Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
661 threats — page 6 of 14
| Name | Category | Description |
|---|---|---|
| Plist File Modification | Defense Evasion | Adversaries may modify property list files (plist files) to enable other malicious activity, while a… |
| Pre-OS Boot | Defense Evasion | Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During t… |
| Pre-OS Boot: ROMMONkit | Defense Evasion | Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary co… |
| Pre-OS Boot: TFTP Boot | Defense Evasion | Adversaries may abuse netbooting to load an unauthorized network device operating system from a Triv… |
| Process Injection | Defense Evasion | Adversaries may inject code into processes in order to evade process-based defenses as well as possi… |
| Process Injection: Asynchronous Procedure Call | Defense Evasion | Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue… |
| Process Injection: Dynamic-link Library Injection | Defense Evasion | Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based … |
| Process Injection: Extra Window Memory Injection | Defense Evasion | Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade p… |
| Process Injection: ListPlanting | Defense Evasion | Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order t… |
| Process Injection: Portable Executable Injection | Defense Evasion | Adversaries may inject portable executables (PE) into processes in order to evade process-based defe… |
| Process Injection: Proc Memory | Defense Evasion | Adversaries may inject malicious code into processes via the /proc filesystem in order to evade proc… |
| Process Injection: Process Doppelgänging | Defense Evasion | Adversaries may inject malicious code into process via process doppelgänging in order to evade proce… |
| Process Injection: Process Hollowing | Defense Evasion | Adversaries may inject malicious code into suspended and hollowed processes in order to evade proces… |
| Process Injection: Ptrace System Calls | Defense Evasion | Adversaries may inject malicious code into processes via ptrace (process trace) system calls in orde… |
| Process Injection: Thread Execution Hijacking | Defense Evasion | Adversaries may inject malicious code into hijacked processes in order to evade process-based defens… |
| Process Injection: Thread Local Storage | Defense Evasion | Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in ord… |
| Process Injection: VDSO Hijacking | Defense Evasion | Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-ba… |
| Reflective Code Loading | Defense Evasion | Adversaries may reflectively load code into a process in order to conceal the execution of malicious… |
| Rogue Domain Controller | Defense Evasion | Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. … |
| Rootkit | Defense Evasion | Adversaries may use rootkits to hide the presence of programs, files, network connections, services,… |
| Selective Exclusion | Defense Evasion | Adversaries may intentionally exclude certain files, folders, directories, file types, or system com… |
| Subvert Trust Controls | Defense Evasion | Adversaries may undermine security controls that will either warn users of untrusted activity or pre… |
| Subvert Trust Controls: Code Signing | Defense Evasion | Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Cod… |
| Subvert Trust Controls: Code Signing Policy Modification | Defense Evasion | Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Co… |
| Subvert Trust Controls: Gatekeeper Bypass | Defense Evasion | Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts an… |
| Subvert Trust Controls: Install Root Certificate | Defense Evasion | Adversaries may install a root certificate on a compromised system to avoid warnings when connecting… |
| Subvert Trust Controls: Mark-of-the-Web Bypass | Defense Evasion | Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, … |
| Subvert Trust Controls: SIP and Trust Provider Hijacking | Defense Evasion | Adversaries may tamper with SIP and trust provider components to mislead the operating system and ap… |
| System Binary Proxy Execution | Defense Evasion | Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious co… |
| System Binary Proxy Execution: CMSTP | Defense Evasion | Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager P… |
| System Binary Proxy Execution: Compiled HTML File | Defense Evasion | Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly d… |
| System Binary Proxy Execution: Control Panel | Defense Evasion | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Pane… |
| System Binary Proxy Execution: Electron Applications | Defense Evasion | Adversaries may abuse components of the Electron framework to execute malicious code. The Electron f… |
| System Binary Proxy Execution: InstallUtil | Defense Evasion | Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. Instal… |
| System Binary Proxy Execution: MMC | Defense Evasion | Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Conso… |
| System Binary Proxy Execution: Mavinject | Defense Evasion | Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Micro… |
| System Binary Proxy Execution: Mshta | Defense Evasion | Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScrip… |
| System Binary Proxy Execution: Msiexec | Defense Evasion | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the comma… |
| System Binary Proxy Execution: Odbcconf | Defense Evasion | Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windo… |
| System Binary Proxy Execution: Regsvcs/Regasm | Defense Evasion | Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utilit… |
| System Binary Proxy Execution: Regsvr32 | Defense Evasion | Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-l… |
| System Binary Proxy Execution: Rundll32 | Defense Evasion | Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice ex… |
| System Binary Proxy Execution: Verclsid | Defense Evasion | Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as th… |
| System Script Proxy Execution | Defense Evasion | Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malic… |
| System Script Proxy Execution: PubPrn | Defense Evasion | Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basi… |
| System Script Proxy Execution: SyncAppvPublishingServer | Defense Evasion | Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell comman… |
| Template Injection | Defense Evasion | Adversaries may create or modify references in user document templates to conceal malicious code or … |
| Traffic Signaling | Defense Evasion | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for p… |
| Traffic Signaling: Port Knocking | Defense Evasion | Adversaries may use port knocking to hide open ports used for persistence or command and control. To… |
| Traffic Signaling: Socket Filters | Defense Evasion | Adversaries may attach filters to a network socket to monitor then activate backdoors used for persi… |