Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
661 threats — page 5 of 14
| Name | Category | Tags | Description |
|---|---|---|---|
| Indicator Removal: Clear Windows Event Logs | Defense Evasion | | Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs ar… |
| Indicator Removal: File Deletion | Defense Evasion | | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools,… |
| Indicator Removal: Network Share Connection Removal | Defense Evasion | | Adversaries may remove share connections that are no longer useful in order to clean up traces of th… |
| Indicator Removal: Relocate Malware | Defense Evasion | | Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim syst… |
| Indicator Removal: Timestomp | Defense Evasion | | Adversaries may modify file time attributes to hide new files or changes to existing files. Timestom… |
| Indirect Command Execution | Defense Evasion | | Adversaries may abuse utilities that allow for command execution to bypass security restrictions tha… |
| Masquerading | Defense Evasion | | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or … |
| Masquerading: Break Process Trees | Defense Evasion | | An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent… |
| Masquerading: Browser Fingerprint | Defense Evasion | | Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attribute… |
| Masquerading: Double File Extension | Defense Evasion | | Adversaries may abuse a double extension in the filename as a means of masquerading the true file ty… |
| Masquerading: Invalid Code Signature | Defense Evasion | | Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceivi… |
| Masquerading: Masquerade Account Name | Defense Evasion | | Adversaries may match or approximate the names of legitimate accounts to make newly created ones app… |
| Masquerading: Masquerade File Type | Defense Evasion | | Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's f… |
| Masquerading: Masquerade Task or Service | Defense Evasion | | Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or … |
| Masquerading: Match Legitimate Resource Name or Location | Defense Evasion | | Adversaries may match or approximate the name or location of legitimate files, Registry keys, or oth… |
| Masquerading: Overwrite Process Arguments | Defense Evasion | | Adversaries may modify a process's in-memory arguments to change its name in order to appear as a le… |
| Masquerading: Rename Legitimate Utilities | Defense Evasion | | Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning … |
| Masquerading: Right-to-Left Override | Defense Evasion | | Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a stri… |
| Masquerading: Space after Filename | Defense Evasion | | Adversaries can hide a program's true filetype by changing the extension of a file. With certain fil… |
| Modify Cloud Compute Infrastructure | Defense Evasion | | An adversary may attempt to modify a cloud account's compute service infrastructure to evade defense… |
| Modify Cloud Compute Infrastructure: Create Cloud Instance | Defense Evasion | | An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud… |
| Modify Cloud Compute Infrastructure: Create Snapshot | Defense Evasion | | An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapsh… |
| Modify Cloud Compute Infrastructure: Delete Cloud Instance | Defense Evasion | | An adversary may delete a cloud instance after they have performed malicious activities in an attemp… |
| Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations | Defense Evasion | | Adversaries may modify settings that directly affect the size, locations, and resources available to… |
| Modify Cloud Compute Infrastructure: Revert Cloud Instance | Defense Evasion | | An adversary may revert changes made to a cloud instance after they have performed malicious activit… |
| Modify Cloud Resource Hierarchy | Defense Evasion | | Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) envi… |
| Modify Registry | Defense Evasion | | Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid i… |
| Modify System Image | Defense Evasion | | Adversaries may make changes to the operating system of embedded network devices to weaken defenses … |
| Modify System Image: Downgrade System Image | Defense Evasion | | Adversaries may install an older version of the operating system of a network device to weaken secur… |
| Modify System Image: Patch System Image | Defense Evasion | | Adversaries may modify the operating system of a network device to introduce new capabilities or wea… |
| Network Boundary Bridging | Defense Evasion | | Adversaries may bridge network boundaries by compromising perimeter network devices or internal devi… |
| Network Boundary Bridging: Network Address Translation Traversal | Defense Evasion | | Adversaries may bridge network boundaries by modifying a network device's Network Address Translatio… |
| Obfuscated Files or Information | Defense Evasion | | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting… |
| Obfuscated Files or Information: Binary Padding | Defense Evasion | | Adversaries may use binary padding to add junk data and change the on-disk representation of malware… |
| Obfuscated Files or Information: Command Obfuscation | Defense Evasion | | Adversaries may obfuscate content during command execution to impede detection. Command-line obfusca… |
| Obfuscated Files or Information: Compile After Delivery | Defense Evasion | | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to vi… |
| Obfuscated Files or Information: Compression | Defense Evasion | | Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such a… |
| Obfuscated Files or Information: Dynamic API Resolution | Defense Evasion | | Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to… |
| Obfuscated Files or Information: Embedded Payloads | Defense Evasion | | Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherw… |
| Obfuscated Files or Information: Encrypted/Encoded File | Defense Evasion | | Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to … |
| Obfuscated Files or Information: Fileless Storage | Defense Evasion | | Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Filele… |
| Obfuscated Files or Information: HTML Smuggling | Defense Evasion | | Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of s… |
| Obfuscated Files or Information: Indicator Removal from Tools | Defense Evasion | | Adversaries may remove indicators from tools if they believe their malicious tool was detected, quar… |
| Obfuscated Files or Information: Junk Code Insertion | Defense Evasion | | Adversaries may use junk code / dead code to obfuscate a malware's functionality. Junk code is code … |
| Obfuscated Files or Information: LNK Icon Smuggling | Defense Evasion | | Adversaries may smuggle commands to download malicious payloads past content filters by hiding them … |
| Obfuscated Files or Information: Polymorphic Code | Defense Evasion | | Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detec… |
| Obfuscated Files or Information: SVG Smuggling | Defense Evasion | | Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of s… |
| Obfuscated Files or Information: Software Packing | Defense Evasion | | Adversaries may perform software packing or virtual machine software protection to conceal their cod… |
| Obfuscated Files or Information: Steganography | Defense Evasion | | Adversaries may use steganography techniques in order to prevent the detection of hidden information… |
| Obfuscated Files or Information: Stripped Payloads | Defense Evasion | | Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and oth… |
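Three of the Masquerading rows above (Double File Extension, Right-to-Left Override, Space after Filename) describe tricks that live entirely in the file name, so a defender can check for all three statically before a user ever sees the name rendered. The Python below is an added example written for this page, not code from the threat library or from any product it describes. The executable and decoy extension sets and the sample file names are constructed for illustration; tune the sets to the platform you defend.

```python
"""Static checks for three filename masquerading tricks: right-to-left
override (U+202E), double file extension, and space after filename."""
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE (U+202E), the character the table names

# Constructed for this example (not from the page): extensions Windows will
# execute, and document/media extensions commonly used as the visible decoy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt",
              ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".zip"}


def strip_format_controls(name: str) -> str:
    """Drop Unicode 'Cf' format characters (U+202E and friends). The OS ignores
    them when resolving the extension; only the text renderer is fooled."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def displayed_name(name: str) -> str:
    """Approximate how a left-to-right UI draws a name containing U+202E:
    every code point after the override is rendered in reverse order."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def masquerading_indicators(name: str) -> list[str]:
    """Return the masquerading tricks a filename exhibits, in the order
    rtlo, double-extension, space-after-filename. An empty list means clean."""
    findings = []
    cleaned = strip_format_controls(name)
    stem, ext = os.path.splitext(cleaned)
    ext = ext.lower()

    # Right-to-Left Override: what the user sees is not what the OS executes.
    if RLO in name:
        findings.append(
            f"rtlo: renders as {displayed_name(name)!r}, real extension is {ext}")

    # Double extension: "invoice.pdf.exe", a decoy document extension directly
    # before the one that actually runs. Trailing spaces are ignored here so a
    # padded name is also recognised as a double extension.
    inner = os.path.splitext(stem.rstrip(" "))[1].lower()
    if ext in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        findings.append(f"double-extension: {inner} decoy before {ext}")

    # Space after filename: "readme.txt<many spaces>.exe" pushes the real
    # extension out of a narrow column. A space right before the final dot
    # is not something legitimate software normally produces.
    padding = len(stem) - len(stem.rstrip(" "))
    if ext in EXECUTABLE_EXTS and padding:
        findings.append(f"space-after-filename: {padding} space(s) before {ext}")

    return findings


def scan(names: list[str]) -> dict[str, list[str]]:
    """Scan a batch of names (e.g. from an inventory or mail gateway log)
    and keep only the suspicious ones with their indicators."""
    return {n: f for n in names if (f := masquerading_indicators(n))}


if __name__ == "__main__":
    # Constructed sample names, not real malware samples: the first three are
    # textbook instances of the three techniques, the last two are benign.
    samples = [
        "invoice.pdf.exe",
        "photo\u202egnp.scr",               # a file manager shows "photorcs.png"
        "readme.txt" + " " * 20 + ".exe",
        "quarterly-report.docx",
        "setup.exe",
    ]
    for name, hits in scan(samples).items():
        print(repr(name))
        for hit in hits:
            print("   ", hit)
```

Note that `strip_format_controls` removes every Unicode format character, not just U+202E, so other bidi controls (U+202B, U+2067 and the like) cannot push the real extension past the check, while `displayed_name` only models the single-override case the table describes. The padded name deliberately reports both double-extension and space-after-filename, since it is an instance of both techniques.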