Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
Add Threat
Tags:
661 threats — page 4 of 14
| Name | Category | Tags | Description | |
|---|---|---|---|---|
| Delay Execution | Defense Evasion | Adversaries may employ various time-based methods to evade detection and analysis. These techniques … | Edit | |
| Deobfuscate/Decode Files or Information | Defense Evasion | Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.… | Edit | |
| Deploy Container | Defense Evasion | Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In… | Edit | |
| Direct Volume Access | Defense Evasion | Adversaries may directly access a volume to bypass file access controls and file system monitoring. … | Edit | |
| Domain or Tenant Policy Modification | Defense Evasion | Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses a… | Edit | |
| Domain or Tenant Policy Modification: Group Policy Modification | Defense Evasion | Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access cont… | Edit | |
| Domain or Tenant Policy Modification: Trust Modification | Defense Evasion | Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise… | Edit | |
| Email Spoofing | Defense Evasion | Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers… | Edit | |
| Execution Guardrails | Defense Evasion | Adversaries may use execution guardrails to constrain execution or actions based on adversary suppli… | Edit | |
| Execution Guardrails: Environmental Keying | Defense Evasion | Adversaries may environmentally key payloads or other features of malware to evade defenses and cons… | Edit | |
| Execution Guardrails: Mutual Exclusion | Defense Evasion | Adversaries may constrain execution or actions based on the presence of a mutex associated with malw… | Edit | |
| Exploitation for Defense Evasion | Defense Evasion | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitat… | Edit | |
| File and Directory Permissions Modification | Defense Evasion | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs)… | Edit | |
| File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Defense Evasion | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs)… | Edit | |
| File and Directory Permissions Modification: Windows File and Directory Permissions Modification | Defense Evasion | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs)… | Edit | |
| Hide Artifacts | Defense Evasion | Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operat… | Edit | |
| Hide Artifacts: Bind Mounts | Defense Evasion | Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from nativ… | Edit | |
| Hide Artifacts: Email Hiding Rules | Defense Evasion | Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email c… | Edit | |
| Hide Artifacts: Extended Attributes | Defense Evasion | Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data i… | Edit | |
| Hide Artifacts: File/Path Exclusions | Defense Evasion | Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or fi… | Edit | |
| Hide Artifacts: Hidden File System | Defense Evasion | Adversaries may use a hidden file system to conceal malicious activity from users and security tools… | Edit | |
| Hide Artifacts: Hidden Files and Directories | Defense Evasion | Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent nor… | Edit | |
| Hide Artifacts: Hidden Users | Defense Evasion | Adversaries may use hidden users to hide the presence of user accounts they create or modify. Admini… | Edit | |
| Hide Artifacts: Hidden Window | Defense Evasion | Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In s… | Edit | |
| Hide Artifacts: Ignore Process Interrupts | Defense Evasion | Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt si… | Edit | |
| Hide Artifacts: NTFS File Attributes | Defense Evasion | Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. E… | Edit | |
| Hide Artifacts: Process Argument Spoofing | Defense Evasion | Adversaries may attempt to hide process command-line arguments by overwriting process memory. Proces… | Edit | |
| Hide Artifacts: Resource Forking | Defense Evasion | Adversaries may abuse resource forks to hide malicious code or executables to evade detection and by… | Edit | |
| Hide Artifacts: Run Virtual Instance | Defense Evasion | Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide v… | Edit | |
| Hide Artifacts: VBA Stomping | Defense Evasion | Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Offic… | Edit | |
| Impair Defenses | Defense Evasion | Adversaries may maliciously modify components of a victim environment in order to hinder or disable … | Edit | |
| Impair Defenses: Disable Windows Event Logging | Defense Evasion | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and… | Edit | |
| Impair Defenses: Disable or Modify Cloud Firewall | Defense Evasion | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limi… | Edit | |
| Impair Defenses: Disable or Modify Cloud Logs | Defense Evasion | An adversary may disable or modify cloud logging capabilities and integrations to limit what data is… | Edit | |
| Impair Defenses: Disable or Modify Linux Audit System | Defense Evasion | Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detect… | Edit | |
| Impair Defenses: Disable or Modify Network Device Firewall | Defense Evasion | Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify … | Edit | |
| Impair Defenses: Disable or Modify System Firewall | Defense Evasion | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usag… | Edit | |
| Impair Defenses: Disable or Modify Tools | Defense Evasion | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/to… | Edit | |
| Impair Defenses: Downgrade Attack | Defense Evasion | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/… | Edit | |
| Impair Defenses: Impair Command History Logging | Defense Evasion | Adversaries may impair command history logging to hide commands they run on a compromised system. Va… | Edit | |
| Impair Defenses: Indicator Blocking | Defense Evasion | An adversary may attempt to block indicators or events typically captured by sensors from being gath… | Edit | |
| Impair Defenses: Safe Mode Boot | Defense Evasion | Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Window… | Edit | |
| Impair Defenses: Spoof Security Alerting | Defense Evasion | Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ a… | Edit | |
| Impersonation | Defense Evasion | Adversaries may impersonate a trusted person or organization in order to persuade and trick a target… | Edit | |
| Indicator Removal | Defense Evasion | Adversaries may delete or modify artifacts generated within systems to remove evidence of their pres… | Edit | |
| Indicator Removal: Clear Command History | Defense Evasion | In addition to clearing system logs, an adversary may clear the command history of a compromised acc… | Edit | |
| Indicator Removal: Clear Linux or Mac System Logs | Defense Evasion | Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track … | Edit | |
| Indicator Removal: Clear Mailbox Data | Defense Evasion | Adversaries may modify mail and mail application data to remove evidence of their activity. Email ap… | Edit | |
| Indicator Removal: Clear Network Connection History and Configurations | Defense Evasion | Adversaries may clear or remove evidence of malicious network connections in order to clean up trace… | Edit | |
| Indicator Removal: Clear Persistence | Defense Evasion | Adversaries may clear artifacts associated with previously established persistence on a host system … | Edit |