Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
661 threats — page 3 of 14
| Name | Category | Description |
|---|---|---|
| Modify Authentication Process: Conditional Access Policies | Credential Access | Adversaries may disable or modify conditional access policies to enable persistent access to comprom… |
| Modify Authentication Process: Domain Controller Authentication | Credential Access | Adversaries may patch the authentication process on a domain controller to bypass the typical authen… |
| Modify Authentication Process: Hybrid Identity | Credential Access | Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to… |
| Modify Authentication Process: Multi-Factor Authentication | Credential Access | Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent … |
| Modify Authentication Process: Network Device Authentication | Credential Access | Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassi… |
| Modify Authentication Process: Network Provider DLL | Credential Access | Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture clearte… |
| Modify Authentication Process: Password Filter DLL | Credential Access | Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentica… |
| Modify Authentication Process: Pluggable Authentication Modules | Credential Access | Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable o… |
| Modify Authentication Process: Reversible Encryption | Credential Access | An adversary may abuse Active Directory authentication encryption properties to gain access to crede… |
| Multi-Factor Authentication Interception | Credential Access | Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token gener… |
| Multi-Factor Authentication Request Generation | Credential Access | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to ac… |
| Network Sniffing | Credential Access | Adversaries may passively sniff network traffic to capture information about an environment, includi… |
| OS Credential Dumping | Credential Access | Adversaries may attempt to dump credentials to obtain account login and credential material, normall… |
| OS Credential Dumping: /etc/passwd and /etc/shadow | Credential Access | Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline passwo… |
| OS Credential Dumping: Cached Domain Credentials | Credential Access | Adversaries may attempt to access cached domain credentials used to allow authentication to occur in… |
| OS Credential Dumping: DCSync | Credential Access | Adversaries may attempt to access credentials and other sensitive information by abusing a Windows D… |
| OS Credential Dumping: LSA Secrets | Credential Access | Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secret… |
| OS Credential Dumping: LSASS Memory | Credential Access | Adversaries may attempt to access credential material stored in the process memory of the Local Secu… |
| OS Credential Dumping: NTDS | Credential Access | Adversaries may attempt to access or create a copy of the Active Directory domain database in order … |
| OS Credential Dumping: Proc Filesystem | Credential Access | Adversaries may gather credentials from the proc filesystem or /proc. The proc filesystem is a pseud… |
| OS Credential Dumping: Security Account Manager | Credential Access | Adversaries may attempt to extract credential material from the Security Account Manager (SAM) datab… |
| Steal Application Access Token | Credential Access | Adversaries can steal application access tokens as a means of acquiring credentials to access remote… |
| Steal Web Session Cookie | Credential Access | An adversary may steal web application or service session cookies and use them to gain access to web… |
| Steal or Forge Authentication Certificates | Credential Access | Adversaries may steal or forge certificates used for authentication to access remote systems or reso… |
| Steal or Forge Kerberos Tickets | Credential Access | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets t… |
| Steal or Forge Kerberos Tickets: AS-REP Roasting | Credential Access | Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Pass… |
| Steal or Forge Kerberos Tickets: Ccache Files | Credential Access | Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). Thes… |
| Steal or Forge Kerberos Tickets: Golden Ticket | Credential Access | Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TG… |
| Steal or Forge Kerberos Tickets: Kerberoasting | Credential Access | Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obta… |
| Steal or Forge Kerberos Tickets: Silver Ticket | Credential Access | Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forg… |
| Unsecured Credentials | Credential Access | Adversaries may search compromised systems to find and obtain insecurely stored credentials. These c… |
| Unsecured Credentials: Chat Messages | Credential Access | Adversaries may directly collect unsecured credentials stored or passed through user communication s… |
| Unsecured Credentials: Cloud Instance Metadata API | Credential Access | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other s… |
| Unsecured Credentials: Container API | Credential Access | Adversaries may gather credentials via APIs within a containers environment. APIs in these environme… |
| Unsecured Credentials: Credentials In Files | Credential Access | Adversaries may search local file systems and remote file shares for files containing insecurely sto… |
| Unsecured Credentials: Credentials in Registry | Credential Access | Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Wi… |
| Unsecured Credentials: Group Policy Preferences | Credential Access | Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are too… |
| Unsecured Credentials: Private Keys | Credential Access | Adversaries may search for private key certificate files on compromised systems for insecurely store… |
| Unsecured Credentials: Shell History | Credential Access | Adversaries may search the command history on compromised systems for insecurely stored credentials.… |
| Compromised Privileged ERP Account | Credential Theft | Admin or service account credentials for the ERP system are stolen via credential stuffing or passwo… |
| Abuse Elevation Control Mechanism: TCC Manipulation | Defense Evasion | Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database t… |
| Access Token Manipulation | Defense Evasion | Adversaries may modify access tokens to operate under a different user or system security context to… |
| Access Token Manipulation: Create Process with Token | Defense Evasion | Adversaries may create a new process with an existing token to escalate privileges and bypass access… |
| Access Token Manipulation: Make and Impersonate Token | Defense Evasion | Adversaries may make new tokens and impersonate users to escalate privileges and bypass access contr… |
| Access Token Manipulation: Parent PID Spoofing | Defense Evasion | Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitor… |
| Access Token Manipulation: SID-History Injection | Defense Evasion | Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Win… |
| Access Token Manipulation: Token Impersonation/Theft | Defense Evasion | Adversaries may duplicate then impersonate another user's existing token to escalate privileges and … |
| BITS Jobs | Defense Evasion | Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. W… |
| Build Image on Host | Defense Evasion | Adversaries may build a container image directly on a host to bypass defenses that monitor for the r… |
| Debugger Evasion | Defense Evasion | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by … |
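The library mixes ATT&CK-derived entries (technique and "Technique: Sub-technique" rows, categorised by tactic) with custom rows such as "Compromised Privileged ERP Account", whose category "Credential Theft" is not an ATT&CK tactic. Because these definitions are reused as bow-tie causes, a library this size benefits from an automated hygiene check. The script below is an added example, not code from the threat library application: it parses markdown table rows like the ones on this page and flags duplicate names, sub-technique rows whose parent technique has no entry of its own, and categories outside the ATT&CK Enterprise tactic list. The tactic list being the intended category vocabulary is an assumption; the sample rows are constructed from this page (the repeated NTDS row is added to exercise the duplicate check), and the parent check only sees the rows it is given, so a parent defined on another page of the library would still be reported.

```python
"""Hygiene checks for a bow-tie threat library (added example, not the
library's own code). Parses markdown rows like those on the Threats
Library page and reports structural problems a reviewer would want to see."""
import re
from collections import Counter
from typing import List, NamedTuple, Tuple

# Assumption: the library's Category field is meant to hold an ATT&CK
# Enterprise tactic name. Anything else (e.g. "Credential Theft") is flagged.
ATTACK_TACTICS = {
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
}

# First three cells of a row; any trailing cells (e.g. leftover "Edit"
# links from the web UI) are ignored.
ROW_RE = re.compile(
    r"^\|\s*(?P<name>[^|]+?)\s*\|\s*(?P<category>[^|]+?)\s*\|\s*(?P<description>[^|]*?)\s*\|"
)
SEPARATOR_RE = re.compile(r"^\|\s*:?-+")


class Threat(NamedTuple):
    name: str
    category: str
    description: str


def parse_rows(markdown: str) -> List[Threat]:
    """Return the data rows of a markdown table, dropping the header rows
    that precede the |---| separator line."""
    rows: List[Threat] = []
    header_end = None
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        if SEPARATOR_RE.match(line):
            header_end = len(rows)  # everything collected so far was header
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(Threat(m["name"], m["category"], m["description"]))
    return rows[header_end:] if header_end is not None else rows


def check_library(threats: List[Threat]) -> List[Tuple[str, str]]:
    """Return (finding_kind, threat_name) pairs for library inconsistencies."""
    names = [t.name for t in threats]
    known = set(names)
    findings: List[Tuple[str, str]] = []
    for name, count in Counter(names).items():
        if count > 1:
            findings.append(("duplicate", name))
    for t in threats:
        if t.category not in ATTACK_TACTICS:
            findings.append(("nonstandard-category", t.name))
        # "Parent: Sub" naming follows the ATT&CK sub-technique convention;
        # a sub-technique without its parent entry has no node to roll up to.
        if ": " in t.name and t.name.split(": ", 1)[0] not in known:
            findings.append(("missing-parent", t.name))
    return findings


# Constructed sample: rows taken from this page, with the NTDS row
# deliberately repeated so the duplicate check has something to find.
SAMPLE_ROWS = """\
| Name | Category | Description |
|---|---|---|
| OS Credential Dumping | Credential Access | Adversaries may attempt to dump credentials to obtain account login and credential material, normall… |
| OS Credential Dumping: NTDS | Credential Access | Adversaries may attempt to access or create a copy of the Active Directory domain database in order … |
| OS Credential Dumping: NTDS | Credential Access | Adversaries may attempt to access or create a copy of the Active Directory domain database in order … |
| Abuse Elevation Control Mechanism: TCC Manipulation | Defense Evasion | Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database t… |
| Compromised Privileged ERP Account | Credential Theft | Admin or service account credentials for the ERP system are stolen via credential stuffing or passwo… |
"""


def run_sample() -> List[Tuple[str, str]]:
    return check_library(parse_rows(SAMPLE_ROWS))


if __name__ == "__main__":
    for kind, name in run_sample():
        print(f"{kind}: {name}")
```

Run against a full export of the library rather than one page, otherwise every sub-technique whose parent sits on another page shows up as `missing-parent`. The category check is intentionally strict: if the library deliberately uses non-ATT&CK categories for custom causes, add them to `ATTACK_TACTICS` rather than silencing the check, so that typos in tactic names are still caught.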