Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
661 threats — page 8 of 14
| Name | Category | Tags | Description |
|---|---|---|---|
| Query Registry | Discovery |  | Adversaries may interact with the Windows Registry to gather information about the system, configura… |
| Remote System Discovery | Discovery |  | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical … |
| Software Discovery | Discovery |  | Adversaries may attempt to get a listing of software and software versions that are installed on a s… |
| Software Discovery: Backup Software Discovery | Discovery |  | Adversaries may attempt to get a listing of backup software or configurations that are installed on … |
| Software Discovery: Security Software Discovery | Discovery |  | Adversaries may attempt to get a listing of security software, configurations, defensive tools, and … |
| System Information Discovery | Discovery |  | An adversary may attempt to get detailed information about the operating system and hardware, includ… |
| System Location Discovery | Discovery |  | Adversaries may gather information in an attempt to calculate the geographical location of a victim … |
| System Location Discovery: System Language Discovery | Discovery |  | Adversaries may attempt to gather information about the system language of a victim in order to infe… |
| System Network Configuration Discovery | Discovery |  | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC… |
| System Network Configuration Discovery: Internet Connection Discovery | Discovery |  | Adversaries may check for Internet connectivity on compromised systems. This may be performed during… |
| System Network Configuration Discovery: Wi-Fi Discovery | Discovery |  | Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on… |
| System Network Connections Discovery | Discovery |  | Adversaries may attempt to get a listing of network connections to or from the compromised system th… |
| System Owner/User Discovery | Discovery |  | Adversaries may attempt to identify the primary user, currently logged in user, set of users that co… |
| System Service Discovery | Discovery |  | Adversaries may try to gather information about registered local system services. Adversaries may ob… |
| System Time Discovery | Discovery |  | An adversary may gather the system time and/or time zone settings from a local or remote system. The… |
| Virtual Machine Discovery | Discovery |  | An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host … |
| Cloud Administration Command | Execution |  | Adversaries may abuse cloud management services to execute commands within virtual machines. Resourc… |
| Command and Scripting Interpreter | Execution |  | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. The… |
| Command and Scripting Interpreter: AppleScript | Execution |  | Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed … |
| Command and Scripting Interpreter: AutoHotKey & AutoIT | Execution |  | Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation … |
| Command and Scripting Interpreter: Cloud API | Execution |  | Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments… |
| Command and Scripting Interpreter: Container CLI/API | Execution |  | Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized… |
| Command and Scripting Interpreter: Hypervisor CLI | Execution |  | Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hyp… |
| Command and Scripting Interpreter: JavaScript | Execution |  | Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a plat… |
| Command and Scripting Interpreter: Lua | Execution |  | Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and … |
| Command and Scripting Interpreter: Network Device CLI | Execution |  | Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to ex… |
| Command and Scripting Interpreter: PowerShell | Execution |  | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful intera… |
| Command and Scripting Interpreter: Python | Execution |  | Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/… |
| Command and Scripting Interpreter: Unix Shell | Execution |  | Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary com… |
| Command and Scripting Interpreter: Visual Basic | Execution |  | Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Micro… |
| Command and Scripting Interpreter: Windows Command Shell | Execution |  | Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is th… |
| Container Administration Command | Execution |  | Adversaries may abuse a container administration service to execute commands within a container. A c… |
| ESXi Administration Command | Execution |  | Adversaries may abuse ESXi administration services to execute commands on guest machines hosted with… |
| Exploitation for Client Execution | Execution |  | Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabili… |
| Input Injection | Execution |  | Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of a… |
| Inter-Process Communication | Execution |  | Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command executi… |
| Inter-Process Communication: Component Object Model | Execution |  | Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an int… |
| Inter-Process Communication: Dynamic Data Exchange | Execution |  | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a clie… |
| Inter-Process Communication: XPC Services | Execution |  | Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS u… |
| Native API | Execution |  | Adversaries may interact with the native OS application programming interface (API) to execute behav… |
| Poisoned Pipeline Execution | Execution |  | Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by inje… |
| Scheduled Task/Job | Execution |  | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of … |
| Scheduled Task/Job: At | Execution |  | Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution o… |
| Scheduled Task/Job: Container Orchestration Job | Execution |  | Adversaries may abuse task scheduling functionality provided by container orchestration tools such a… |
| Scheduled Task/Job: Cron | Execution |  | Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution… |
| Scheduled Task/Job: Scheduled Task | Execution |  | Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring… |
| Scheduled Task/Job: Systemd Timers | Execution |  | Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution o… |
| Serverless Execution | Execution |  | Adversaries may abuse serverless computing, integration, and automation services to execute arbitrar… |
| Shared Modules | Execution |  | Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable… |
| Software Deployment Tools | Execution |  | Adversaries may gain access to and use centralized software suites installed within an enterprise to… |
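The listing above follows a "Parent technique: Sub-technique" naming convention within each category, which is what makes the entries reusable as bow-tie causes: a bow-tie can cite the parent family or one specific sub-technique. The following is an added example, not the threat library's own code, that parses rows in the table's pipe-separated shape into that hierarchy and flags sub-techniques whose parent row is missing (a check worth running on an export of the library, since pagination can split a family across pages). The sample rows are constructed from entries on this page with their truncated descriptions; the function names are this example's own.

```python
"""Parse threat-library rows (Name | Category | Tags | Description) into a
category -> parent technique -> sub-technique hierarchy, and report orphan
sub-techniques. Added example; not the threat library's own code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few rows copied from the listing above, in the same
# pipe-separated layout. Descriptions are truncated exactly as on the page.
SAMPLE_ROWS = """\
| Software Discovery | Discovery |  | Adversaries may attempt to get a listing of software… |
| Software Discovery: Security Software Discovery | Discovery |  | Adversaries may attempt to get a listing of security software… |
| Command and Scripting Interpreter | Execution |  | Adversaries may abuse command and script interpreters… |
| Command and Scripting Interpreter: PowerShell | Execution |  | Adversaries may abuse PowerShell commands and scripts… |
| Command and Scripting Interpreter: Unix Shell | Execution |  | Adversaries may abuse Unix shell commands and scripts… |
| Scheduled Task/Job: Cron | Execution |  | Adversaries may abuse the cron utility… |
"""


@dataclass
class Threat:
    name: str
    category: str
    tags: str
    description: str
    parent: Optional[str]  # parent technique for "Parent: Sub" names, else None


def parse_rows(text: str) -> List[Threat]:
    """Parse pipe-separated rows; header and separator lines are skipped."""
    threats: List[Threat] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] in ("Name", "") or cells[0].startswith("---"):
            continue
        name, category, tags, desc = cells[0], cells[1], cells[2], cells[3]
        # Only the name is split on ":"; descriptions may legitimately contain colons.
        parent = name.split(":", 1)[0].strip() if ":" in name else None
        threats.append(Threat(name, category, tags, desc, parent))
    return threats


def group_by_family(threats: List[Threat]) -> Dict[str, Dict[str, List[str]]]:
    """category -> parent technique -> sub-technique short names.
    A parent with no sub-techniques maps to an empty list."""
    families: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for t in threats:
        if t.parent is None:
            families[t.category].setdefault(t.name, [])
        else:
            families[t.category][t.parent].append(t.name.split(":", 1)[1].strip())
    return {cat: dict(parents) for cat, parents in families.items()}


def orphan_subtechniques(threats: List[Threat]) -> List[str]:
    """Sub-techniques whose parent technique has no row of its own in the input,
    e.g. when a family is split across pages of the library."""
    defined_parents = {t.name for t in threats if t.parent is None}
    return [t.name for t in threats if t.parent is not None and t.parent not in defined_parents]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for category, parents in group_by_family(rows).items():
        print(category)
        for parent, subs in parents.items():
            print(f"  {parent}: {subs}")
    print("orphans:", orphan_subtechniques(rows))
```

Run against a full export rather than one page, the orphan list should be empty; anything left in it is either a sub-technique added without its parent or a naming inconsistency in the library.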