providers | Persistence | Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service… |
| Boot or Logon Autostart Execution: Winlogon Helper DLL | Persistence | Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. W… |
| Boot or Logon Autostart Execution: XDG Autostart Entries | Persistence | Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a… |
| Boot or Logon Initialization Scripts | Persistence | Adversaries may use scripts automatically executed at boot or logon initialization to establish pers… |
| Boot or Logon Initialization Scripts: Login Hook | Persistence | Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is … |
| Boot or Logon Initialization Scripts: Logon Script (Windows) | Persistence | Adversaries may use Windows logon scripts automatically executed at logon initialization to establis… |
| Boot or Logon Initialization Scripts: Network Logon Script | Persistence | Adversaries may use network logon scripts automatically executed at logon initialization to establis… |
| Boot or Logon Initialization Scripts: RC Scripts | Persistence | Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like… |
| Boot or Logon Initialization Scripts: Startup Items | Persistence | Adversaries may use startup items automatically executed at boot initialization to establish persist… |
| Cloud Application Integration | Persistence | Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-… |
| Compromise Host Software Binary | Persistence | Adversaries may modify host software binaries to establish persistent access to systems. Software bi… |
| Create Account | Persistence | Adversaries may create an account to maintain access to victim systems. With a sufficient level of a… |
| Create Account: Cloud Account | Persistence | Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level… |
| Create Account: Domain Account | Persistence | Adversaries may create a domain account to maintain access to victim systems. Domain accounts are th… |
| Create Account: Local Account | Persistence | Adversaries may create a local account to maintain access to victim systems. Local accounts are thos… |
| Create or Modify System Process | Persistence | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as … |
| Create or Modify System Process: Container Service | Persistence | Adversaries may create or modify container or container cluster management tools that run as daemons… |
| Create or Modify System Process: Launch Agent | Persistence | Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of p… |
| Create or Modify System Process: Launch Daemon | Persistence | Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence… |