Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
658 threats — page 2 of 14
| Name | Category | Tags | Description |
|---|---|---|---|
| Dynamic Resolution | Command And Control | | Adversaries may dynamically establish connections to command and control infrastructure to evade com… |
| Dynamic Resolution: DNS Calculation | Command And Control | | Adversaries may perform calculations on addresses returned in DNS results to determine which port an… |
| Dynamic Resolution: Domain Generation Algorithms | Command And Control | | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destinatio… |
| Dynamic Resolution: Fast Flux DNS | Command And Control | | Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly c… |
| Encrypted Channel | Command And Control | | Adversaries may employ an encryption algorithm to conceal command and control traffic rather than re… |
| Encrypted Channel: Asymmetric Cryptography | Command And Control | | Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffi… |
| Encrypted Channel: Symmetric Cryptography | Command And Control | | Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic… |
| Fallback Channels | Command And Control | | Adversaries may use fallback or alternate communication channels if the primary channel is compromis… |
| Hide Infrastructure | Command And Control | | Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastr… |
| Ingress Tool Transfer | Command And Control | | Adversaries may transfer tools or other files from an external system into a compromised environment… |
| Multi-Stage Channels | Command And Control | | Adversaries may create multiple stages for command and control that are employed under different con… |
| Non-Application Layer Protocol | Command And Control | | Adversaries may use an OSI non-application layer protocol for communication between host and C2 serv… |
| Non-Standard Port | Command And Control | | Adversaries may communicate using a protocol and port pairing that are typically not associated. For… |
| Protocol Tunneling | Command And Control | | Adversaries may tunnel network communications to and from a victim system within a separate protocol… |
| Proxy | Command And Control | | Adversaries may use a connection proxy to direct network traffic between systems or act as an interm… |
| Proxy: Domain Fronting | Command And Control | | Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other serv… |
| Proxy: External Proxy | Command And Control | | Adversaries may use an external proxy to act as an intermediary for network communications to a comm… |
| Proxy: Internal Proxy | Command And Control | | Adversaries may use an internal proxy to direct command and control traffic between two or more syst… |
| Proxy: Multi-hop Proxy | Command And Control | | Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typical… |
| Remote Access Tools | Command And Control | | An adversary may use legitimate remote access tools to establish an interactive command and control … |
| Remote Access Tools: IDE Tunneling | Command And Control | | Adversaries may abuse Integrated Development Environment (IDE) software with remote development feat… |
| Remote Access Tools: Remote Access Hardware | Command And Control | | An adversary may use legitimate remote access hardware to establish an interactive command and contr… |
| Remote Access Tools: Remote Desktop Software | Command And Control | | An adversary may use legitimate desktop support software to establish an interactive command and con… |
| Web Service | Command And Control | | Adversaries may use an existing, legitimate external Web service as a means for relaying data to/fro… |
| Web Service: Bidirectional Communication | Command And Control | | Adversaries may use an existing, legitimate external Web service as a means for sending commands to … |
| Web Service: Dead Drop Resolver | Command And Control | | Adversaries may use an existing, legitimate external Web service to host information that points to … |
| Web Service: One-Way Communication | Command And Control | | Adversaries may use an existing, legitimate external Web service as a means for sending commands to … |
| Adversary-in-the-Middle | Credential Access | | Adversaries may attempt to position themselves between two or more networked devices using an advers… |
| Adversary-in-the-Middle: ARP Cache Poisoning | Credential Access | | Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the c… |
| Adversary-in-the-Middle: DHCP Spoofing | Credential Access | | Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configu… |
| Adversary-in-the-Middle: Evil Twin | Credential Access | | Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malic… |
| Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | Credential Access | | By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for nam… |
| Brute Force | Credential Access | | Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or … |
| Brute Force: Credential Stuffing | Credential Access | | Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to t… |
| Brute Force: Password Cracking | Credential Access | | Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext pa… |
| Brute Force: Password Guessing | Credential Access | | Adversaries with no prior knowledge of legitimate credentials within the system or environment may g… |
| Brute Force: Password Spraying | Credential Access | | Adversaries may use a single or small list of commonly used passwords against many different account… |
| Credentials from Password Stores | Credential Access | | Adversaries may search for common password storage locations to obtain user credentials. Passwords a… |
| Credentials from Password Stores: Cloud Secrets Management Stores | Credential Access | | Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secret… |
| Credentials from Password Stores: Credentials from Web Browsers | Credential Access | | Adversaries may acquire credentials from web browsers by reading files specific to the target browse… |
| Credentials from Password Stores: Keychain | Credential Access | | Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS cred… |
| Credentials from Password Stores: Password Managers | Credential Access | | Adversaries may acquire user credentials from third-party password managers. Password managers are a… |
| Credentials from Password Stores: Securityd Memory | Credential Access | | An adversary with root access may gather credentials by reading securityd’s memory. securityd is a s… |
| Credentials from Password Stores: Windows Credential Manager | Credential Access | | Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stor… |
| Exploitation for Credential Access | Credential Access | | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation … |
| Forced Authentication | Credential Access | | Adversaries may gather credential material by invoking or forcing a user to automatically provide au… |
| Forge Web Credentials | Credential Access | | Adversaries may forge credential materials that can be used to gain access to web applications or In… |
| Forge Web Credentials: SAML Tokens | Credential Access | | An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid… |
| Forge Web Credentials: Web Cookies | Credential Access | | Adversaries may forge web cookies that can be used to gain access to web applications or Internet se… |
| Modify Authentication Process | Credential Access | | Adversaries may modify authentication mechanisms and processes to access user credentials or enable … |