Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
661 threats — page 11 of 14
| Name | Category | Description |
|---|---|---|
| Create or Modify System Process: Launch Daemon | Persistence | Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence… |
| Create or Modify System Process: Systemd Service | Persistence | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part o… |
| Create or Modify System Process: Windows Service | Persistence | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part o… |
| Event Triggered Execution: Python Startup Hooks | Persistence | Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path config… |
| Event Triggered Execution: Udev Rules | Persistence | Adversaries may maintain persistence through executing malicious content triggered using udev rules.… |
| Exclusive Control | Persistence | Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the… |
| External Remote Services | Persistence | Adversaries may leverage external-facing remote services to initially access and/or persist within a… |
| Hijack Execution Flow | Persistence | Adversaries may execute their own malicious payloads by hijacking the way operating systems run prog… |
| Hijack Execution Flow: AppDomainManager | Persistence | Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager load… |
| Hijack Execution Flow: COR_PROFILER | Persistence | Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of progr… |
| Hijack Execution Flow: DLL | Persistence | Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate pr… |
| Hijack Execution Flow: Dylib Hijacking | Persistence | Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an ex… |
| Hijack Execution Flow: Dynamic Linker Hijacking | Persistence | Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic … |
| Hijack Execution Flow: Executable Installer File Permissions Weakness | Persistence | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer.… |
| Hijack Execution Flow: KernelCallbackTable | Persistence | Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to … |
| Hijack Execution Flow: Path Interception by PATH Environment Variable | Persistence | Adversaries may execute their own malicious payloads by hijacking environment variables used to load… |
| Hijack Execution Flow: Path Interception by Search Order Hijacking | Persistence | Adversaries may execute their own malicious payloads by hijacking the search order used to load othe… |
| Hijack Execution Flow: Path Interception by Unquoted Path | Persistence | Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. A… |
| Hijack Execution Flow: Services File Permissions Weakness | Persistence | Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adv… |
| Hijack Execution Flow: Services Registry Permissions Weakness | Persistence | Adversaries may execute their own malicious payloads by hijacking the Registry entries used by servi… |
| Implant Internal Image | Persistence | Adversaries may implant cloud or container images with malicious code to establish persistence after… |
| Office Application Startup | Persistence | Adversaries may leverage Microsoft Office-based applications for persistence between startups. Micro… |
| Office Application Startup: Add-ins | Persistence | Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office… |
| Office Application Startup: Office Template Macros | Persistence | Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Micr… |
| Office Application Startup: Office Test | Persistence | Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a com… |
| Office Application Startup: Outlook Forms | Persistence | Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook… |
| Office Application Startup: Outlook Home Page | Persistence | Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised s… |
| Office Application Startup: Outlook Rules | Persistence | Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook… |
| Power Settings | Persistence | Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend acce… |
| Pre-OS Boot: Bootkit | Persistence | Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the… |
| Pre-OS Boot: Component Firmware | Persistence | Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophist… |
| Pre-OS Boot: System Firmware | Persistence | Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) an… |
| Server Software Component | Persistence | Adversaries may abuse legitimate extensible development features of servers to establish persistent … |
| Server Software Component: IIS Components | Persistence | Adversaries may install malicious components that run on Internet Information Services (IIS) web ser… |
| Server Software Component: SQL Stored Procedures | Persistence | Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Pr… |
| Server Software Component: Terminal Services DLL | Persistence | Adversaries may abuse components of Terminal Services to enable persistent access to systems. Micros… |
| Server Software Component: Transport Agent | Persistence | Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsof… |
| Server Software Component: Web Shell | Persistence | Adversaries may backdoor web servers with web shells to establish persistent access to systems. A We… |
| Server Software Component: vSphere Installation Bundles | Persistence | Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hyp… |
| Software Extensions | Persistence | Adversaries may abuse software extensions to establish persistent access to victim systems. Software… |
| Software Extensions: Browser Extensions | Persistence | Adversaries may abuse internet browser extensions to establish persistent access to victim systems. … |
| Software Extensions: IDE Extensions | Persistence | Adversaries may abuse an integrated development environment (IDE) extension to establish persistent … |
| Abuse Elevation Control Mechanism | Privilege Escalation | Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level pe… |
| Abuse Elevation Control Mechanism: Bypass User Account Control | Privilege Escalation | Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account … |
| Abuse Elevation Control Mechanism: Elevated Execution with Prompt | Privilege Escalation | Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompt… |
| Abuse Elevation Control Mechanism: Setuid and Setgid | Privilege Escalation | An adversary may abuse configurations where an application has the setuid or setgid bits set in orde… |
| Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Privilege Escalation | Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries … |
| Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access | Privilege Escalation | Adversaries may abuse permission configurations that allow them to gain temporarily elevated access … |
| Escape to Host | Privilege Escalation | Adversaries may break out of a container or virtualized environment to gain access to the underlying… |
| Event Triggered Execution | Privilege Escalation | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger… |